
prisma-risk / tsoracle / 26652831183
95%

Build:
DEFAULT BRANCH: main
Ran 29 May 2026 05:51PM UTC
Jobs 1
Files 92
Run time 1min
29 May 2026 05:44PM UTC coverage: 94.848%. Remained the same
26652831183

push

github

web-flow
ci(release): sign tags in gitsign offline Rekor mode so git verify-tag works (#573)

gitsign's default "online" Rekor mode logs an annotated tag's signature under
the hash of the tag reconstructed with the signature as a `gpgsig` header
(commit form), whereas `git verify-tag` reconstructs an annotated tag with the
signature in-body (tag form). The two hashes never coincide, so
`git verify-tag --raw` fails with "could not find matching tlog entry" for
every release tag signed since #544.

Verified against the shipped tag tsoracle-v2.0.0: the CMS messageDigest is a
valid SHA256 of the tag payload, but gitsign logged Rekor under
d86dc4f9... (= SHA256 of the gpgsig-header reassembly) while verify searches
9a404a7e... (= SHA256 of the real in-body tag object) — which is absent from
Rekor. Offline mode embeds the inclusion proof in the signature itself, keyed
to the CMS signed-attributes hash; that path is object-type-agnostic and
round-trips for tags.

Proven end-to-end with a live keyless sign+verify (gitsign 0.16.0): an
online-signed annotated tag fails `git verify-tag --raw` (exit 1,
"hashes don't match") while an offline-signed one passes (exit 0, GOODSIG).
Verifiers need no change — gitsign tries the embedded-proof path first.

Fix-forward only: tags already published in online mode cannot be re-signed
(their ephemeral certs have expired) but remain verifiable via SLSA provenance.

Refs #549.

Signed-off-by: Sebastian Thiebaud <sebastian@prismarisk.com>
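
The hash mismatch described in the commit message above, modelled as an added example (not code from the commit or from gitsign). The tag payload, the placeholder signature and the use of plain SHA-256 over each layout are constructed assumptions; the exact bytes gitsign hashes are not shown on this page.

```python
import hashlib

MARKER = b"-----BEGIN SIGNED MESSAGE-----"

# Constructed sample data: a fake annotated-tag payload and a placeholder signature.
PAYLOAD = (b"object 0123456789abcdef0123456789abcdef01234567\n"
           b"type commit\n"
           b"tag example-v0.0.0\n"
           b"tagger Example Signer <signer@example.invalid> 1700000000 +0000\n"
           b"\n"
           b"example release\n")
SIGNATURE = (MARKER + b"\n"
             b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
             b"-----END SIGNED MESSAGE-----\n")

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def tag_form(payload, sig):
    """Annotated-tag layout: the signature is appended after the message body."""
    return payload + sig

def commit_form(payload, sig):
    """Commit-style layout: the signature is folded into a `gpgsig` header,
    with every continuation line prefixed by one space."""
    headers, _, body = payload.partition(b"\n\n")
    folded = b"\n ".join(sig.rstrip(b"\n").split(b"\n"))
    return headers + b"\ngpgsig " + folded + b"\n\n" + body

def split_tag(obj):
    """Recover (payload, signature) from a tag-form object, as a verifier does."""
    idx = obj.find(MARKER)
    if idx < 0:
        raise ValueError("tag object carries no signature")
    return obj[:idx], obj[idx:]

def whole_object_keys_match(payload, sig):
    """Signer hashes the commit-form reassembly, verifier hashes the tag form."""
    logged = sha256(commit_form(payload, sig))
    v_payload, v_sig = split_tag(tag_form(payload, sig))
    return logged == sha256(tag_form(v_payload, v_sig))

def payload_keys_match(payload, sig):
    """A key derived from the signed payload alone is independent of layout."""
    v_payload, _ = split_tag(tag_form(payload, sig))
    return sha256(payload) == sha256(v_payload)
```
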

14195 of 14966 relevant lines covered (94.85%)

364953.98 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 26652831183.1 | 29 May 2026 05:51PM UTC | 92 | 94.85
  • b4cf3fbc on github