Addressing comments/issues

attzonko · attzonko · commit be7283a3e7a0 · 2025-11-06T09:13:21.000-08:00
Signed-off-by: Alex Tzonkov &lt;4975715+attzonko@users.noreply.github.com&gt;
diff --git a/.github/workflows/validate-reports.yml b/.github/workflows/validate-reports.yml
@@ -175,10 +175,10 @@ jobs:
         run: |
           cd shortform_report-main
           
-          # Find a sample JSON file to test conversion
-          sample_json=$(find ../Reports/ -name "*.json" -not -name "*_converted*" | head -1)
+          # Use a specific JSON file for testing conversion
+          sample_json="../Reports/CHIPS_Alliance/2024/Caliptra/caliptra_fw_report.json"
           
-          if [ -n "$sample_json" ] && [ -f "$sample_json" ]; then
+          if [ -f "$sample_json" ]; then
             echo "Testing conversion of: $sample_json"
             
             # Convert JSON to CoRIM
@@ -199,9 +199,8 @@ jobs:
               exit 1
             fi
           else
-            echo "ℹ️  No sample JSON files found for conversion testing"
+            echo "ℹ️  Test JSON file not found: $sample_json"
             echo "Running final validation summary instead..."
-            cd shortform_report-main
             python tests/final_validation_summary.py
           fi
 
diff --git a/shortform_report-main/tests/final_validation_summary.py b/shortform_report-main/tests/final_validation_summary.py
@@ -275,10 +275,39 @@ def validate_corim_compliance():
                 encryption_algorithm=serialization.NoEncryption()
             )
             
-            if report.sign_corim_report_pem(private_pem, "ES512", "test-validation-key"):
+            # Sign the CoRIM report
+            signing_result = report.sign_corim_report_pem(private_pem, "ES512", "test-validation-key")
+            if signing_result:
                 signed_corim = report.get_signed_corim_report()
                 print(f"✓ CoRIM signing successful ({len(signed_corim)} bytes)")
                 print("✓ COSE-Sign1 format with cwt library")
+                
+                # Validate the signature is actually valid
+                try:
+                    import cwt
+                    from cwt import COSEKey
+                    
+                    # Extract public key from private key for verification
+                    public_key = private_key.public_key()
+                    public_pem = public_key.public_bytes(
+                        encoding=serialization.Encoding.PEM,
+                        format=serialization.PublicFormat.SubjectPublicKeyInfo
+                    )
+                    
+                    # Create COSE key for verification with proper key ID
+                    cose_key = COSEKey.from_pem(public_pem, kid="test-validation-key")
+                    
+                    # Verify the signature
+                    verified_payload = cwt.decode(signed_corim, cose_key)
+                    if verified_payload:
+                        print("✓ Signature verification successful")
+                    else:
+                        print("✗ Signature verification failed - invalid signature")
+                        return False
+                        
+                except Exception as verify_error:
+                    print(f"✗ Signature verification failed: {verify_error}")
+                    return False
             else:
                 print("✗ CoRIM signing failed")
                 return False
