prefix-dev · wolfv · Dec 6, 2025 · Dec 7, 2025 · Dec 7, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -68,9 +68,43 @@ jobs:
 
       - uses: dtolnay/[email protected]
 
-      - name: Build conformance binary
-        run: cargo build --release --package sigstore-conformance
+      - name: Build binaries
+        run: |
+          cargo build --release --package sigstore-conformance
+          cargo build --release --example verify_bundle
 
       - uses: sigstore/sigstore-conformance@main
         with:
           entrypoint: ./target/release/conformance
+
+      - name: Upload verify_bundle binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: verify_bundle
+          path: target/release/examples/verify_bundle
+
+  mutation-tests:
+    name: Mutation Fuzzing
+    runs-on: ubuntu-latest
+    needs: conformance
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Download verify_bundle binary
+        uses: actions/download-artifact@v4
+        with:
+          name: verify_bundle
+          path: target/release/examples
+
+      - name: Make binary executable
+        run: chmod +x target/release/examples/verify_bundle
+
+      - name: Clone sigstore-conformance test data
+        run: git clone --depth 1 https://github.com/sigstore/sigstore-conformance.git
+
+      - name: Run mutation fuzzer
+        run: python3 tests/mutation_fuzzer.py --verifier-type rust
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -17,7 +17,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.5.0"
+version = "0.6.0"
 edition = "2021"
 license = "BSD-3-Clause"
 repository = "https://github.com/wolfv/sigstore-rust"
@@ -87,15 +87,15 @@ futures = "0.3"
 directories = "6.0"
 
 # Internal crates (path + version for publishing)
-sigstore-types = { path = "crates/sigstore-types", version = "0.5.0" }
-sigstore-crypto = { path = "crates/sigstore-crypto", version = "0.5.0" }
-sigstore-merkle = { path = "crates/sigstore-merkle", version = "0.5.0" }
-sigstore-tsa = { path = "crates/sigstore-tsa", version = "0.5.0" }
-sigstore-trust-root = { path = "crates/sigstore-trust-root", version = "0.5.0" }
-sigstore-bundle = { path = "crates/sigstore-bundle", version = "0.5.0" }
-sigstore-rekor = { path = "crates/sigstore-rekor", version = "0.5.0" }
-sigstore-fulcio = { path = "crates/sigstore-fulcio", version = "0.5.0" }
-sigstore-oidc = { path = "crates/sigstore-oidc", version = "0.5.0" }
-sigstore-cache = { path = "crates/sigstore-cache", version = "0.5.0" }
-sigstore-verify = { path = "crates/sigstore-verify", version = "0.5.0" }
-sigstore-sign = { path = "crates/sigstore-sign", version = "0.5.0" }
+sigstore-types = { path = "crates/sigstore-types", version = "0.6.0" }
+sigstore-crypto = { path = "crates/sigstore-crypto", version = "0.6.0" }
+sigstore-merkle = { path = "crates/sigstore-merkle", version = "0.6.0" }
+sigstore-tsa = { path = "crates/sigstore-tsa", version = "0.6.0" }
+sigstore-trust-root = { path = "crates/sigstore-trust-root", version = "0.6.0" }
+sigstore-bundle = { path = "crates/sigstore-bundle", version = "0.6.0" }
+sigstore-rekor = { path = "crates/sigstore-rekor", version = "0.6.0" }
+sigstore-fulcio = { path = "crates/sigstore-fulcio", version = "0.6.0" }
+sigstore-oidc = { path = "crates/sigstore-oidc", version = "0.6.0" }
+sigstore-cache = { path = "crates/sigstore-cache", version = "0.6.0" }
+sigstore-verify = { path = "crates/sigstore-verify", version = "0.6.0" }
+sigstore-sign = { path = "crates/sigstore-sign", version = "0.6.0" }
diff --git a/crates/sigstore-bundle/CHANGELOG.md b/crates/sigstore-bundle/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-bundle-v0.5.0...sigstore-bundle-v0.6.0) - 2025-12-07
+
+### Other
+
+- add fuzzing tests
+- improve types and add interop test workflow ([#9](https://github.com/wolfv/sigstore-rust/pull/9))
+
 ## [0.5.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-bundle-v0.4.0...sigstore-bundle-v0.5.0) - 2025-12-01
 
 ### Added

diff --git a/crates/sigstore-bundle/src/validation.rs b/crates/sigstore-bundle/src/validation.rs
@@ -53,6 +53,9 @@ fn validate_v0_1(bundle: &Bundle, options: &ValidationOptions) -> Result<()> {
         ));
     }
 
+    // Validate inclusion proofs if present (v0.1 may have both promise and proof)
+    validate_inclusion_proofs(bundle)?;
+
     // Common validation
     validate_common(bundle, options)
 }

diff --git a/crates/sigstore-sign/CHANGELOG.md b/crates/sigstore-sign/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-sign-v0.5.0...sigstore-sign-v0.6.0) - 2025-12-07
+
+### Other
+
+- improve types and add interop test workflow ([#9](https://github.com/wolfv/sigstore-rust/pull/9))
+
 ## [0.5.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-sign-v0.4.0...sigstore-sign-v0.5.0) - 2025-12-01
 
 ### Added

diff --git a/crates/sigstore-types/CHANGELOG.md b/crates/sigstore-types/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-types-v0.5.0...sigstore-types-v0.6.0) - 2025-12-07
+
+### Other
+
+- improve types and add interop test workflow ([#9](https://github.com/wolfv/sigstore-rust/pull/9))
+
 ## [0.4.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-types-v0.3.0...sigstore-types-v0.4.0) - 2025-11-28
 
 ### Other

diff --git a/crates/sigstore-verify/CHANGELOG.md b/crates/sigstore-verify/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-verify-v0.5.0...sigstore-verify-v0.6.0) - 2025-12-07
+
+### Other
+
+- add fuzzing tests
+- improve types and add interop test workflow ([#9](https://github.com/wolfv/sigstore-rust/pull/9))
+
 ## [0.5.0](https://github.com/wolfv/sigstore-rust/compare/sigstore-verify-v0.4.0...sigstore-verify-v0.5.0) - 2025-12-01
 
 ### Added

diff --git a/crates/sigstore-verify/src/verify.rs b/crates/sigstore-verify/src/verify.rs
@@ -364,6 +364,20 @@ impl Verifier {
                 }
             }
         }
+
+        // For MessageSignature bundles, verify the messageDigest matches the artifact
+        if let SignatureContent::MessageSignature(msg_sig) = &bundle.content {
+            if let Some(ref digest) = msg_sig.message_digest {
+                let artifact_hash = compute_artifact_digest(&artifact);
+
+                // Compare the digest in the bundle with the computed artifact hash
+                if digest.digest.as_bytes() != artifact_hash.as_bytes() {
+                    return Err(Error::Verification(
+                        "message digest in bundle does not match artifact hash".to_string(),
+                    ));
+                }
+            }
+        }
         // Note: For hashedrekord (MessageSignature), the signature verification
         // is performed in step (8) by verify_hashedrekord_entries, which properly
         // handles prehashed signatures.