@@ -441,21 +441,26 @@ def verify_dsse(
441441 and entry ._kind_version .version == "0.0.2"
442442 ):
443443 try :
444- entry_body = v2 .Entry ().from_json (base64 .b64decode (entry .body ))
444+ v2_body = v2 .Entry ().from_json (base64 .b64decode (entry .body ))
445445 except ValidationError as exc :
446446 raise VerificationError (f"invalid DSSE log entry: { exc } )
447447
448+ if v2_body .spec .dsse_v002 is None :
449+ raise VerificationError (
450+ "invalid DSSE log entry: missing dsse_v002 field"
451+ )
452+
448453 if (
449- entry_body .spec .dsse_v002 .payload_hash .algorithm
454+ v2_body .spec .dsse_v002 .payload_hash .algorithm
450455 != v1 .HashAlgorithm .SHA2_256
451456 ):
452457 raise VerificationError ("expected SHA256 hash in DSSE entry" )
453458
454- payload_hash = sha256_digest (envelope ._inner .payload ).digest
455- if entry_body .spec .dsse_v002 .payload_hash .digest != payload_hash :
459+ digest = sha256_digest (envelope ._inner .payload ).digest
460+ if v2_body .spec .dsse_v002 .payload_hash .digest != digest :
456461 raise VerificationError ("DSSE entry payload hash does not match bundle" )
457462
458- signatures = [
463+ v2_signatures = [
459464 v2 .Signature (
460465 content = signature .sig ,
461466 verifier = v2 .Verifier (
@@ -469,7 +474,7 @@ def verify_dsse(
469474 )
470475 for signature in envelope ._inner .signatures
471476 ]
472- if signatures != entry_body .spec .dsse_v002 .signatures :
477+ if v2_signatures != v2_body .spec .dsse_v002 .signatures :
473478 raise VerificationError ("log entry signatures do not match bundle" )
474479 else :
475480 try :
@@ -481,15 +486,13 @@ def verify_dsse(
481486
482487 payload_hash = sha256_digest (envelope ._inner .payload ).digest .hex ()
483488 if (
484- # type: ignore[union-attr]
485- entry_body .spec .root .payload_hash .algorithm
489+ entry_body .spec .root .payload_hash .algorithm # type: ignore[union-attr]
486490 != rekor_types .dsse .Algorithm .SHA256
487491 ):
488492 raise VerificationError (
489493 "expected SHA256 payload hash in DSSE log entry"
490494 )
491- # type: ignore[union-attr]
492- if payload_hash != entry_body .spec .root .payload_hash .value :
495+ if payload_hash != entry_body .spec .root .payload_hash .value : # type: ignore[union-attr]
493496 raise VerificationError ("log entry payload hash does not match bundle" )
494497
495498 # NOTE: Like `dsse._verify`: multiple signatures would be frivolous here,
@@ -553,7 +556,12 @@ def verify_artifact(
553556 entry ._kind_version .kind == "hashedrekord"
554557 and entry ._kind_version .version == "0.0.2"
555558 ):
556- expected_body = v2 .Entry (
559+ if bundle ._inner .message_signature is None :
560+ raise VerificationError (
561+ "invalid hashedrekord log entry: missing message signature"
562+ )
563+
564+ v2_expected_body = v2 .Entry (
557565 kind = entry ._kind_version .kind ,
558566 api_version = entry ._kind_version .version ,
559567 spec = v2 .Spec (
@@ -578,19 +586,23 @@ def verify_artifact(
578586 )
579587 ),
580588 )
581- actual_body = v2 .Entry ().from_json (base64 .b64decode (entry .body ))
589+ v2_actual_body = v2 .Entry ().from_json (base64 .b64decode (entry .body ))
590+ if v2_expected_body != v2_actual_body :
591+ raise VerificationError (
592+ "transparency log entry is inconsistent with other materials"
593+ )
594+
582595 else :
583596 expected_body = _hashedrekord_from_parts (
584597 bundle .signing_certificate ,
585- # type: ignore[union-attr]
586- bundle ._inner .message_signature .signature ,
598+ bundle ._inner .message_signature .signature , # type: ignore[union-attr]
587599 hashed_input ,
588600 )
589601 actual_body = rekor_types .Hashedrekord .model_validate_json (
590602 base64 .b64decode (entry .body )
591603 )
592604
593- if expected_body != actual_body :
594- raise VerificationError (
595- "transparency log entry is inconsistent with other materials"
596- )
605+ if expected_body != actual_body :
606+ raise VerificationError (
607+ "transparency log entry is inconsistent with other materials"
608+ )
0 commit comments