@woodruffw
Member

Our OAuth flow uses authorization_code, in which nonce is not required and has no effect.

@woodruffw woodruffw requested a review from jku January 8, 2026 22:54
@woodruffw woodruffw self-assigned this Jan 8, 2026
@woodruffw woodruffw added the chore label Jan 8, 2026

class _OAuthRedirectHandler(http.server.BaseHTTPRequestHandler):
def log_message(self, _format: str, *_args: Any) -> None:
def log_message(self, format: str, *_args: Any) -> None:
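Review bot: in `log_message`, the new parameter name `format` shadows the `format` builtin and, judging by the previous `_format` spelling, is not used in the override, so linters that flag builtin shadowing or unused arguments may complain on this line. The name is required to match `http.server.BaseHTTPRequestHandler.log_message(self, format, *args)`, so a short comment on the signature saying so (plus a targeted lint suppression if the project's linter needs one) would keep a later cleanup from renaming it back to `_format`. `*_args` still differs from the base class's `*args`, which is harmless because variadic positional arguments cannot be passed by keyword.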
Member Author

@woodruffw woodruffw Jan 8, 2026

Note: fixed this as a very minor but technically invalid Liskov Substitution.

@woodruffw
Member Author

woodruffw commented Jan 8, 2026

This error makes zero sense to me:

ERROR: In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    importlib_resources~=5.7 from https://files.pythonhosted.org/packages/7a/68/bd9dd6bbf06772c7accce77d0354d783333fbe712a60b08fc13540c05422/importlib_resources-5.13.0-py3-none-any.whl (from sigstore==4.1.0->-r install/requirements.txt (line 446))
Error: Process completed with exit code 1.

I don't understand how it even sees that importlib_resources version, since we're not actually doing any dependency resolution here, just installing from fully hashed requirements.

Ah, this is probably pypa/pip#9644.

Member

@jku jku left a comment

Agreed

@woodruffw woodruffw merged commit a2eb492 into main Jan 9, 2026
44 checks passed
@woodruffw woodruffw deleted the ww/rm-nonce branch January 9, 2026 15:22