Merge pull request #137 from Venafi/experimental-pqc-support

pqc experimental signing support + fixes

EXPERIMENTAL.md

@@ -4,6 +4,28 @@ While parts of `vsign` are stable, we are continuing to experiment and add new f
 
 **Note: the following providers require online access to CodeSign Protect for both signing and verification**
 
+#### PQC Experimental Signing Support
+
+ML-DSA44 example
+
+```
+vsign sign --config test/config.ini --output-signature test/output.sig --payload test/data.txt --mechanism 2147483650
+```
+
+SLH-DSA-SHA2-256S example
+
+```
+vsign sign --config test/config.ini --output-signature test/output.sig --payload test/data.txt --mechanism 2147483652
+```
+
+SLH-DSA-SHAKE-256S example
+
+```
+vsign sign --config test/config.ini --output-signature test/output.sig --payload test/data.txt --mechanism 2147483652 --digest shake
+```
+
+**Note: PQC verification not currently supported given experimental state of algorithms and no official library support**
+
 #### Jar Signing
 
 Inspired by the [Relic](https://github.com/sassoftware/relic) project

cmd/vsign/cli/sign/sign.go

@@ -34,7 +34,6 @@ import (
 	"github.com/sassoftware/relic/v7/cmdline/shared"
 	"github.com/venafi/vsign/pkg/plugin/signers"
 	"github.com/venafi/vsign/pkg/provider/audit"
-	"github.com/venafi/vsign/pkg/provider/certloader"
 	cp "github.com/venafi/vsign/pkg/provider/cosign"
 )
 
@@ -108,9 +107,11 @@ func SignCmd(ctx context.Context, fs *pflag.FlagSet, signOpts options.SignOption
 			return fmt.Errorf(err.Error())
 		}
 
-		if cp.WriteSignatures(ctx, signOpts.ImageRef, data, sig, c.EncodeBase64(sig)) != nil {
+		err = cp.WriteSignatures(ctx, signOpts.ImageRef, data, sig, c.EncodeBase64(sig))
+		if err != nil {
 			return fmt.Errorf(err.Error())
 		}
+
 		fmt.Fprintln(os.Stderr, "Pushing signature to: ", signOpts.ImageRef)
 		return nil
 	}
@@ -170,8 +171,8 @@ func SignCmd(ctx context.Context, fs *pflag.FlagSet, signOpts options.SignOption
 	if err != nil {
 		return shared.Fail(err)
 	}
-	var cert certloader.Certificate = certloader.Certificate{Leaf: certs[0], Certificates: certs}
-	blob, err := mod.Sign(stream, &cert, *opts)
+
+	blob, err := mod.Sign(stream, certs, *opts)
 	if err != nil {
 		return shared.Fail(err)
 	}

cmd/vsign/cli/sign/sign_verify_test.go

@@ -239,6 +239,42 @@ func TestSign(t *testing.T) {
 			publicKeyPath: "../../../../test/ed25519.pub",
 			expected:      nil,
 		},
+		{
+			description:   "Ml-Dsa44 Sha256 valid test",
+			project:       "vsign\\ml-dsa44",
+			payload:       sample_payload,
+			mechanism:     c.MlDsa,
+			digest:        "sha256",
+			publicKeyPath: "../../../../test/tbd.pub",
+			expected:      nil,
+		},
+		{
+			description:   "Slh-dsa-sha2-128s Sha256 valid test",
+			project:       "vsign\\slh-dsa-sha2-128s",
+			payload:       sample_payload,
+			mechanism:     c.SlhDsa,
+			digest:        "sha256",
+			publicKeyPath: "../../../../test/tbd.pub",
+			expected:      nil,
+		},
+		{
+			description:   "Slh-dsa-shake-256s Sha256 valid test",
+			project:       "vsign\\slh-dsa-shake-256s",
+			payload:       sample_payload,
+			mechanism:     c.SlhDsa,
+			digest:        "shake",
+			publicKeyPath: "../../../../test/tbd.pub",
+			expected:      nil,
+		},
+		{
+			description:   "Slh-dsa-shake-128f Sha256 valid test",
+			project:       "vsign\\slh-dsa-shake-128f",
+			payload:       sample_payload,
+			mechanism:     c.SlhDsa,
+			digest:        "shake",
+			publicKeyPath: "../../../../test/tbd.pub",
+			expected:      nil,
+		},
 	}
 
 	err := setTLSConfig()
@@ -276,10 +312,12 @@ func TestSign(t *testing.T) {
 				errs = append(errs, err.Error())
 				//require.Contains(t, tc.expected, []string{err.Error()})
 			}
-			err = c.Verify([]byte(tc.payload), sig, tc.digest, tc.publicKeyPath)
-			if err != nil {
-				errs = append(errs, err.Error())
-				require.Equal(t, tc.expected, errs)
+			if tc.mechanism != c.MlDsa && tc.mechanism != c.SlhDsa { // Need PQC golang crypto verification support
+				err = c.Verify([]byte(tc.payload), sig, tc.digest, tc.publicKeyPath)
+				if err != nil {
+					errs = append(errs, err.Error())
+					require.Equal(t, tc.expected, errs)
+				}
 			}
 
 		})

cmd/vsign/cli/verify/verify.go

@@ -86,7 +86,7 @@ func VerifyCmd(ctx context.Context, verifyOpts options.VerifyOptions, args []str
 		mod = signers.ByFileName(verifyOpts.SignaturePath)
 	}
 	if mod == nil {
-		return fmt.Errorf("unknown filetype: %v", err.Error())
+		return fmt.Errorf("unknown filetype")
 	}
 
 	if mod.VerifyStream != nil {

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
 	github.com/mattetti/filebuffer v1.0.1
 	github.com/pkg/errors v0.9.1
-	github.com/sigstore/sigstore v1.8.5
+	github.com/sigstore/sigstore v1.8.6
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
 	golang.org/x/crypto v0.24.0
@@ -45,21 +45,21 @@ require (
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 	github.com/aliyun/credentials-go v1.3.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
-	github.com/aws/smithy-go v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
@@ -115,7 +115,7 @@ require (
 	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20240613153800-a69ba997609e // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

go.sum

@@ -113,41 +113,41 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
 github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
 github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
-github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
-github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
-github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
 github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
 github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
 github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
@@ -416,8 +416,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/letsencrypt/boulder v0.0.0-20240613153800-a69ba997609e h1:+e81SDvSs49Z03S3S7OhoYjT2Ryv73ErLA/ExMm0FEg=
-github.com/letsencrypt/boulder v0.0.0-20240613153800-a69ba997609e/go.mod h1:xN4NICCU1WBlUv60BGgMyGuungNTy/aQqjEntJWmgaM=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
@@ -539,8 +539,8 @@ github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc
 github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.5 h1:8NrF2tGlvOvFnaRJcU+VehwG4W/Zb2/7Khavm5PGRGI=
-github.com/sigstore/sigstore v1.8.5/go.mod h1:fJgbV5XFUbrhFAZSlv0ol7QJeH2PIUJJbfDEwUf3bvQ=
+github.com/sigstore/sigstore v1.8.6 h1:g066b/Nw5r5oxhNv4XqJUUzVcyf1b07itUueiQe7rZM=
+github.com/sigstore/sigstore v1.8.6/go.mod h1:UOBrJd9JBQ81DrkpGljzsIFXEtfC30raHvLWFWG857U=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=

pkg/crypto/crypto.go

@@ -14,13 +14,9 @@ import (
 	"hash"
 	"math/big"
 	"os"
-)
 
-type alg struct {
-	Name      string
-	Mechanism int
-	Size      int //bytes
-}
+	"golang.org/x/crypto/sha3"
+)
 
 type PSSMechanism struct {
 	Mechanism int
@@ -64,24 +60,9 @@ const Mgf1Sha256 = 2
 const Mgf1Sha384 = 3
 const Mgf1Sha512 = 4
 
-func getSupportedMechanisms() []alg {
-	return []alg{
-		{Name: "RsaPkcs", Mechanism: RsaPkcs, Size: 32},
-		{Name: "EcDsaSha256", Mechanism: EcDsaSha256, Size: 64},
-		{Name: "EcDsaSha384", Mechanism: EcDsaSha384, Size: 96},
-		{Name: "EcDsaSha512", Mechanism: EcDsaSha512, Size: 132},
-		{Name: "EdDsa", Mechanism: EdDsa, Size: 64},
-	}
-}
-
-func getMechanismSize(mechanism int) int {
-	for _, m := range getSupportedMechanisms() {
-		if m.Mechanism == mechanism {
-			return m.Size
-		}
-	}
-	return 0
-}
+// Experimental PQC support
+const MlDsa = 2147483650
+const SlhDsa = 2147483652
 
 func GetPSSMechanism(digest string) PSSMechanism {
 	switch digest {
@@ -112,6 +93,8 @@ func GetHasher(digest string) (hash.Hash, crypto.Hash, []byte) {
 		return crypto.Hash.New(crypto.SHA384), crypto.SHA384, []byte{0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}
 	case "sha512":
 		return crypto.Hash.New(crypto.SHA512), crypto.SHA512, []byte{0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}
+	case "shake":
+		return sha3.New256(), crypto.SHA256, nil
 	default:
 		return crypto.Hash.New(crypto.SHA256), crypto.SHA256, []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}
 	}
@@ -161,9 +144,11 @@ func EncodeASN1(rawBase64sig string, mechanism int) ([]byte, error) {
 	}
 
 	switch mechanism {
-	case RsaPkcs, RsaSha1, RsaSha256, RsaSha384, RsaSha512, RsaPkcsPss, RsaPssSha1, RsaPssSha256, RsaPssSha384, RsaPssSha512:
+	case RsaPkcs, EdDsa, RsaSha1, RsaSha256, RsaSha384, RsaSha512, RsaPkcsPss, RsaPssSha1, RsaPssSha256, RsaPssSha384, RsaPssSha512:
 		return sigbytes, nil
-	case EcDsa, EcDsaSha1, EcDsaSha224, EcDsaSha256, EcDsaSha384, EcDsaSha512, EdDsa:
+	case MlDsa, SlhDsa: // Experimental PQC support
+		return sigbytes, nil
+	case EcDsa, EcDsaSha1, EcDsaSha224, EcDsaSha256, EcDsaSha384, EcDsaSha512:
 		r := new(big.Int).SetBytes(sigbytes[0 : len(sigbytes)/2])
 		s := new(big.Int).SetBytes(sigbytes[len(sigbytes)/2:])
 		components := sig{r, s}
@@ -193,7 +178,7 @@ func Verify(data []byte, signature []byte, digest string, publicKeyPath string)
 
 	pemBytes, err := os.ReadFile(publicKeyPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("public key not found: %v", err.Error())
 	}
 
 	block, _ := pem.Decode(pemBytes)
@@ -211,18 +196,19 @@ func Verify(data []byte, signature []byte, digest string, publicKeyPath string)
 		if !ecdsa.VerifyASN1(publicKey, hasher.Sum(nil), signature) {
 			return fmt.Errorf("failed verification")
 		}
-	case *ed25519.PublicKey:
-		if !ed25519.Verify(*publicKey, data, signature) {
+	case ed25519.PublicKey:
+		if !ed25519.Verify(publicKey, data, signature) {
 			return fmt.Errorf("failed verification")
 		}
 	case *rsa.PublicKey:
-
 		if err := rsa.VerifyPKCS1v15(publicKey, hashAlgo, hasher.Sum(nil), signature); err != nil {
 			er1 := rsa.VerifyPSS(publicKey, hashAlgo, hasher.Sum(nil), signature, nil)
 			if er1 != nil {
 				return fmt.Errorf("failed verification: %v", er1.Error())
 			}
 		}
+	default:
+		return fmt.Errorf("invalid mechanism and/or currently not supported")
 	}
 
 	//Verification successful