Merge pull request #2281 from mtrmac/rekor-sha-comment

Add a comment about Rekor 1.3.5
containers · Feb 6, 2024 · d50fa90 · d50fa90
2 parents 6306ca0 + 083f562
commit d50fa90
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go
@@ -219,6 +219,10 @@ func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unver
 	if hashedRekordV001.Data.Hash.Algorithm == nil {
 		return time.Time{}, NewInvalidSignatureError(`Missing "data.hash.algorithm" field in hashedrekord`)
 	}
+	// FIXME: Rekor 1.3.5 has added SHA-386 and SHA-512 as recognized values.
+	// Eventually we should support them as well; doing that cleanly would require updqating to Rekor 1.3.5, which requires Go 1.21.
+	// Short-term, Cosign (as of 2024-02 and Cosign 2.2.3) only produces and accepts SHA-256, so right now that’s not a compatibility
+	// issue.
 	if *hashedRekordV001.Data.Hash.Algorithm != models.HashedrekordV001SchemaDataHashAlgorithmSha256 {
 		return time.Time{}, NewInvalidSignatureError(fmt.Sprintf(`Unexpected "data.hash.algorithm" value %#v`, *hashedRekordV001.Data.Hash.Algorithm))
 	}