From 083f562d711abf8ba66bbd9070792add0a24c4ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Mon, 5 Feb 2024 21:10:37 +0100
Subject: [PATCH] Add a comment about Rekor 1.3.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Should not change behavior.

Signed-off-by: Miloslav Trmač
---
 signature/internal/rekor_set.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go
index d86e98a45..50243da33 100644
--- a/signature/internal/rekor_set.go
+++ b/signature/internal/rekor_set.go
@@ -219,6 +219,10 @@ func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unver
 if hashedRekordV001.Data.Hash.Algorithm == nil {
 return time.Time{}, NewInvalidSignatureError(`Missing "data.hash.algorithm" field in hashedrekord`)
 }
+// FIXME: Rekor 1.3.5 has added SHA-386 and SHA-512 as recognized values.
+// Eventually we should support them as well; doing that cleanly would require updqating to Rekor 1.3.5, which requires Go 1.21.
+// Short-term, Cosign (as of 2024-02 and Cosign 2.2.3) only produces and accepts SHA-256, so right now that’s not a compatibility
+// issue.
 if *hashedRekordV001.Data.Hash.Algorithm != models.HashedrekordV001SchemaDataHashAlgorithmSha256 {
 return time.Time{}, NewInvalidSignatureError(fmt.Sprintf(`Unexpected "data.hash.algorithm" value %#v`, *hashedRekordV001.Data.Hash.Algorithm))
 }
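Review bot: The first added comment line names "SHA-386", which is not a standard digest name; presumably SHA-384 is meant, and the second line has "updqating" for "updating", so the lines should read `// FIXME: Rekor 1.3.5 has added SHA-384 and SHA-512 as recognized values.` and `// Eventually we should support them as well; doing that cleanly would require updating to Rekor 1.3.5, which requires Go 1.21.`. Since this FIXME is the note a future maintainer will act on, it is also worth stating explicitly that the check below is a fail-closed allowlist (any algorithm other than SHA-256 is rejected with NewInvalidSignatureError), so adding SHA-384/SHA-512 later must extend that allowlist with the specific constants rather than drop or loosen the comparison. The enclosing VerifyRekorSET body begins before and continues after this hunk.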