Merge branch 'main' into ww/use-keydetails

pyproject.toml

@@ -34,7 +34,7 @@ dependencies = [
   "requests",
   "rich ~= 13.0",
   "rfc8785 ~= 0.1.2",
-  "sigstore-protobuf-specs ~= 0.3",
+  "sigstore-protobuf-specs ~= 0.3.1",
   # NOTE(ww): Under active development, so strictly pinned.
   "sigstore-rekor-types == 0.0.12",
   "tuf >= 2.1,< 4.0",

sigstore/_utils.py

@@ -77,7 +77,8 @@ class BundleType(str, Enum):
 
     BUNDLE_0_1 = "application/vnd.dev.sigstore.bundle+json;version=0.1"
     BUNDLE_0_2 = "application/vnd.dev.sigstore.bundle+json;version=0.2"
-    BUNDLE_0_3 = "application/vnd.dev.sigstore.bundle+json;version=0.3"
+    BUNDLE_0_3_ALT = "application/vnd.dev.sigstore.bundle+json;version=0.3"
+    BUNDLE_0_3 = "application/vnd.dev.sigstore.bundle.v0.3+json"
 
     def __str__(self) -> str:
         """Returns the variant's string value."""

sigstore/verify/models.py

@@ -180,7 +180,7 @@ def _verify_bundle(self) -> None:
             raise InvalidBundle(f"unsupported bundle format: {self._inner.media_type}")
 
         # Extract the signing certificate.
-        if media_type == BundleType.BUNDLE_0_3:
+        if media_type in (BundleType.BUNDLE_0_3, BundleType.BUNDLE_0_3_ALT):
             # For "v3" bundles, the signing certificate is the only one present.
             leaf_cert = load_der_x509_certificate(
                 self._inner.verification_material.certificate.raw_bytes

test/unit/assets/bundle_cve_2022_36056.txt.sigstore

@@ -1,5 +1,5 @@
 {
-    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
+    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
     "verificationMaterial": {
         "certificate": {
             "rawBytes": "MIIC1TCCAlqgAwIBAgIUJr7mMojh1Oa9vVrbOBBwKRnPDhQwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwMzE1MjAxNzA2WhcNMjQwMzE1MjAyNzA2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbhRwArjwQ6hh2GoqrM9QCmMBxeKPLA35VxEWtAM4LaHj0yJd8JV8GV0eaPEjnMiC/Y92GU39iPVWmKYqIa9yZ6OCAXkwggF1MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUEK6qVW+7VoizwygGTpYPKi9sAmAwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIwYDVR0RAQH/BBkwF4EVd2lsbGlhbUB5b3NzYXJpYW4ubmV0MCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2ACswvNxoiMni4dgmKV50H0g5MZYC8pwzy15DQP6yrIZ6AAABjkPC13IAAAQDAEcwRQIhAKu8giO4JLjCB12g9bnqXNvLuRbcvFqTysjymJRXXGXPAiAhdLH8tY1S+gjUBew/be3YxndS/S88d/hSWbunUuANYjAKBggqhkjOPQQDAwNpADBmAjEAv1NAfS3UM3PVdMnom8CpFSgkTcWSt73md3+PVGpnEruaZSM4w/M932587R+McvL+AjEA1elUEuYaPTAkm1JHDNGSMRDNFkqXGtjAar6QCYkEJI20d2MIaOy8unvvIs54LxxJ"

test/unit/assets/bundle_v3.txt

@@ -0,0 +1,5 @@
+DO NOT MODIFY ME!
+
+this is the input for bundle_v3, which tests support for "v3" bundles.
+
+DO NOT MODIFY ME!

test/unit/assets/bundle_v3.txt.sigstore

@@ -0,0 +1,53 @@
+{
+    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+    "verificationMaterial": {
+        "certificate": {
+            "rawBytes": "MIIC1DCCAlqgAwIBAgIUO3tlVbLtvLPp+6zGOtep1SPkRigwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwNDAyMTkxOTA5WhcNMjQwNDAyMTkyOTA5WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENdrfpgNU1Rjmz+j65rpJWKc08ruKYy4FX7nmmOnbauFZimsQXrdyDSXKNRtEXX4X3t/Amt+euwPDBh+eq7BCnqOCAXkwggF1MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUGRlBhD0wvzAfLb2dMWOgPrrJuRkwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIwYDVR0RAQH/BBkwF4EVd2lsbGlhbUB5b3NzYXJpYW4ubmV0MCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2ACswvNxoiMni4dgmKV50H0g5MZYC8pwzy15DQP6yrIZ6AAABjqBAQZ4AAAQDAEcwRQIgeWUmtnD0MFUl5kkX7nbMdLWCsDGIPzdIlN+WaZF0TmkCIQC7+31saqrFe9RmduVZ2dxXhUPrajltuSDHb1vSGOcuHjAKBggqhkjOPQQDAwNoADBlAjEAn2+uuLHsnH9Db7zkIdF65YhiXbgMMF//iHc+B/QETK0HYVcOPTK3p46FUzXFD6xrAjAO2hrkfjBKANKjJJxHV3FVrtS+TR0GCP0HzC3D7Br95TXzfO7+j4Dd8/N/aAr6Ibs="
+        },
+        "tlogEntries": [
+            {
+                "logIndex": "25915956",
+                "logId": {
+                    "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
+                },
+                "kindVersion": {
+                    "kind": "hashedrekord",
+                    "version": "0.0.1"
+                },
+                "integratedTime": "1712085549",
+                "inclusionPromise": {
+                    "signedEntryTimestamp": "MEYCIQD2KXW1NppUhkPPzGR8NrUIyN+MzZSSqGZQO7CzvhSnYgIhAO9AHzjbsr1AHXRHmEpdPZcoFHEwwMTgfqwjoOXVMmqN"
+                },
+                "inclusionProof": {
+                    "logIndex": "25901137",
+                    "rootHash": "iGAoHccJIyFemFxmEftti2YC8hvPqixBi5y1EyvfF4c=",
+                    "treeSize": "25901138",
+                    "hashes": [
+                        "UHUr+lvxENI+G902oEsFW5ovQILgqO9mUWWxvvwHZZc=",
+                        "IcMBsbH3GRW8FX2CiL/ljMb45vzmENmhp5Yp/7IW998=",
+                        "SxC6nr0zP+a6kWb6nO2fmEtz8BYAbqEXc+dsqGLdRPM=",
+                        "sppZRSz/vdeLlavgvICrXHLeReMTJw98bs9HJ0I8WnE=",
+                        "c8lCSuBS6MzrRnt6OiyYjqhTyxUI/22gpVB7dblfDis=",
+                        "eJk64J6cMpIljPSX/72kH0kiIeElyypQm5vJ2gMMyHw=",
+                        "hbIK+jmAwQjU7Yi3iKvnfR1u7GNippk7QsRwJXIuRaw=",
+                        "tpHWIEB2vNU5ZmC68dj1Hh9cwQK083ozogA6zJ3cJ8A=",
+                        "arvuzAipUJ14nDj14OBlvkMSicjdsE9Eus3hq9Jpqdk=",
+                        "Edul4W41O3EfxKEEMlX2nW0+GTgCv00nGmcpwhALgVA=",
+                        "rBWB37+HwkTZgDv0rMtGBUoDI0UZqcgDZp48M6CaUlA="
+                    ],
+                    "checkpoint": {
+                        "envelope": "rekor.sigstage.dev - 8050909264565447525\n25901138\niGAoHccJIyFemFxmEftti2YC8hvPqixBi5y1EyvfF4c=\n\n\u2014 rekor.sigstage.dev 0y8wozBFAiAMJJLbnNOnmizMbVBz9/A/qnMK15BudWoZkuE+obD6CAIhAJf6A3h2iOpuhz/duEhG3fbAQG9PXln4wXPHFBT5wT1a\n"
+                    }
+                },
+                "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ZTZhZTlkZTU4YzExNzdiZWE2MTViNGZjYmZiMmZkNjg4ZThjNGI1MWMyZTU2YjZhMzhlODE3ODMzZWMyNGEyIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRFFTSmk5YWVydFFobVQrY2UxaktOZENlNEtTY3NLR3E5ZlBtMzQyMkRCU0FpRUFoajFzeFo5Nm9ySVRzUXh5TUxJRFJKaW1wb3kxSjFNeWZsY1FWd2tremhzPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTXhSRU5EUVd4eFowRjNTVUpCWjBsVlR6TjBiRlppVEhSMlRGQndLelo2UjA5MFpYQXhVMUJyVW1sbmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDVFUVhsTlZHdDRUMVJCTlZkb1kwNU5hbEYzVGtSQmVVMVVhM2xQVkVFMVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZPWkhKbWNHZE9WVEZTYW0xNksybzJOWEp3U2xkTFl6QTRjblZMV1hrMFJsZzNibTBLYlU5dVltRjFSbHBwYlhOUldISmtlVVJUV0V0T1VuUkZXRmcwV0ROMEwwRnRkQ3RsZFhkUVJFSm9LMlZ4TjBKRGJuRlBRMEZZYTNkblowWXhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZIVW14Q0NtaEVNSGQyZWtGbVRHSXlaRTFYVDJkUWNuSktkVkpyZDBoM1dVUldVakJxUWtKbmQwWnZRVlZqV1ZsM2NHaFNPRmx0THpVNU9XSXdRbEp3TDFndkwzSUtZalozZDBsM1dVUldVakJTUVZGSUwwSkNhM2RHTkVWV1pESnNjMkpIYkdoaVZVSTFZak5PZWxsWVNuQlpWelIxWW0xV01FMURkMGREYVhOSFFWRlJRZ3BuTnpoM1FWRkZSVWh0YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPWE5pTW1Sd1ltazVkbGxZVmpCaFJFRjFRbWR2Y2tKblJVVkJXVTh2Q2sxQlJVbENRMEZOU0cxb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01YzJJeVpIQmlhVGwyV1ZoV01HRkVRMEpwWjFsTFMzZFpRa0pCU0ZjS1pWRkpSVUZuVWpoQ1NHOUJaVUZDTWtGRGMzZDJUbmh2YVUxdWFUUmtaMjFMVmpVd1NEQm5OVTFhV1VNNGNIZDZlVEUxUkZGUU5ubHlTVm8yUVVGQlFncHFjVUpCVVZvMFFVRkJVVVJCUldOM1VsRkpaMlZYVlcxMGJrUXdUVVpWYkRWcmExZzNibUpOWkV4WFEzTkVSMGxRZW1SSmJFNHJWMkZhUmpCVWJXdERDa2xSUXpjck16RnpZWEZ5Um1VNVVtMWtkVlphTW1SNFdHaFZVSEpoYW14MGRWTkVTR0l4ZGxOSFQyTjFTR3BCUzBKblozRm9hMnBQVUZGUlJFRjNUbThLUVVSQ2JFRnFSVUZ1TWl0MWRVeEljMjVJT1VSaU4zcHJTV1JHTmpWWmFHbFlZbWROVFVZdkwybElZeXRDTDFGRlZFc3dTRmxXWTA5UVZFc3pjRFEyUmdwVmVsaEdSRFo0Y2tGcVFVOHlhSEpyWm1wQ1MwRk9TMnBLU25oSVZqTkdWbkowVXl0VVVqQkhRMUF3U0hwRE0wUTNRbkk1TlZSWWVtWlBOeXRxTkVSa0NqZ3ZUaTloUVhJMlNXSnpQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09In19fX0="
+            }
+        ]
+    },
+    "messageSignature": {
+        "messageDigest": {
+            "algorithm": "SHA2_256",
+            "digest": "Xmrp3ljBF3vqYVtPy/sv1ojoxLUcLla2o46BeDPsJKI="
+        },
+        "signature": "MEUCIDQSJi9aertQhmT+ce1jKNdCe4KScsKGq9fPm3422DBSAiEAhj1sxZ96orITsQxyMLIDRJimpoy1J1MyflcQVwkkzhs="
+    }
+}

test/unit/assets/bundle_v3_alt.txt

@@ -0,0 +1,6 @@
+DO NOT MODIFY ME!
+
+this is the input for bundle_v3_alt, which tests support for "v3" bundles
+with the older ("alternate") v3 media type.
+
+DO NOT MODIFY ME!

test/unit/assets/bundle_v3_alt.txt.sigstore

@@ -0,0 +1,55 @@
+{
+    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
+    "verificationMaterial": {
+        "certificate": {
+            "rawBytes": "MIIC1TCCAlqgAwIBAgIUM8X9bqAVFpaofemSrcgku8oJ/T8wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwNDAyMTkyMDE2WhcNMjQwNDAyMTkzMDE2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4tx/Vclr8Yr3ArUW9kIEFuR4mynLKKScX2ECX+I4WsXi6Q/0JUoVM2B/U3e97BZcl/bWHEToeshhWiQLaGztX6OCAXkwggF1MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU7611Rsd/9kcw/cE/Fe3B5fUfpt0wHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIwYDVR0RAQH/BBkwF4EVd2lsbGlhbUB5b3NzYXJpYW4ubmV0MCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDAuBgorBgEEAYO/MAEIBCAMHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCBigYKKwYBBAHWeQIEAgR8BHoAeAB2ACswvNxoiMni4dgmKV50H0g5MZYC8pwzy15DQP6yrIZ6AAABjqBBR8IAAAQDAEcwRQIhAOb1ZBDYuTNMa1RVLWvER4K51+ugnGYPCZKCXwx3hb+DAiBXX1DDn6Xv9B/RC5s3ZMQfbZ6jN7DFXQqDi/r3GLMP2DAKBggqhkjOPQQDAwNpADBmAjEAvXkFJvo2uuPZ7L5aRixEkysAF24+vRmISzcE2qTrGbzmqCW1AFzbnFsLhllo8IEJAjEAgEr9lfJZJCDLE1kV9M3/nfsPD/6ZNtDbU0vRjeygnXgsXJkrf96SjZCCfIlzxczF"
+        },
+        "tlogEntries": [
+            {
+                "logIndex": "25915997",
+                "logId": {
+                    "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
+                },
+                "kindVersion": {
+                    "kind": "hashedrekord",
+                    "version": "0.0.1"
+                },
+                "integratedTime": "1712085616",
+                "inclusionPromise": {
+                    "signedEntryTimestamp": "MEUCIQCDbNwTMuX7lJt//HauYK0/RZ6UbKbYVR+vEr7rns4/ngIgSwRaRO2ody7uWMtIwe/ZRKwvl7+3Kn3IYKZDEj6CX8w="
+                },
+                "inclusionProof": {
+                    "logIndex": "25901178",
+                    "rootHash": "q0g3yMEVgKep9vgSfpTBZYld9mlsniTqXHzBAorxMtE=",
+                    "treeSize": "25901179",
+                    "hashes": [
+                        "6HxJ5B0YCXus8f+tO/yVTLFaLZfwjiaOnBOmhSzIo8k=",
+                        "Oa+3NjADjkBP1F7UrrJ8l7melp/y6mIlgHuEEGdSDrI=",
+                        "B4/zyNNgeuMr+zPZ/+mSVl//HFmVSxVWsNL1dHh4hw0=",
+                        "NzOg27Ucfb8sHqU9tZnKC5VZFuIsRpDYoqmBAPzB42g=",
+                        "SxC6nr0zP+a6kWb6nO2fmEtz8BYAbqEXc+dsqGLdRPM=",
+                        "sppZRSz/vdeLlavgvICrXHLeReMTJw98bs9HJ0I8WnE=",
+                        "c8lCSuBS6MzrRnt6OiyYjqhTyxUI/22gpVB7dblfDis=",
+                        "eJk64J6cMpIljPSX/72kH0kiIeElyypQm5vJ2gMMyHw=",
+                        "hbIK+jmAwQjU7Yi3iKvnfR1u7GNippk7QsRwJXIuRaw=",
+                        "tpHWIEB2vNU5ZmC68dj1Hh9cwQK083ozogA6zJ3cJ8A=",
+                        "arvuzAipUJ14nDj14OBlvkMSicjdsE9Eus3hq9Jpqdk=",
+                        "Edul4W41O3EfxKEEMlX2nW0+GTgCv00nGmcpwhALgVA=",
+                        "rBWB37+HwkTZgDv0rMtGBUoDI0UZqcgDZp48M6CaUlA="
+                    ],
+                    "checkpoint": {
+                        "envelope": "rekor.sigstage.dev - 8050909264565447525\n25901179\nq0g3yMEVgKep9vgSfpTBZYld9mlsniTqXHzBAorxMtE=\n\n\u2014 rekor.sigstage.dev 0y8wozBFAiAt/kYsQHQLeEo7R5UmNw7n7Mhn07ihpmFDC0zF1OfHSAIhAPCVUCdlUxnW7tz9Ob3IsX7e3St7pMwz32414GQZ6woa\n"
+                    }
+                },
+                "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0MTkxZTZiNGUyYjAyNjBlNmUyOTdkNDc5N2QyYTg3MzU4NDk2NWFmZWYwMjFiZjIyZjJiYjdiZWM0MTEwMmQwIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNVeFo1V1Z0SG9oUEVIVzZwZ0hUQTBvMFoyWGdtUklGOEUvKzBQVGE5YWVRSWdPblRMZHNpYnhXbFpkVlNtckJzNEN3R2JuRXloT0dKc0Z0KzQ2anpjQU1VPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTXhWRU5EUVd4eFowRjNTVUpCWjBsVlRUaFlPV0p4UVZaR2NHRnZabVZ0VTNKaloydDFPRzlLTDFRNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDVFUVhsTlZHdDVUVVJGTWxkb1kwNU5hbEYzVGtSQmVVMVVhM3BOUkVVeVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVUwZEhndlZtTnNjamhaY2pOQmNsVlhPV3RKUlVaMVVqUnRlVzVNUzB0VFkxZ3lSVU1LV0N0Sk5GZHpXR2syVVM4d1NsVnZWazB5UWk5Vk0yVTVOMEphWTJ3dllsZElSVlJ2WlhOb2FGZHBVVXhoUjNwMFdEWlBRMEZZYTNkblowWXhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlUzTmpFeENsSnpaQzg1YTJOM0wyTkZMMFpsTTBJMVpsVm1jSFF3ZDBoM1dVUldVakJxUWtKbmQwWnZRVlZqV1ZsM2NHaFNPRmx0THpVNU9XSXdRbEp3TDFndkwzSUtZalozZDBsM1dVUldVakJTUVZGSUwwSkNhM2RHTkVWV1pESnNjMkpIYkdoaVZVSTFZak5PZWxsWVNuQlpWelIxWW0xV01FMURkMGREYVhOSFFWRlJRZ3BuTnpoM1FWRkZSVWh0YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPWE5pTW1Sd1ltazVkbGxZVmpCaFJFRjFRbWR2Y2tKblJVVkJXVTh2Q2sxQlJVbENRMEZOU0cxb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01YzJJeVpIQmlhVGwyV1ZoV01HRkVRMEpwWjFsTFMzZFpRa0pCU0ZjS1pWRkpSVUZuVWpoQ1NHOUJaVUZDTWtGRGMzZDJUbmh2YVUxdWFUUmtaMjFMVmpVd1NEQm5OVTFhV1VNNGNIZDZlVEUxUkZGUU5ubHlTVm8yUVVGQlFncHFjVUpDVWpoSlFVRkJVVVJCUldOM1VsRkphRUZQWWpGYVFrUlpkVlJPVFdFeFVsWk1WM1pGVWpSTE5URXJkV2R1UjFsUVExcExRMWgzZUROb1lpdEVDa0ZwUWxoWU1VUkVialpZZGpsQ0wxSkROWE16V2sxUlptSmFObXBPTjBSR1dGRnhSR2t2Y2pOSFRFMVFNa1JCUzBKblozRm9hMnBQVUZGUlJFRjNUbkFLUVVSQ2JVRnFSVUYyV0d0R1NuWnZNblYxVUZvM1REVmhVbWw0Uld0NWMwRkdNalFyZGxKdFNWTjZZMFV5Y1ZSeVIySjZiWEZEVnpGQlJucGlia1p6VEFwb2JHeHZPRWxGU2tGcVJVRm5SWEk1YkdaS1drcERSRXhGTVd0V09VMHpMMjVtYzFCRUx6WmFUblJFWWxVd2RsSnFaWGxuYmxobmMxaEthM0ptT1RaVENtcGFRME5tU1d4NmVHTjZSZ290TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09In19fX0="
+            }
+        ]
+    },
+    "messageSignature": {
+        "messageDigest": {
+            "algorithm": "SHA2_256",
+            "digest": "QZHmtOKwJg5uKX1Hl9Koc1hJZa/vAhvyLyu3vsQRAtA="
+        },
+        "signature": "MEUCIQCUxZ5WVtHohPEHW6pgHTA0o0Z2XgmRIF8E/+0PTa9aeQIgOnTLdsibxWlZdVSmrBs4CwGbnEyhOGJsFt+46jzcAMU="
+    }
+}

test/unit/verify/test_verifier.py

@@ -68,8 +68,11 @@ def test_verifier_multiple_verifications(signing_materials, null_policy):
         assert verifier.verify(file.read_bytes(), bundle, null_policy)
 
 
-def test_verifier_bundle(signing_bundle, null_policy, mock_staging_tuf):
-    (file, bundle) = signing_bundle("bundle.txt")
+@pytest.mark.parametrize(
+    "filename", ("bundle.txt", "bundle_v3.txt", "bundle_v3_alt.txt")
+)
+def test_verifier_bundle(signing_bundle, null_policy, mock_staging_tuf, filename):
+    (file, bundle) = signing_bundle(filename)
 
     verifier = Verifier.staging()
     assert verifier.verify(file.read_bytes(), bundle, null_policy)