sigstore: reject duplicate-log SCTs (SPEC §5.2)#101

Merged: sachaservan merged 1 commit into main from fix/sigstore-duplicate-sct-log on Jun 29, 2026
@lsd-cat (Collaborator) commented Jun 28, 2026

Add an explicit guard: a leaf certificate whose embedded SCT list contains two or more SCTs sharing the same CT log ID is rejected, so a single CT log cannot contribute more than one SCT toward the requirement.

sigstore-python already rejects this case incidentally via its exactly-one-SCT rule, but reject_duplicate_sct_logs makes the rejection principled and on the same per-log-id basis as tinfoil-rs/-js/-go. It runs ahead of verify_dsse; single-SCT (real Fulcio) bundles are unaffected.


Summary by cubic

Enforces SPEC §5.2 by rejecting bundles whose signing certificate includes multiple SCTs from the same CT log. Adds a pre-verification guard so a single log cannot count more than once; real Fulcio single-SCT bundles are unaffected.

  • New Features
    • Added reject_duplicate_sct_logs to detect duplicate SCT log IDs and raise VerificationError.
    • Runs before DSSE verification to fail fast and align with tinfoil-rs/tinfoil-js/tinfoil-go beyond sigstore-python’s generic exactly-one-SCT check.

Written for commit f5e8289. Summary will update on new commits.


Add an explicit anti-amplification guard: a leaf certificate whose embedded
SCT list contains two or more SCTs sharing the same CT log ID is rejected, so
a single (compromised or replayed) CT log cannot contribute more than one SCT
toward the requirement.

sigstore-python already rejects this case incidentally via its exactly-one-SCT
rule, but reject_duplicate_sct_logs makes the rejection principled and on the
same per-log-id basis as tinfoil-rs/-js/-go. It runs ahead of verify_dsse;
single-SCT (real Fulcio) bundles are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file

Comment thread src/tinfoil/sigstore.py
@sachaservan sachaservan merged commit 797c332 into main Jun 29, 2026
2 checks passed
@sachaservan sachaservan deleted the fix/sigstore-duplicate-sct-log branch June 29, 2026 15:39
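
The duplicate-log check described in this PR, as an added example that is not the code merged here: it parses a TLS-encoded SignedCertificateTimestampList (RFC 6962 §3.3) and rejects it when two SCTs carry the same log ID, even if their timestamps and signatures differ. The function names, the local `VerificationError` stand-in and the sample SCTs are assumptions constructed for illustration.

```python
import struct
from collections import Counter

class VerificationError(Exception):
    """Local stand-in for illustration; not the project's class."""

def parse_sct_log_ids(sct_list: bytes) -> list[bytes]:
    """Log IDs from a TLS-encoded SignedCertificateTimestampList (RFC 6962 s3.3)."""
    if len(sct_list) < 2 or struct.unpack_from(">H", sct_list)[0] != len(sct_list) - 2:
        raise VerificationError("bad SCT list length")
    log_ids, pos = [], 2
    while pos < len(sct_list):
        if pos + 2 > len(sct_list):
            raise VerificationError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", sct_list, pos)
        sct = sct_list[pos + 2 : pos + 2 + n]
        # v1 SCT is at least 47 bytes: 1+32+8+2 (ext_len) +1+1 (algs) +2 (sig_len)
        if len(sct) != n or n < 47 or sct[0] != 0:
            raise VerificationError("malformed or non-v1 SCT")
        log_ids.append(sct[1:33])  # bytes 1..32 are the log ID
        pos += 2 + n
    return log_ids

def reject_duplicate_log_ids(sct_list: bytes) -> list[bytes]:
    """Hypothetical guard: fail if any CT log ID appears more than once."""
    log_ids = parse_sct_log_ids(sct_list)
    dupes = [lid.hex() for lid, c in Counter(log_ids).items() if c > 1]
    if dupes:
        raise VerificationError("duplicate CT log id(s): " + ", ".join(dupes))
    return log_ids

# --- constructed sample data (not real log IDs or signatures) ---
def make_sct(log_id: bytes, timestamp_ms: int, sig: bytes = b"\x00" * 8) -> bytes:
    body = (b"\x00" + log_id + struct.pack(">QH", timestamp_ms, 0)
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

def make_list(*scts: bytes) -> bytes:
    blob = b"".join(scts)
    return struct.pack(">H", len(blob)) + blob

LOG_A, LOG_B = b"\xaa" * 32, b"\xbb" * 32
if __name__ == "__main__":
    try:  # same log, different timestamp and signature: still one log
        reject_duplicate_log_ids(make_list(make_sct(LOG_A, 1), make_sct(LOG_A, 2, b"\x01" * 8)))
    except VerificationError as e:
        print("rejected:", e)
```

Keying the check on the log ID rather than on the raw SCT bytes is what stops two distinct SCTs from one log from being counted twice.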