Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid signature does not lead to failed verification #351

Open
miyunari opened this issue Jan 27, 2025 · 1 comment · May be fixed by #352
Open

Invalid signature does not lead to failed verification #351

miyunari opened this issue Jan 27, 2025 · 1 comment · May be fixed by #352
Labels
bug Something isn't working

Comments

@miyunari
Copy link
Contributor

Description

I am using the verify.py script to check if a model has been modified. The change gets detected, but it seems still all checks are passed.

Here is how I run the model validation cli:

Init Containers:
  model-validation:
    Image:         ghcr.io/miyunari/model-transparency-cli:latest
    Image ID:      ghcr.io/miyunari/model-transparency-cli@sha256:3ffaa0edb5f2c925b4b0ab1d029496b6631303e0ab898ebc58ff1e4c725ff6b5
    Command:
      verify
      --model_path=/data
      --sig_path=/data/model.sig
      sigstore
      --identity
      https://github.com/miyunari/model-validation-controller/.github/workflows/sign-model.yaml@refs/tags/v0.0.2
      --identity-provider
      https://token.actions.githubusercontent.com

And here are the logs of the initcontainer:

INFO:__main__:Creating verifier for sigstore
INFO:tuf.api._payload:No signature for keyid f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f
INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
INFO:tuf.api._payload:No signature for keyid ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c
INFO:__main__:Verifying model signature from /data/model.sig
ERROR:__main__:verification failed: the manifests do not match             <<---------------------------------
INFO:__main__:all checks passed

Version

1fa9614
@miyunari miyunari added the bug Something isn't working label Jan 27, 2025
This was referenced Jan 27, 2025
Closed
Open
@mihaimaruseac
Copy link
Collaborator

Oh, it seems at the selected version (1fa9614) there is no exit present. That got fixed in #348 . But we still need to be consistent w.r.t exit/sys.exit/os._exit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: ensure verify terminates on model validation failure miyunari/model-transparency
2 participants
@mihaimaruseac @miyunari