Merge pull request #1063 from sigstore/dsse-version-fix

aaronlew02 · web-flow · commit bc1980b0706a · 2025-09-05T12:50:19.000-04:00
fix: Reject unsupported DSSE version
diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java b/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
@@ -339,7 +339,7 @@ private void checkMessageSignature(
             "Could not encode leaf certificate for comparison", e);
       }
     } else {
-      throw new KeylessVerificationException("Unsupported hashedrekord version");
+      throw new KeylessVerificationException("Unsupported hashedrekord version: " + version);
     }
   }
 
@@ -505,6 +505,8 @@ private void checkDsseEnvelope(
         throw new KeylessVerificationException(
             "Could not encode leaf certificate for comparison", e);
       }
+    } else {
+      throw new KeylessVerificationException("Unsupported DSSE version: " + version);
     }
   }
 }
diff --git a/sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java b/sigstore-java/src/test/java/dev/sigstore/KeylessVerifierTest.java
@@ -573,7 +573,7 @@ public void testVerify_unsupportedRekorVersion_rekorV2() throws Exception {
                     Path.of(artifact),
                     Bundle.from(new StringReader(invalidBundleFile)),
                     VerificationOptions.empty()));
-    Assertions.assertEquals("Unsupported hashedrekord version", ex.getMessage());
+    Assertions.assertEquals("Unsupported hashedrekord version: 0.0.3", ex.getMessage());
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -339,7 +339,7 @@ private void checkMessageSignature(`
`339`	`339`	`"Could not encode leaf certificate for comparison", e);`
`340`	`340`	`}`
`341`	`341`	`} else {`
`342`		`- throw new KeylessVerificationException("Unsupported hashedrekord version");`
	`342`	`+ throw new KeylessVerificationException("Unsupported hashedrekord version: " + version);`
`343`	`343`	`}`
`344`	`344`	`}`
`345`	`345`
`@@ -505,6 +505,8 @@ private void checkDsseEnvelope(`
`505`	`505`	`throw new KeylessVerificationException(`
`506`	`506`	`"Could not encode leaf certificate for comparison", e);`
`507`	`507`	`}`
	`508`	`+ } else {`
	`509`	`+ throw new KeylessVerificationException("Unsupported DSSE version: " + version);`
`508`	`510`	`}`
`509`	`511`	`}`
`510`	`512`	`}`
Original file line number	Diff line number	Diff line change
`@@ -573,7 +573,7 @@ public void testVerify_unsupportedRekorVersion_rekorV2() throws Exception {`
`573`	`573`	`Path.of(artifact),`
`574`	`574`	`Bundle.from(new StringReader(invalidBundleFile)),`
`575`	`575`	`VerificationOptions.empty()));`
`576`		`- Assertions.assertEquals("Unsupported hashedrekord version", ex.getMessage());`
	`576`	`+ Assertions.assertEquals("Unsupported hashedrekord version: 0.0.3", ex.getMessage());`
`577`	`577`	`}`
`578`	`578`
`579`	`579`	`@Test`