Fix DSSE predicate check (GHSA-w6c6-c85g-mmv6) by Hayden-IO · Pull Request #4801 · sigstore/cosign (original) (raw)

AttestationToPayloadJSON parses the attestation and checks that the predicate type matches the expected type provided by the user. Previously, when this function was called for old-format bundles and detached signatures, any error returned was silently ignored, so malformed attestations would be accepted and cosign would report a successful verification. For new-format bundles, this check was never performed at all, so the attestaion would be accepted even if it did not match the type given by the user. This change ensures that errors are handled correctly and that the check is performed for both paths.

Signed-off-by: Colleen Murphy colleenmurphy@google.com

Signed-off-by: Hayden 8418760+Hayden-IO@users.noreply.github.com

cmurphy previously approved these changes Apr 6, 2026

cosign now enforces using the --type field to specify the predicate for verification with the new bundle format. The CLI uses "custom" by default, so it will always be set. In the e2e tests, it wasn't being set and the tests were using a made-up predicate name, so we add that parameter to make the tests conform.

Signed-off-by: Colleen Murphy colleenmurphy@google.com

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})