fix for extracting JWT subject by bdehamer · Pull Request #1485 · sigstore/sigstore-js
Summary
Addresses an issue in the signing logic where the incorrect claim was extracted from the OIDC token when calculating the proof-of-possession for Fulcio.
With the new logic, we'll first check for a (verified) email claim and use that value if present. If no email claim is present, it will fall back to using the sub claim.
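The selection rule described above, written out as an added example (this is not the sigstore-js code from this PR). It assumes that "verified" means the token's `email_verified` claim is `true`, and it builds unsigned, constructed test tokens; a real flow verifies the token's signature before trusting any claim.

```typescript
// Added example (not the sigstore-js implementation): pick the identity that
// the Fulcio proof-of-possession is computed over. A verified "email" claim
// wins; otherwise the "sub" claim is used. Throws rather than returning an
// empty identity when neither is usable.

interface Claims {
  [key: string]: unknown;
}

// Decode one base64url-encoded JWT segment (header or payload) into JSON.
function decodeSegment(segment: string): Claims {
  const json = Buffer.from(segment, "base64url").toString("utf8");
  return JSON.parse(json) as Claims;
}

// Parse the payload of a compact-serialized JWT (header.payload.signature).
// No signature check happens here; the token must be verified before its
// claims are trusted for signing.
function extractPayload(jwt: string): Claims {
  const parts = jwt.split(".");
  if (parts.length !== 3) {
    throw new Error("malformed JWT: expected 3 dot-separated segments");
  }
  return decodeSegment(parts[1]);
}

// Subject selection as the PR describes:
//   1. a non-empty "email" claim, but only when "email_verified" is true
//      (assumption: this is what "verified" means here)
//   2. otherwise the "sub" claim
function extractSubject(jwt: string): string {
  const claims = extractPayload(jwt);
  const email = claims["email"];
  if (typeof email === "string" && email.length > 0 && claims["email_verified"] === true) {
    return email;
  }
  const sub = claims["sub"];
  if (typeof sub === "string" && sub.length > 0) {
    return sub;
  }
  throw new Error("OIDC token carries neither a verified email nor a sub claim");
}

// Build an unsigned token from constructed claims, for demonstration only.
function makeTestToken(payload: Claims): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
```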