release: v0.11.6 (G11.0.5 / F25 corrective -- al-Furqan)#25
Merged
…entity literal vs regex)

Closes F25 LOW per Round 32 audit sections 2-3. Replaces regex .* with literal ci.yml in the gate11-rust-smoke-test job's identity-pattern construction; sigstore-python's Identity policy does literal set-membership matching against the certificate's SANs (per sigstore.verify.policy.Identity.verify), not regex matching. Adds two pinning tests pinning the substrate contract: Identity is literal-only at v1, and composition / per-OIDC-claim policies (AllOf, AnyOf, GitHubWorkflowRef/Name/Repository/SHA/Trigger, OIDCSourceRepositoryURI) are NOT wired in verification.py.

Empirical proof of F22 + F23 + F24 + F25 chain closure: failure mode shift across v0.11.0 -> v0.11.6 reads CASM-V-001 (F22) -> CASM-V-021 (F23) -> CASM-V-021 (F24) -> CASM-V-032 (F25) -> green.

Substrate change: 1 line in ci.yml (.* -> ci.yml; 2 chars deleted, 6 chars inserted) + 1 new test file with 2 tests. Test count 597 -> 599. Option B (substrate IdentityPattern) deferred per section 17 incremental-velocity. Option C (CASM-V-021 split) still deferred.

Local verification (sandbox):
- pytest -q -> 552 passed, 47 skipped (599 collected, +2 from v0.11.5: tests/test_gate11_step6_identity_literal_only.py)
- ruff check + ruff format --check + mypy clean
- release_sweep.py clean (README pins synchronized to v0.11.6)
- Em-dash check (extended scope) clean
- furqan-lint version -> furqan-lint 0.11.6
- YAML parses cleanly

Per v1.2 audit C-1 fix: pinning test 1 uses public-API only (no isinstance against non-runtime-checkable Protocol). Per v1.2 audit A-1 fix: pinning test 2's forbidden list includes 8 empirically-verified policy classes including GitHubWorkflowRepository.
Closes F25 LOW per Round 32 audit sections 2-3.
Replaces regex .* with literal ci.yml in the gate11-rust-smoke-test job's identity-pattern construction. sigstore-python's Identity policy does literal set-membership matching against the certificate's SANs (per sigstore.verify.policy.Identity.verify); regex patterns do not match because the literal .* substring is not in the actual SAN. The corrective makes the workflow's declared identity match the substrate's literal-only semantics.

Empirical proof of F22 + F23 + F24 + F25 chain closure completes after merge: failure-mode chain across v0.11.0 -> v0.11.6 reads CASM-V-001 -> CASM-V-021 -> CASM-V-021 -> CASM-V-032 -> green. Per the structural-honesty discipline, the CI surface (smoke-test green/red) now matches the substrate behavior (verifier dispatch correct + signing dependencies installed + TrustedRoot import resolves + identity policy matches actual SAN) for the first time in the project's Sigstore-CASM history.
Substrate change: 1 line in ci.yml (.* -> ci.yml; 2 chars deleted, 6 chars inserted) + 1 new test file with 2 tests pinning the substrate contract:
- test_step6_identity_policy_is_literal_only -- pins sigstore-python's Identity literal-membership contract via public API only (regex-method-name absence on Identity's public surface). Per v1.2 audit C-1 fix: no isinstance against VerificationPolicy (it is a non-runtime-checkable typing.Protocol; the call raises TypeError at runtime).
- test_step6_composition_policies_not_wired_in_v1 -- pins that composition / per-OIDC-claim policies (AllOf, AnyOf, GitHubWorkflowRef, GitHubWorkflowName, GitHubWorkflowRepository, GitHubWorkflowSHA, GitHubWorkflowTrigger, OIDCSourceRepositoryURI) are NOT wired in verification.py. Per v1.2 audit A-1 fix: GitHubWorkflowRepository included in the empirically-verified 8-entry inventory.

Test count 597 -> 599 (+2). Option B (substrate IdentityPattern policy) deferred as enhancement scope; Option C (CASM-V-021 split) still deferred.
Refer to CHANGELOG.md v0.11.6 entry for full closure ledger.
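An added example, not code from the PR or the al-Furqan project, that reproduces the F25 failure mode offline: a stand-in for the literal set-membership semantics the PR attributes to sigstore-python's Identity policy, evaluated against a constructed GitHub Actions SAN with the pre-corrective `.*` identity and the post-corrective `ci.yml` identity. The org/repo, SAN, `LiteralIdentityPolicy` class, `workflow_identity` helper and the `looks_like_regex` pre-merge lint are all assumptions introduced here, not anything in verification.py or in sigstore-python.

```python
from dataclasses import dataclass

# Constructed sample (not from the PR or the project): a Fulcio-style SAN for a
# GitHub Actions workflow run, plus the well-known GitHub Actions OIDC issuer URL.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
SAMPLE_SANS = [
    "https://github.com/example-org/example-repo/.github/workflows/ci.yml@refs/heads/main",
]
# Characters that only make sense as regex syntax inside a workflow identity URL.
# '.' is deliberately absent: it is a literal in 'ci.yml' and 'github.com'.
REGEX_ONLY_CHARS = set("*+?[](){}|\\^$")

@dataclass(frozen=True)
class LiteralIdentityPolicy:
    """Stand-in (an assumption, not sigstore-python's code) for the literal
    set-membership semantics the PR attributes to sigstore.verify.policy.Identity:
    the identity must appear verbatim in the SANs, the issuer must match exactly."""
    identity: str
    issuer: str

    def verify(self, sans: list[str], cert_issuer: str) -> bool:
        # No regex evaluation anywhere: plain equality and set membership.
        return cert_issuer == self.issuer and self.identity in set(sans)

def workflow_identity(repo: str, workflow_file: str, ref: str) -> str:
    """Hypothetical helper mirroring the ci.yml identity construction the PR describes."""
    return f"https://github.com/{repo}/.github/workflows/{workflow_file}@{ref}"

def looks_like_regex(identity: str) -> bool:
    """Pre-merge lint: an identity with regex-only characters can never satisfy a
    literal-membership policy, so flag it before the smoke test goes red."""
    return any(ch in REGEX_ONLY_CHARS for ch in identity)

def check_identity(workflow_file: str) -> dict:
    """Evaluate one candidate (pre-F25 '.*' vs post-F25 'ci.yml') against the
    constructed SAN under literal-membership semantics."""
    identity = workflow_identity("example-org/example-repo", workflow_file, "refs/heads/main")
    policy = LiteralIdentityPolicy(identity=identity, issuer=GITHUB_OIDC_ISSUER)
    return {
        "identity": identity,
        "regex_like": looks_like_regex(identity),
        "matches": policy.verify(SAMPLE_SANS, GITHUB_OIDC_ISSUER),
    }

if __name__ == "__main__":
    for candidate in (".*", "ci.yml"):  # v0.11.5 value vs v0.11.6 corrective
        print(candidate, "->", check_identity(candidate))
```

Running `looks_like_regex` over every identity a workflow declares is a cheap pre-merge check that would have surfaced F25 before the CASM-V-032 failure did.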