diff --git a/errors/errors.go b/errors/errors.go
index 49e0947f2..cfed1a0a8 100644
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -40,5 +40,6 @@ var (
 ErrorRekorPubKey = errors.New("error retrieving Rekor public keys")
 ErrorInvalidPackageName = errors.New("invalid package name")
 ErrorInvalidSubject = errors.New("invalid subject")
+ ErrorInvalidHash = errors.New("invalid hash")
 ErrorNotPresent = errors.New("not present")
 )
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index 47f40ed09..28a8dc383 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -181,10 +181,8 @@ func verifyDigest(prov slsaprovenance.Provenance, expectedHash string) error {
 // 8 bit represented in hex, so 8/2=4.
 bitLength := len(expectedHash) * 4
 expectedAlgo := fmt.Sprintf("sha%v", bitLength)
- // TODO(#630): Add subject digest minimum bit length check.
- // sha1 is 160 bit (FWIW).
- if bitLength == 160 {
- expectedAlgo = "sha1"
+ if bitLength < 256 {
+ return fmt.Errorf("%w: expected minimum 256-bit. Got %d", serrors.ErrorInvalidHash, bitLength)
 }
 
 for _, subject := range subjects {
diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
index bfe59cf02..de4b57b0d 100644
--- a/verifiers/internal/gha/provenance_test.go
+++ b/verifiers/internal/gha/provenance_test.go
@@ -99,6 +99,21 @@ func Test_VerifyDigest(t *testing.T) {
 artifactHash string
 expected error
 }{
+ {
+ name: "invalid short hash",
+ prov: &testProvenance{
+ subjects: []intoto.Subject{
+ {
+ Digest: common.DigestSet{
+ "sha1": "4506290e2e8feb1f34b27a044f7cc863c830ef6b",
+ },
+ },
+ },
+ },
+ // NOTE: the hash is one character short of sha256 hash.
+ artifactHash: "0ae7e4fa71686538440012ee36a2634dbaa19df2dd16a466f52411fb348bbc4",
+ expected: serrors.ErrorInvalidHash,
+ },
 {
 name: "invalid dsse: no sha256 subject digest",
 prov: &testProvenance{
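Review bot: The new `bitLength < 256` guard in verifyDigest bounds only the string length, derived from `len(expectedHash) * 4`; it never checks that expectedHash is hex, so a 64-character non-hex string still passes as "sha256", and any hex length other than 64/96/128 characters yields an algorithm name such as "sha260" that no subject can carry, so the caller sees a not-found style failure rather than ErrorInvalidHash. Decoding with hex.DecodeString validates the encoding and gives the byte length directly, and an explicit allow-list of 256/384/512 bits pins the accepted algorithms instead of an open-ended lower bound (shrink the case list to 256 alone if the verifier is meant to accept only sha256). The added message `expected minimum 256-bit. Got %d` also departs from the lowercase, unpunctuated style of the package's sentinel errors. The loop over subjects continues outside the hunk, and whether encoding/hex is already imported in provenance.go is not visible here.
```go
	// Decode first: this rejects non-hex input and yields the digest length in bytes.
	digest, err := hex.DecodeString(expectedHash)
	if err != nil {
		return fmt.Errorf("%w: %v", serrors.ErrorInvalidHash, err)
	}
	bitLength := len(digest) * 8
	switch bitLength {
	case 256, 384, 512:
	default:
		return fmt.Errorf("%w: expected sha256, sha384 or sha512, got %d bits", serrors.ErrorInvalidHash, bitLength)
	}
	expectedAlgo := fmt.Sprintf("sha%d", bitLength)
	// … unchanged: loop over subjects …
```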
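Review bot: The new "invalid short hash" case exercises only a 63-character string; it does not cover the path the commit actually closes, a 40-character sha1 digest that matched a sha1 subject and was accepted before this change. A second entry with the same sha1 subject, `artifactHash: "4506290e2e8feb1f34b27a044f7cc863c830ef6b",` and `expected: serrors.ErrorInvalidHash,` would pin that regression. The comment `// NOTE: the hash is one character short of sha256 hash.` could also state `(63 hex chars = 252 bits, below the 256-bit minimum)` so a reader sees why the case yields ErrorInvalidHash without re-counting. Test_VerifyDigest's table and its assertion loop continue outside the hunk, so how `expected` is compared (errors.Is versus equality) is not visible here.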