Summary

Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject.

Details

In lib/sigstore/verifier.rb, the verify method calls verify_in_toto (line 176) without capturing or checking its return value:

verify_in_toto(input, in_toto)

When verify_in_toto detects a digest mismatch, it returns a VerificationFailure object. Because the caller discards this return value, execution unconditionally falls through to return VerificationSuccess. This is the only verification sub-check in the method (out of 12) whose failure is not propagated.

The message_signature code path is not affected.

Impact

An attacker who possesses a valid signed DSSE bundle containing an in-toto attestation for artifact A can present it as a valid attestation for a different artifact B. All other verification checks (DSSE envelope signature, certificate chain, Rekor inclusion, SCTs, policy) pass because they are independent of the artifact content. Only the in-toto subject digest check detects the mismatch, and its result is discarded.

This allows an attacker to bypass artifact-to-attestation binding for any consumer that relies on Sigstore::Verifier#verify to validate DSSE/in-toto bundles.

Workarounds

None. Consumers cannot work around this without patching the library.