Skip to content

fix: pkcs cert chain crash + b64 encode cert in bundle + missing tlog entry#615

Merged
mihaimaruseac merged 1 commit intosigstore:mainfrom
sampras343:fix/pkcs11-issues
Feb 19, 2026
Merged

fix: pkcs cert chain crash + b64 encode cert in bundle + missing tlog entry#615
mihaimaruseac merged 1 commit intosigstore:mainfrom
sampras343:fix/pkcs11-issues

Conversation

@sampras343
Copy link
Copy Markdown
Contributor

@sampras343 sampras343 commented Feb 18, 2026

Summary

This PR addresses bug fixes for the following issues:

Checklist
  • All commits are signed-off, using DCO
  • All new code has docstrings and type annotations
  • All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
  • Public facing changes are paired with documentation changes
  • Release note has been added to CHANGELOG.md if needed

@sampras343 sampras343 marked this pull request as ready for review February 18, 2026 18:51
@sampras343 sampras343 requested review from a team as code owners February 18, 2026 18:51
stefanberger
stefanberger reviewed Feb 19, 2026
View reviewed changes
Comment thread src/model_signing/_signing/sign_pkcs11.py
raw_bytes=base64.b64encode(
certificate.public_bytes(
encoding=serialization.Encoding.DER
)
Copy link
Copy Markdown
Contributor

@stefanberger stefanberger Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this. This was something I forgot to change when moving to 'sigstore models'.

stefanberger
stefanberger reviewed Feb 19, 2026
View reviewed changes
Comment thread src/model_signing/_signing/sign_pkcs11.py
certificates=chain
)
),
tlog_entries=[],
Copy link
Copy Markdown
Contributor

@stefanberger stefanberger Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same with this.

stefanberger
stefanberger reviewed Feb 19, 2026
View reviewed changes
Comment thread src/model_signing/_signing/sign_certificate.py
self._trust_chain = x509.load_pem_x509_certificates(
b"".join([path.read_bytes() for path in certificate_chain_paths])
chain_bytes = b"".join(
[path.read_bytes() for path in certificate_chain_paths]
Copy link
Copy Markdown
Contributor

@stefanberger stefanberger Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this fixes an issue when no certificate_chain_paths entries are provided? So certfificate_chain_paths is []?

Copy link
Copy Markdown
Member

@mihaimaruseac mihaimaruseac Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

>>> from cryptography import x509
>>> x509.load_pem_x509_certificates(b"")
Traceback (most recent call last):
  File "<python-input-2>", line 1, in <module>
    x509.load_pem_x509_certificates(b"")
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming
>>> x509.load_pem_x509_certificates(b"".join([]))
Traceback (most recent call last):
  File "<python-input-3>", line 1, in <module>
    x509.load_pem_x509_certificates(b"".join([]))
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming

Thank you for fixing

mihaimaruseac
mihaimaruseac approved these changes Feb 19, 2026
View reviewed changes
Comment thread src/model_signing/_signing/sign_certificate.py
self._trust_chain = x509.load_pem_x509_certificates(
b"".join([path.read_bytes() for path in certificate_chain_paths])
chain_bytes = b"".join(
[path.read_bytes() for path in certificate_chain_paths]
Copy link
Copy Markdown
Member

@mihaimaruseac mihaimaruseac Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

>>> from cryptography import x509
>>> x509.load_pem_x509_certificates(b"")
Traceback (most recent call last):
  File "<python-input-2>", line 1, in <module>
    x509.load_pem_x509_certificates(b"")
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming
>>> x509.load_pem_x509_certificates(b"".join([]))
Traceback (most recent call last):
  File "<python-input-3>", line 1, in <module>
    x509.load_pem_x509_certificates(b"".join([]))
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming

Thank you for fixing

@mihaimaruseac mihaimaruseac merged commit 9958fbc into sigstore:main Feb 19, 2026
52 checks passed
This was referenced Feb 19, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mihaimaruseac mihaimaruseac mihaimaruseac approved these changes

@stefanberger stefanberger stefanberger approved these changes

@SequeI SequeI SequeI approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sampras343 @mihaimaruseac @stefanberger @SequeI