Skip to content

Return verification #1490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Return verification #1490

wants to merge 5 commits into from

Conversation

@indexzero
Copy link

@indexzero indexzero commented Sep 28, 2025

Howdy all 👋 looking forward to contributing to the project. Many thanks to @wlynch and @hectorj2f for helping me ramp up on the codebases 🫶

Summary

Fixes #1489

This PR updates the behavior of verify to be consistent with the sigstore-go implementation. This result is returned to but not consumed by cosign so the corresponding packages/cli functionality was not updated as part of this PR to maximize cohesion

Release Note

  • verify(bundle[, payload][, options]) now returns a Signer object containing the public key and identity information from the verification.

n.b. the above was not marked as BREAKING as it – imho – technically a bug since it is a patch to match the existing sigstore-go implementation. I defer to the maintainers on that of course, but wanted to share the thought process 🙏

Documentation

Updated README.md to indicate the new return

Additional Remarks

🤖 claude helped here, but all of the packages/* code itself was 100% old fashioned fingers on keyboard. I don't use jest often so it was helpful in adding the test coverage for this change. No offense will be taken if it is updated or removed.

@indexzero indexzero requested a review from a team as a code owner September 28, 2025 04:01
@changeset-bot
Copy link

changeset-bot bot commented Sep 28, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 2d7da9b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@hectorj2f
Copy link

hectorj2f commented Sep 29, 2025

LGTM

@hectorj2f
Copy link

hectorj2f commented Oct 16, 2025

friendly ping @bdehamer

bdehamer
bdehamer requested changes Oct 16, 2025
View reviewed changes
Copy link
Collaborator

@bdehamer bdehamer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@indexzero Thanks for contributing this change!

Everything looks great. My only request is that you also run npx changeset and commit the resulting changeset file (minor version bump to the sigstore package).

@indexzero
Copy link
Author

indexzero commented Nov 4, 2025

@bdehamer roger that! I had put this down for the few weeks around JSConf, but will button it up this week for a final review & merge 🫶

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bdehamer bdehamer bdehamer requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

verify behavior is not consistent with sigstore-go

3 participants

@indexzero @hectorj2f @bdehamer