Follow-up from the 2026-04-30 14-perspective audit (summary in audit/2026-04-30/findings.md, finding C-4 / CRITICAL). Three independent reviewers (cryptographer, red-team, supply-chain engineer) converged on this same gap.
Background
Issue #12 added the SPKI pinning infrastructure (src/lib/src/signature/keyless/cert_pinning.rs), but the pins are not enforced at the TLS layer. ureq does not expose a ServerCertVerifier hook, so today:
- Pins are computed and validated against the leaf cert post-handshake.
- Mismatches are logged, not rejected.
- Even WSC_REQUIRE_CERT_PINNING=1 only escalates the log level — the TLS handshake completes regardless.
- An attacker with a valid WebPKI cert for fulcio.sigstore.dev (e.g. compromised CA, mis-issued cert) bypasses the defence entirely.
This is a silent posture downgrade vs the protection the SPKI infrastructure suggests is in place.
Scope
Replace ureq with an HTTP client that exposes a custom rustls::ServerCertVerifier, so pin validation can fail the handshake itself.
Likely candidate: reqwest with rustls-tls feature (or direct hyper-rustls for finer control). Touches every Sigstore call site:
- src/lib/src/signature/keyless/signer.rs (Fulcio cert request)
- src/lib/src/signature/keyless/rekor.rs / rekor_verifier.rs (Rekor entry submit + lookup)
- src/lib/src/signature/keyless/oidc.rs (OIDC discovery, JWKS fetch)
- src/lib/src/signature/keyless/cert_pinning.rs (becomes the verifier impl rather than a post-hoc validator)
Acceptance
- ServerCertVerifier interface.
- WSC_REQUIRE_CERT_PINNING=1 becomes redundant (pinning is the only mode); deprecate the env var.
Related
- audit/2026-04-30/findings.md finding C-4
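
Added example, not code from this repository: a std-only Rust model of the two modes contrasted in Background and Scope, the log-only post-handshake check versus a verifier decision that fails the handshake. It uses no rustls types; PinSet, post_hoc_check, handshake_verify and the digest values are hypothetical.

```rust
// Added example (std only). All names are hypothetical; `spki` stands for the
// SHA-256 digest of the leaf certificate's SubjectPublicKeyInfo.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum HandshakeError { WebPkiInvalid, NoPinsForHost, PinMismatch }

/// Host name -> accepted SPKI digests (current pin plus any backup pins).
pub struct PinSet(HashMap<String, Vec<[u8; 32]>>);

impl PinSet {
    pub fn new() -> Self { PinSet(HashMap::new()) }
    pub fn add(&mut self, host: &str, digest: [u8; 32]) {
        self.0.entry(host.to_ascii_lowercase()).or_default().push(digest);
    }
    /// None = no pins configured for this host; Some(b) = whether `spki` is pinned.
    fn matches(&self, host: &str, spki: &[u8; 32]) -> Option<bool> {
        self.0.get(&host.to_ascii_lowercase()).map(|pins| pins.contains(spki))
    }
}

/// Current behaviour per the issue: runs after the handshake has completed.
/// Returns (connection_used, mismatch_logged_at_escalated_level).
pub fn post_hoc_check(pins: &PinSet, host: &str, spki: &[u8; 32], require: bool)
    -> (bool, Option<bool>) {
    let mismatch = pins.matches(host, spki) != Some(true);
    // `require` (WSC_REQUIRE_CERT_PINNING=1) only changes the log level.
    (true, if mismatch { Some(require) } else { None })
}

/// Target behaviour: the decision a handshake-time verifier would return.
/// Chain validation and the pin must both pass. Failing closed when a host has
/// no pins is an assumption drawn from "pinning is the only mode".
pub fn handshake_verify(pins: &PinSet, host: &str, webpki_ok: bool, spki: &[u8; 32])
    -> Result<(), HandshakeError> {
    if !webpki_ok { return Err(HandshakeError::WebPkiInvalid); }
    match pins.matches(host, spki) {
        None => Err(HandshakeError::NoPinsForHost),
        Some(false) => Err(HandshakeError::PinMismatch),
        Some(true) => Ok(()),
    }
}

fn main() {
    let mut pins = PinSet::new();
    pins.add("fulcio.sigstore.dev", [0x11; 32]); // constructed digest, not a real pin
    let other_key = [0x22; 32]; // constructed: WebPKI-valid cert, unpinned key
    println!("{:?}", post_hoc_check(&pins, "fulcio.sigstore.dev", &other_key, true));
    println!("{:?}", handshake_verify(&pins, "fulcio.sigstore.dev", true, &other_key));
}
```

In a real client the `handshake_verify` decision would sit inside the TLS library's certificate verifier, so an `Err` aborts the handshake before any request bytes are sent.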