sigstore · bdehamer · May 31, 2023 · May 26, 2023 · May 29, 2023
@@ -99,7 +99,7 @@ describe('format', () => {
         // This hard-coded hash value helps us detect if we've unintentionally
         // changed the hashing algorithm.
         expect(entry.spec.content.hash?.value).toBe(
-          '91a5eb7452452720d704da5442acb9703252b3ab7be51ec155a244f5c9aa5ec8'
+          '37d47ab456ca63a84f6457be655dd49799542f2e1db5d05160b214fb0b9a7f55'
         );
       });
     });
@@ -129,7 +129,7 @@ describe('format', () => {
         // This hard-coded hash value helps us detect if we've unintentionally
         // changed the hashing algorithm.
         expect(entry.spec.content.hash?.value).toBe(
-          '295fd391f3b3f349cdaa686befaa765d90c0b411a0811e45f8bc481338a51622'
+          'f39ab279af9d9be421342ce4c8e5c422b5bc3dd20602703b1893283a934fbe72'
         );
       });
     });
@@ -163,7 +163,7 @@ describe('format', () => {
         // This hard-coded hash value helps us detect if we've unintentionally
         // changed the hashing algorithm.
         expect(entry.spec.content.hash?.value).toBe(
-          '91a5eb7452452720d704da5442acb9703252b3ab7be51ec155a244f5c9aa5ec8'
+          '37d47ab456ca63a84f6457be655dd49799542f2e1db5d05160b214fb0b9a7f55'
         );
       });
     });

@@ -78,7 +78,7 @@ function toProposedIntotoV002Entry(
   const payloadHash = crypto.hash(envelope.payload).toString('hex');
 
   // Calculate the value for the hash field in the Rekor entry
-  const envelopeHash = calculateDSSEHash(envelope);
+  const envelopeHash = calculateDSSEHash(envelope, signature);
 
   // Collect values for re-creating the DSSE envelope.
   // Double-encode payload and signature cause that's what Rekor expects
@@ -123,11 +123,19 @@ function toProposedIntotoV002Entry(
 //  * signature is base64 encoded (only the first signature is used)
 //  * keyid is included ONLY if it is NOT an empty string
 //  * The resulting JSON is canonicalized and hashed to a hex string
-function calculateDSSEHash(envelope: Envelope): string {
+function calculateDSSEHash(
+  envelope: Envelope,
+  signature: SignatureMaterial
+): string {
   const dsse: ProposedIntotoEntry['spec']['content']['envelope'] = {
     payloadType: envelope.payloadType,
     payload: envelope.payload.toString('base64'),
-    signatures: [{ sig: envelope.signatures[0].sig.toString('base64') }],
+    signatures: [
+      {
+        sig: envelope.signatures[0].sig.toString('base64'),
+        publicKey: toPublicKey(signature),
+      },
+    ],
   };
 
   // If the keyid is an empty string, Rekor seems to remove it altogether.

@@ -2,7 +2,7 @@
 set -ex
 
 # Check-out Rekor repo
-REF=4bb6f441c1b27ccc7e625c721c7d3203acc7b313
+REF=576458cb53269ed54dccf8a43271ee02a785c191
 REKOR_DIR=/tmp/rekor
 
 rm -rf ${REKOR_DIR}