Summary
The blocking Evidence Pointer Contract gate establishes signer identity from fields the pointer itself supplies, not from a cryptographic verification of the bundle's signature. A committed pointer can therefore claim an allowlisted signer (issuer/identity) and pass the blocking gate, even if the referenced bundle was not actually signed by that identity. The cryptographic OCI signature verification is a separate, currently warning-only check.
Evidence
pkg/evidence/verifier/discover.go checkPointerFile (~L156-186):
- reads
signer := ptr.Attestations[0].Signer — the signer block carried in the committed pointer,
- derives the source slug from those supplied
issuer/identity values (SourceSlug),
- checks path ownership + allowlist
Classify against the same supplied values.
Nothing in this blocking path pulls the bundle and verifies a Fulcio/Rekor signature actually binds that identity to the bundle digest. So the gate trusts a claimed identity.
Impact
A contributor (or a compromised/typo'd pointer) can commit a pointer that names an allowlisted community/partner signer it does not control and pass the blocking gate. Corroboration/consensus downstream may then count it. Severity depends on whether the warning-only OCI verification is later promoted to blocking.
Fix options
- Make the pointer-contract gate cryptographically verify the bundle signature (pull the referrer, verify Fulcio cert identity + Rekor inclusion) before trusting the signer block — i.e. promote the OCI verification from warning-only to blocking in the gate path.
- Or document clearly that the on-disk gate establishes a claimed (not cryptographically proven) signer, and that trust derives from the separate signature-verification step.
Related
Summary
The blocking Evidence Pointer Contract gate establishes signer identity from fields the pointer itself supplies, not from a cryptographic verification of the bundle's signature. A committed pointer can therefore claim an allowlisted signer (issuer/identity) and pass the blocking gate, even if the referenced bundle was not actually signed by that identity. The cryptographic OCI signature verification is a separate, currently warning-only check.
Evidence
pkg/evidence/verifier/discover.gocheckPointerFile(~L156-186):signer := ptr.Attestations[0].Signer— the signer block carried in the committed pointer,issuer/identityvalues (SourceSlug),Classifyagainst the same supplied values.Nothing in this blocking path pulls the bundle and verifies a Fulcio/Rekor signature actually binds that identity to the bundle digest. So the gate trusts a claimed identity.
Impact
A contributor (or a compromised/typo'd pointer) can commit a pointer that names an allowlisted community/partner signer it does not control and pass the blocking gate. Corroboration/consensus downstream may then count it. Severity depends on whether the warning-only OCI verification is later promoted to blocking.
Fix options
Related
demos/evidence.md) now describes the pointer's signer as claimed at gate time and links here.