Riccardo Schirone

Results 270 comments of Riccardo Schirone

I'm experimenting with allowing passing a list of valid signing algorithms from a `Policy`. So each key type can be validated with multiple signing algorithms, if necessary. The correct verifier...

Even with 2.26.3 I'm still receiving a very similar error with the react-based prompt.
```
Traceback (most recent call last):
  File "/.venv/lib/python3.10/site-packages/langfuse/callback/langchain.py", line 522, in on_tool_end
    raise Exception("run not found")...
```

@marcklingen sorry for the delay. Here's a reproducer:
```python
import os
import langfuse.callback
from langchain.agents import AgentExecutor, create_react_agent
from langchain.prompts import PromptTemplate
from langchain_core.runnables import RunnableConfig, RunnablePassthrough
from langchain.tools import...
```

Some notes. ECDSA is assumed in the following places:
- [cosign.GeneratePrivateKey](https://github.com/sigstore/cosign/blob/main/pkg/cosign/keys.go#L73-L75), used from `GenerateKeyPair` (called when doing `cosign generate-key-pair`) and from `signerFromNewKey` (called when doing `cosign sign-blob` and generating an ephemeral...

@caretak3r yes, see https://github.com/sigstore/cosign/pull/4050 and https://github.com/sigstore/cosign/pull/3497 .

@jvoisin would windbg/gdb/lldb be flexible enough to allow rz-pipe through them? (I know nothing about those protocols, sorry).

> What do you think about adding an optional PublicKeyIdentifier to the bundle as part of VerificationMaterial? I thought we did not want to add this kind of information to...

> There is one problem though, how do we differentiate between P384/SHA384 and P384/SHA256? And that's where I think a flag --allow-deprecated can be provided, to let the verifier perform...

> Yeah exactly. I'm thinking that for older versions they can silently fall back (if this is our desired mode to not break existing clients). But from the newer versions of...

> To clarify what we mean by "fallback", are we saying that current clients verifying v3 bundles should attempt to verify ECDSA signatures for P384 with both SHA256 and SHA384,...