Skip to content

fix: Attested signature verification gets options#45

Closed
Peeja wants to merge 1 commit into
mainfrom
petra/fix/attested-sig-verification-gets-options
Closed

fix: Attested signature verification gets options#45
Peeja wants to merge 1 commit into
mainfrom
petra/fix/attested-sig-verification-gets-options

Conversation

@Peeja

@Peeja Peeja commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

We need to pass the current resolvers and verifier factories down recursively into the attested signature verification. This broke in #37, which just missed plugging tab A into slot B.

We need to pass the current resolvers and verifier factories down
recursively into the attested signature verification.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a regression in attested signature verification by ensuring the same validator configuration (notably DID resolvers and verifier factories) used by top-level token validation is also applied when validating the nested proof-invocation inside an attested signature. This restores correct recursive verification behavior that broke in PR #37.

Changes:

  • Thread validator options into attestation.Verifier and pass them to validator.ValidateInvocation.
  • Update attestation.NewVerifierFactory to pass the active DID resolver and verifier-factory registry down into AttestedVerifier.
  • Add a regression test covering chained did:mailto attestation (root → service → alice).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
attestation/verifier.go Stores validator options on the attested verifier and uses them during invocation validation.
attestation/verificationmethod.go Passes resolver + verifier-factory options into AttestedVerifier to enable recursive verification.
attestation/signer_test.go Adds a test ensuring chained attestations validate with the same resolver/factory configuration as ValidateToken.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 38 to +45
v, err := newMultiVerifier(ctx, verifierFactories, doc.CapabilityInvocation.All())
if err != nil {
return nil, fmt.Errorf("failed to derive multi-verifier: %w", err)
}
return AttestedVerifier(ctx, authorityDid, v), nil
return AttestedVerifier(ctx, authorityDid, v,
validator.WithDIDResolver(resolver),
validator.WithVerifierFactories(verifierFactories),
), nil
Comment thread attestation/verifier.go
Comment on lines 54 to 60
if inv.Subject() != v.authorityID {
return false
}

if validator.ValidateInvocation(v.ctx, inv) != nil {
if validator.ValidateInvocation(v.ctx, inv, v.validationOptions...) != nil {
return false
}
@frrist

frrist commented Jun 29, 2026

Copy link
Copy Markdown
Member

@Peeja is this a complement or alternative to #43?

@Peeja Peeja closed this Jun 29, 2026
@Peeja

Peeja commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

@frrist Whoops, I thought I closed this already. This was an alternative, and then as I was writing out the comparison I realized that yours was just more correct.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants