js · @sigstore/core
Heads-up
@sigstore/core preAuthEncoding uses ascii encoding allowing payloadType mutation
What changed
The preAuthEncoding function builds the DSSE pre-authentication encoding (PAE) with Node.js 'ascii' encoding. When encoding a string to a Buffer, Node treats 'ascii' like 'latin1' and keeps only the low 8 bits of each UTF-16 code unit, and the accompanying LEN(type) field is taken from String.length, which counts code units rather than bytes. Two different payloadType strings whose characters share low bytes therefore produce byte-identical PAE output, so a signature computed over one payloadType also verifies over the mutated one: the payloadType can be changed after signing without invalidating the signature.
Who it affects
All users of @sigstore/core who rely on the DSSE type-binding guarantee, i.e. on the signature covering payloadType so that a signed payload cannot be re-labelled and interpreted under a different type.
What to do today
Update @sigstore/core to a patched version once available. If you carry your own copy of preAuthEncoding, replace 'ascii' with 'utf8' when encoding the prefix, and compute LEN(type) with Buffer.byteLength(payloadType, 'utf8') rather than String.length, since the DSSE PAE defines LEN as the byte length of the UTF-8 encoded string.