Specify sha256 in TSA request (#1373)

ramonpetgrave64 · web-flow · commit 572ccac5cf4b · 2025-05-09T18:56:27.000+03:00
* request timestamp with sha256

Signed-off-by: Ramon Petgrave &lt;ramon.petgrave64@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ All versions prior to 0.9.0 are untracked.
 
 ### Fixed
 
+* TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
+  [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
+
 * Fixed the certificate calidity period check for Timestamp Authorities (TSA).
   Certificates need not have and end date, while still requiring a start date.
   [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
diff --git a/sigstore/_internal/timestamp.py b/sigstore/_internal/timestamp.py
@@ -26,6 +26,7 @@
     TimeStampResponse,
     decode_timestamp_response,
 )
+from rfc3161_client.base import HashAlgorithm
 
 from sigstore._internal import USER_AGENT
 
@@ -93,7 +94,11 @@ def request_timestamp(self, signature: bytes) -> TimeStampResponse:
         # Build the timestamp request
         try:
             timestamp_request = (
-                TimestampRequestBuilder().data(signature).nonce(nonce=True).build()
+                TimestampRequestBuilder()
+                .hash_algorithm(HashAlgorithm.SHA256)
+                .data(signature)
+                .nonce(nonce=True)
+                .build()
             )
         except ValueError as error:
             msg = f"invalid request: {error}"
diff --git a/test/unit/internal/test_timestamping.py b/test/unit/internal/test_timestamping.py
@@ -15,6 +15,7 @@
 import requests
 
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
+from sigstore._utils import sha256_digest
 
 
 @pytest.mark.timestamp_authority
@@ -23,6 +24,13 @@ def test_sign_request(self, tsa_url: str):
         tsa = TimestampAuthorityClient(tsa_url)
         response = tsa.request_timestamp(b"hello")
         assert response
+        assert (
+            response.tst_info.message_imprint.message == sha256_digest(b"hello").digest
+        )
+        assert (
+            response.tst_info.message_imprint.hash_algorithm.dotted_string
+            == "2.16.840.1.101.3.4.2.1"
+        )  # SHA256 OID
 
     def test_sign_request_invalid_url(self):
         tsa = TimestampAuthorityClient("http://fake-url")
