(fix): hang after browser OIDC authentication#1693

Merged
jku merged 7 commits into sigstore:main from sampras343:fix/auth-redirect
Feb 20, 2026

@sampras343
Contributor

@sampras343 sampras343 commented Feb 13, 2026

Summary

Fix HTTP keep-alive deadlock in the OIDC redirect server that caused the CLI to hang for ~60 seconds after successful browser authentication.
Add missing end_headers() calls, close_connection = True on all handler paths, and a 1-second socket timeout on the handler class.

Closes #1697

Why:

After a user completes browser-based OIDC authentication (e.g. sigstore sign), the CLI would hang for approximately 60 seconds before continuing, even though the browser immediately showed "sigstore authentication successful!"

Release Note

Added the below:

Fixed ~60s hang after completing browser-based OIDC authentication. 
The OIDC redirect server had incomplete HTTP responses and no connection 
management, causing a keep-alive deadlock with the browser.

Documentation

None
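
The failure mode described in this PR, reduced to a stand-alone model (an added example, not sigstore's own code): a single-threaded `http.server` cannot finish `shutdown()` while a client keeps a socket open, unless the handler closes the connection or times out. The handler names, the HTTP/1.1 setting and the 3-second client hold are assumptions made for the demonstration.

```python
import http.server
import socket
import threading
import time


class KeepAliveHandler(http.server.BaseHTTPRequestHandler):
    """'Before' model: keep-alive honoured, no read timeout."""

    protocol_version = "HTTP/1.1"  # assumption: keep-alive is in effect
    close_after_response = False

    def do_GET(self):
        body = b"authentication successful"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()  # terminate the header block before the body
        self.wfile.write(body)
        if self.close_after_response:
            self.close_connection = True  # do not wait for a second request

    def log_message(self, format, *args):
        pass  # keep the demonstration quiet


class HardenedHandler(KeepAliveHandler):
    """'After' model: close after each response, 1-second socket timeout."""

    timeout = 1  # applied to the connection socket by StreamRequestHandler
    close_after_response = True


def shutdown_latency(handler_cls, send_request, client_hold=3.0):
    """Return how long server.shutdown() blocks while a client socket is open."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()

    # Constructed client standing in for the browser: it keeps its socket
    # open for client_hold seconds regardless of what the server does.
    client = socket.create_connection(server.server_address)
    closer = threading.Timer(client_hold, client.close)
    closer.daemon = True
    closer.start()
    if send_request:
        client.sendall(b"GET /auth/callback HTTP/1.1\r\nHost: localhost\r\n"
                       b"Connection: keep-alive\r\n\r\n")
        client.recv(4096)  # response arrived; the socket stays open
    else:
        time.sleep(0.2)  # idle connection with no request at all

    start = time.monotonic()
    server.shutdown()  # returns only after serve_forever() leaves its loop
    thread.join()
    elapsed = time.monotonic() - start
    server.server_close()
    return elapsed


if __name__ == "__main__":
    for cls in (KeepAliveHandler, HardenedHandler):
        for send in (True, False):
            secs = shutdown_latency(cls, send)
            print(f"{cls.__name__:17} request_sent={send!s:5} shutdown took {secs:.2f}s")
```
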

Signed-off-by: Sachin Sampras M <sampras343@gmail.com>
@woodruffw
Member

@sampras343 is there a corresponding issue for this?

@sampras343
Contributor Author

> @sampras343 is there a corresponding issue for this?

@woodruffw I couldn't find any corresponding issue for this behavior. But it persists on sigstore v4.2.0

@sampras343
Contributor Author

sampras343 commented Feb 13, 2026

I added some timestamp and delta logs at this stage just to debug:

python -m sigstore sign /tmp/test-sigstore.txt --overwrite
[TIMING] [main-thread] entering _OAuthFlow context (server starting)  (delta: +0.000s, total: 0.000s)
[TIMING] [server-thread] do_GET entered for /  (delta: +0.000s, total: 0.000s)
[TIMING] [server-thread] auth request path: sending 302 redirect  (delta: +0.000s, total: 0.000s)
[TIMING] [server-thread] auth request path: 302 sent (NO close_connection)  (delta: +0.000s, total: 0.001s)
[TIMING] [server-thread] do_GET returning for /  (delta: +0.000s, total: 0.001s)
Waiting for browser interaction...
[TIMING] [main-thread] polling for auth_response  (delta: +0.212s, total: 0.212s)
[TIMING] [server-thread] do_GET entered for /auth/callback?code=rbtkzs4n2zc37cxt6auwuj24v&state=8c8c3422-9449-46f7-94d1-d461f6776037  (delta: +4.891s, total: 4.892s)
[TIMING] [server-thread] callback path: sending 200 + HTML  (delta: +0.000s, total: 4.892s)
[TIMING] [server-thread] callback path: auth_response set (NO close_connection)  (delta: +0.001s, total: 4.892s)
[TIMING] [server-thread] do_GET returning for /auth/callback?code=rbtkzs4n2zc37cxt6auwuj24v&state=8c8c3422-9449-46f7-94d1-d461f6776037  (delta: +0.000s, total: 4.892s)
[TIMING] [main-thread] auth_response received, exiting poll loop  (delta: +4.906s, total: 5.117s)
[TIMING] [main-thread] exited _OAuthFlow context (server.shutdown + thread.join completed)  (delta: +57.853s, total: 62.970s)
Using ephemeral certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[19:34:31] INFO     Transparency log entry created at index: xxx                  _cli.py:729
Sigstore bundle written to /tmp/test-sigstore.txt.sigstore.json

The delta between auth_response received and exited _OAuthFlow context is about +57.853s without the fix.

@sampras343
Contributor Author

Applied the fix and with the same logs, below are the results:

python -m sigstore sign /tmp/test-sigstore.txt --overwrite
[TIMING] [main-thread] entering _OAuthFlow context (server starting)  (delta: +0.000s, total: 0.000s)
Waiting for browser interaction...
[TIMING] [main-thread] polling for auth_response  (delta: +0.213s, total: 0.213s)
[TIMING] [server-thread] do_GET entered for /  (delta: +0.000s, total: 0.000s)
[TIMING] [server-thread] auth request path: sending 302 redirect  (delta: +0.000s, total: 0.000s)
[TIMING] [server-thread] auth request path: 302 sent + close_connection  (delta: +0.001s, total: 0.001s)
[TIMING] [server-thread] do_GET returning for /  (delta: +0.000s, total: 0.001s)
[TIMING] [server-thread] do_GET entered for /auth/callback?code=mlfgmfueufax75adqvrto6a6c&state=75df7305-70a2-43a4-99ea-df42d169c9ec  (delta: +4.537s, total: 4.538s)
[TIMING] [server-thread] callback path: sending 200 + HTML  (delta: +0.000s, total: 4.539s)
[TIMING] [server-thread] callback path: auth_response set + close_connection  (delta: +0.001s, total: 4.539s)
[TIMING] [server-thread] do_GET returning for /auth/callback?code=mlfgmfueufax75adqvrto6a6c&state=75df7305-70a2-43a4-99ea-df42d169c9ec  (delta: +0.000s, total: 4.539s)
[TIMING] [main-thread] auth_response received, exiting poll loop  (delta: +4.605s, total: 4.818s)
[TIMING] [main-thread] exited _OAuthFlow context (server.shutdown + thread.join completed)  (delta: +0.441s, total: 5.259s)
Using ephemeral certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

[19:38:43] INFO     Transparency log entry created at index: xxx                  _cli.py:729
Sigstore bundle written to /tmp/test-sigstore.txt.sigstore.json

The delta between auth_response received and exited _OAuthFlow context is about +0.441s with the fix.

@sampras343 sampras343 marked this pull request as ready for review February 13, 2026 19:45
@woodruffw
Member

> @woodruffw I couldn't find any corresponding issue for this behavior. But it persists on sigstore v4.2.0

Okay. In the future please file an issue before opening a PR, it makes triaging these things easier.

Could you share a reproducer example that hangs for you? I just tried this and couldn't reproduce a hang:

touch empty
uvx sigstore sign empty

Yielded:

Waiting for browser interaction...
Using ephemeral certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

[17:53:34] INFO     Transparency log entry created at index: 951949484                  _cli.py:729
Sigstore bundle written to empty.sigstore.json

(That's with v4.2.0, on Python 3.14.3)

@sampras343
Contributor Author

sampras343 commented Feb 14, 2026

I tried with the exact example as yours, additionally logging the timestamps of each stdout

touch emptydata
uvx sigstore sign emptydata 2>&1 | awk '{ print strftime("%H:%M:%S"), $0; fflush() }'

Results:

+ 23:56:48 Waiting for browser interaction...
+ 23:59:28 [23:59:28] INFO     Transparency log entry created at index: xxx                                                                                                                                                                                                                         _cli.py:729
23:59:28 Using ephemeral certificate:
23:59:28 -----BEGIN CERTIFICATE-----
23:59:28 -----END CERTIFICATE-----
23:59:28 
23:59:28 Sigstore bundle written to emptydata.sigstore.json

Assuming that the browser interaction took 5-10 seconds, the delta still remains at 2m40s

Another signing with the same emptydata:

uvx sigstore sign emptydata --overwrite 2>&1 | awk '{ print strftime("%H:%M:%S"), $0; fflush() }'

Output:

+ 00:06:08 Waiting for browser interaction...
+ 00:07:28 [00:07:28] INFO     Transparency log entry created at index: xxx                                                                                                                                                                                                                         _cli.py:729
00:07:28 Using ephemeral certificate:
00:07:28 -----BEGIN CERTIFICATE-----
00:07:28 -----END CERTIFICATE-----
00:07:28 
00:07:28 Sigstore bundle written to emptydata.sigstore.json

Assuming that the browser interaction took 5-10 seconds, the delta still remains at 1m20s

python --version --> Python 3.14.2

Output of pip list | grep sigstore -> sigstore 4.2.0

@sampras343
Contributor Author

Also, I'd imagine it's still better to create an issue and link it to the PR. Thoughts?

@woodruffw
Member

Okay, thanks for trying the reproducer. Could you share more about your host OS, and try running with debug logs?

> Also, I'd imagine it's still better to create an issue and link it to the PR. Thoughts?

Yeah that's totally fine, it's more just the lack of an issue entirely. Without one and without a reproducer there's basically no way to evaluate the proposed change.

@sampras343
Contributor Author

sampras343 commented Feb 14, 2026

> Could you share more about your host OS, and try running with debug logs?

OS Info:
NAME="Fedora Linux"
VERSION="43 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=43
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 43 (Workstation Edition)"

Attaching logs after running in debug mode:

Command run:

touch emptydata
SIGSTORE_LOGLEVEL=DEBUG uvx sigstore sign emptydata --overwrite 2>&1 | awk '{ print strftime("%H:%M:%S"), $0; fflush() }'

Logs:

04:16:42 [04:16:42] DEBUG    parsed arguments Namespace(verbose=0, staging=False, instance=None, trust_config=None, subcommand='sign', identity_token=None, oidc_client_id='sigstore', oidc_client_secret=None, oidc_disable_ambient_providers=False, oidc_issuer=None,                  _cli.py:639
04:16:42                     oauth_force_oob=False, no_default_files=False, signature=None, certificate=None, bundle=None, output_directory=None, overwrite=True, files=[PosixPath('emptydata')])                                                                                                   
04:16:42            DEBUG    TUF metadata: /home/sacm/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev                                                                                                                                                             tuf.py:98
04:16:42            DEBUG    TUF targets cache: /home/sacm/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev                                                                                                                                                              tuf.py:99
04:16:42            DEBUG    Found and verified trusted root                                                                                                                                                                                                                              tuf.py:151
04:16:42            DEBUG    Found and verified signing config                                                                                                                                                                                                                            tuf.py:174
04:16:42            DEBUG    Fulcio client using URL: https://fulcio.sigstore.dev                                                                                                                                                                                                      client.py:166
+ 04:16:43 Waiting for browser interaction...
04:16:43 [04:16:43] DEBUG    GET: / with {'Host': 'localhost:42779', 'Connection': 'keep-alive', 'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'Upgrade-Insecure-Requests': '1',          oauth.py:137
04:16:43                     'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36', 'Accept':                                                                                                                                       
04:16:43                     'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document',               
04:16:43                     'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept-Language': 'en-US,en;q=0.9'}                                                                                                                                                                                     
04:16:49 [04:16:49] DEBUG    GET: /auth/callback?code=a6u47e3xo74hyiyqbgvvyxetf&state=faae093c-3c1d-4f3c-a4ff-5287f3aa9e7e with {'Host': 'localhost:42779', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)                oauth.py:137
04:16:49                     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'Sec-Fetch-Site':                         
04:16:49                     'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'Referer':               
+ 04:16:49                     'https://accounts.google.com/', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept-Language': 'en-US,en;q=0.9'}                                                                                                                                                     
+ 04:18:25 [04:18:25] DEBUG    Generating ephemeral keys...                                                                                                                                                                                                                                sign.py:106
04:18:25            DEBUG    Requesting ephemeral certificate...                                                                                                                                                                                                                         sign.py:108
04:18:25            DEBUG    Retrieving signed certificate...                                                                                                                                                                                                                            sign.py:142
04:18:26 [04:18:26] DEBUG    Found <Name(O=sigstore.dev,CN=sigstore-intermediate)> as issuer, verifying if it is a ca                                                                                                                                                                     sct.py:171
04:18:26            DEBUG    attempting to verify SCT with key ID dd3d306ac6c7113263191e1c99673702a24a5eb8de3cadff878a72802f29ee8e                                                                                                                                                        sct.py:226
04:18:26            DEBUG    Successfully verified SCT...                                                                                                                                                                                                                                sign.py:173
04:18:26            DEBUG    signing for emptydata                                                                                                                                                                                                                                       _cli.py:705
04:18:26            DEBUG    proposed: {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec":
.
. SKIPPING BODY
.
04:18:26 -----END CERTIFICATE-----
04:18:26 
04:18:26 Sigstore bundle written to emptydata.sigstore.json

Approx delta: 1m 37s

Command run (fix included):

SIGSTORE_LOGLEVEL=DEBUG python -m sigstore sign emptydata --overwrite 2>&1 | awk '{ print strftime("%H:%M:%S"), $0; fflush() }'
04:29:57 [04:29:57] DEBUG    parsed arguments Namespace(verbose=0, staging=False, instance=None, trust_config=None, subcommand='sign', identity_token=None, oidc_client_id='sigstore', oidc_client_secret=None, oidc_disable_ambient_providers=False, oidc_issuer=None,                  _cli.py:639
04:29:57                     oauth_force_oob=False, no_default_files=False, signature=None, certificate=None, bundle=None, output_directory=None, overwrite=True, files=[PosixPath('emptydata')])                                                                                                   
04:29:57            DEBUG    TUF metadata: /home/sacm/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev                                                                                                                                                             tuf.py:98
04:29:57            DEBUG    TUF targets cache: /home/sacm/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev                                                                                                                                                              tuf.py:99
04:29:57            DEBUG    Found and verified trusted root                                                                                                                                                                                                                              tuf.py:151
04:29:57            DEBUG    Found and verified signing config                                                                                                                                                                                                                            tuf.py:174
04:29:57            DEBUG    Fulcio client using URL: https://fulcio.sigstore.dev                                                                                                                                                                                                      client.py:166
04:29:58 [04:29:58] DEBUG    GET: / with {'Host': 'localhost:37967', 'Connection': 'keep-alive', 'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'Upgrade-Insecure-Requests': '1',          oauth.py:140
04:29:58                     'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36', 'Accept':                                                                                                                                       
04:29:58                     'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document',               
04:29:58                     'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept-Language': 'en-US,en;q=0.9'}                                                                                                                                                                                     
+ 04:29:58 Waiting for browser interaction...
04:30:02 [04:30:02] DEBUG    GET: /auth/callback?code=u5nv5zerraajgcabuctdsr7ui&state=1a7b808c-6aaa-4a42-84b1-3a852c82be78 with {'Host': 'localhost:37967', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)                oauth.py:140
04:30:02                     AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'Sec-Fetch-Site':                         
04:30:02                     'cross-site', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'sec-ch-ua': '"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'Referer':               
+ 04:30:02                     'https://accounts.google.com/', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept-Language': 'en-US,en;q=0.9'}                                                                                                                                                     
+ 04:30:03 [04:30:03] DEBUG    Generating ephemeral keys...                                                                                                                                                                                                                                sign.py:106
04:30:03            DEBUG    Requesting ephemeral certificate...                                                                                                                                                                                                                         sign.py:108
04:30:03            DEBUG    Retrieving signed certificate...                                                                                                                                                                                                                            sign.py:142
04:30:03            DEBUG    Found <Name(O=sigstore.dev,CN=sigstore-intermediate)> as issuer, verifying if it is a ca                                                                                                                                                                     sct.py:171
04:30:03            DEBUG    attempting to verify SCT with key ID dd3d306ac6c7113263191e1c99673702a24a5eb8de3cadff878a72802f29ee8e                                                                                                                                                        sct.py:226
04:30:03            DEBUG    Successfully verified SCT...                                                                                                                                                                                                                                sign.py:173
04:30:03            DEBUG    signing for emptydata                                                                                                                                                                                                                                       _cli.py:705
04:30:03            DEBUG    proposed: {"apiVersion": "0.0.1",
.
. SKIPPING BODY
.
04:30:04 -----END CERTIFICATE-----
04:30:04 
04:30:04 Sigstore bundle written to emptydata.sigstore.json

Approx delta: 1-2s

@jku
Member

jku commented Feb 16, 2026

For reference, I've never seen this issue either. I wonder what the missing piece is for reproduction?

Anyway, the PR seems correct to me.

@jku
Member

jku commented Feb 16, 2026

/gcbrun

@woodruffw
Member

> For reference, I've never seen this issue either. I wonder what the missing piece is for reproduction?

Yeah, I tried some more and couldn't reproduce it. @sampras343 is there any chance you're behind a corporate MITM or other traffic-modifying proxy?

(But yeah, I agree the patch looks correct regardless, I'm okay with us merging it if we can't figure out the root cause here.)

@sampras343
Contributor Author

> Yeah, I tried some more and couldn't reproduce it. @sampras343 is there any chance you're behind a corporate MITM or other traffic-modifying proxy?

Yes I am, but it's the same behavior with or without VPN.

@jku jku enabled auto-merge (squash) February 20, 2026 13:28
@jku jku merged commit 7af294e into sigstore:main Feb 20, 2026
41 of 42 checks passed
Development

Successfully merging this pull request may close these issues.

Unusual hang after browser OIDC authentication