1.0.1 FAIL: TestNewWitnessGroupFromPolicy_GroupN/group_numerical: witness_policy_test.go:114: NewWitnessGroupFromPolicy() failed: invalid witness config "witness w4 remora.n621....tw2 https://example.com/remora": unknown verifier algorithm

[jas4711]

Hi! Finally this package got accepted into Debian, to pave the way for cosign v3.x etc. I got a self-test failure that I'm going to skip for now, but wanted to report this:

=== RUN   TestNewWitnessGroupFromPolicy_GroupN
=== RUN   TestNewWitnessGroupFromPolicy_GroupN/group_numerical
    witness_policy_test.go:114: NewWitnessGroupFromPolicy() failed: invalid witness config "witness w4 remora.n621.de+da77ade7+BOvN63jn/bLvkieywe8R6UYAtVtNbZpXh34x7onlmtw2 https://example.com/remora": unknown verifier algorithm
=== RUN   TestNewWitnessGroupFromPolicy_GroupN/group_all
=== RUN   TestNewWitnessGroupFromPolicy_GroupN/group_any
--- FAIL: TestNewWitnessGroupFromPolicy_GroupN (0.00s)
    --- FAIL: TestNewWitnessGroupFromPolicy_GroupN/group_numerical (0.00s)
    --- PASS: TestNewWitnessGroupFromPolicy_GroupN/group_all (0.00s)
    --- PASS: TestNewWitnessGroupFromPolicy_GroupN/group_any (0.00s)
=== RUN   TestNewWitnessGroupFromPolicy_Errors

See build log: https://salsa.debian.org/jas/golang-github-transparency-dev-tessera/-/jobs/8998692

Note that Debian does not build using the dependency versions from go.mod but instead build using the packages which are in Debian. Thus there may be version mismatches for dependencies. I suspect this is what is causing the problem here. I have been reading code to try and guess which library it may be that is not using the right version, but I haven't been able to pinpoint it. Do you have any hints?

Btw, we use a simple patch to disable the failing self-test:

diff --git a/witness_policy_test.go b/witness_policy_test.go
index 3236428..0498faa 100644
--- a/witness_policy_test.go
+++ b/witness_policy_test.go
@@ -71,18 +71,6 @@ func TestNewWitnessGroupFromPolicy_GroupN(t *testing.T) {
                policy string
                wantN  int
        }{
-               {
-                       desc: "group numerical",
-                       policy: `
-witness w1 sigsum.org+e4ade967+AZuUY6B08pW3QVHu8uvsrxWPcAv9nykap2Nb4oxCee+r https://sigsum.org/witness/
-witness w2 example.com+3753d3de+AebBhMcghIUoavZpjuDofa4sW6fYHyVn7gvwDBfvkvuM https://example.com/witness/
-witness w3 example.com+3753d3de+AebBhMcghIUoavZpjuDofa4sW6fYHyVn7gvwDBfvkvuM https://example.com/witness/
-witness w4 remora.n621.de+da77ade7+BOvN63jn/bLvkieywe8R6UYAtVtNbZpXh34x7onlmtw2 https://example.com/remora
-group g1 2 w1 w2 w3 w4
-quorum g1
-`,
-                       wantN: 2,
-               },
                {
                        desc: "group all",
                        policy: `

Thanks,
Simon