From 9f283389682e05b5563192b626a07f80fe50a38e Mon Sep 17 00:00:00 2001
From: Luke Valenta <lvalenta@cloudflare.com>
Date: Mon, 20 Apr 2026 09:18:48 -0400
Subject: [PATCH] internal/witness: return 404 for unknown log, matching the
 spec

c2sp.org/tlog-witness says the witness MUST respond with "404 Not Found"
when the checkpoint origin is unknown. serveAddCheckpoint currently
collapses errUnknownLog and errInvalidSignature onto a single
StatusForbidden (403) case, which diverges from the spec and from
sigsum-go's sigsum-witness reference implementation [1], both of which
return 404 for an unknown origin and reserve 403 for "no trusted-key
signature verifies".

Split the switch so errUnknownLog returns 404 while errInvalidSignature
(and the new note.UnverifiedNoteError / note.InvalidSignatureError
mapping that feeds into it) continues to return 403.

[1] https://git.glasklar.is/sigsum/core/sigsum-go/-/blob/main/cmd/sigsum-witness/sigsum-witness.go#L154-L161
---
 internal/witness/witness.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/witness/witness.go b/internal/witness/witness.go
index 8419eaf..dfbe80f 100644
--- a/internal/witness/witness.go
+++ b/internal/witness/witness.go
@@ -301,7 +301,10 @@ func (w *Witness) serveAddCheckpoint(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 	switch err {
-	case errUnknownLog, errInvalidSignature:
+	case errUnknownLog:
+		http.Error(rw, err.Error(), http.StatusNotFound)
+		return
+	case errInvalidSignature:
 		http.Error(rw, err.Error(), http.StatusForbidden)
 		return
 	case errBadRequest: