fix(signing): validate whitespace-only sub claims

Add strings.TrimSpace() check to reject whitespace-only sub claims,
preventing confusing error messages later in the extraction process.

- Trim whitespace before checking if sub claim is empty
- Add test case for whitespace-only sub claim validation

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/signing/attestation.go

@@ -418,7 +418,7 @@ func extractBuilderIDFromOIDC(ctx context.Context, githubCtx *GitHubContext) (st
 
 	// Extract the sub claim (required for Fulcio certificate identity)
 	sub, ok := claims["sub"].(string)
-	if !ok || sub == "" {
+	if !ok || strings.TrimSpace(sub) == "" {
 		return "", fmt.Errorf("sub claim not found or empty in OIDC token")
 	}
 

pkg/leeway/signing/attestation_test.go

@@ -1417,6 +1417,28 @@ func TestExtractBuilderIDFromOIDC(t *testing.T) {
 			expectError: true,
 			errorMsg:    "sub claim not found",
 		},
+		{
+			name: "whitespace-only sub claim",
+			setupServer: func() *httptest.Server {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					header := base64EncodeForTest(`{"alg":"RS256","typ":"JWT"}`)
+					payload := base64EncodeForTest(`{"sub": "   ", "aud": "sigstore"}`)
+					signature := base64EncodeForTest("fake-signature")
+					token := fmt.Sprintf("%s.%s.%s", header, payload, signature)
+					
+					w.Header().Set("Content-Type", "application/json")
+					if err := json.NewEncoder(w).Encode(map[string]string{"value": token}); err != nil {
+						t.Errorf("Failed to encode response: %v", err)
+					}
+				}))
+			},
+			githubCtx: &GitHubContext{
+				ServerURL:  "https://github.com",
+				Repository: "org/repo",
+			},
+			expectError: true,
+			errorMsg:    "sub claim not found or empty",
+		},
 		{
 			name: "job_workflow_ref in top-level claim (not in sub)",
 			setupServer: func() *httptest.Server {