udpate the options

pkg/cmd/attestation/verify/options.go

@@ -84,6 +84,16 @@ func (opts *Options) AreFlagsValid() error {
 		return fmt.Errorf("limit %d not allowed, must be between 1 and 1000", opts.Limit)
 	}
 
+	// Check that the bundle-from-registry flag is only used with OCI artifact paths
+	if opts.UseBundleFromRegistry && !strings.HasPrefix(opts.ArtifactPath, "oci://") {
+		return fmt.Errorf("bundle-from-registry flag can only be used with OCI artifact paths")
+	}
+
+	// Check that both the bundle-from-registry and bundle-path flags are not used together
+	if opts.UseBundleFromRegistry && opts.BundlePath != "" {
+		return fmt.Errorf("bundle-from-registry flag cannot be used with bundle-path flag")
+	}
+
 	return nil
 }
 

pkg/cmd/attestation/verify/options_test.go

@@ -116,4 +116,47 @@ func TestSetPolicyFlags(t *testing.T) {
 		require.Equal(t, "sigstore", opts.Owner)
 		require.Equal(t, "^https://github/foo", opts.SANRegex)
 	})
+
+	t.Run("returns error when UseBundleFromRegistry is true and ArtifactPath is not an OCI path", func(t *testing.T) {
+		opts := Options{
+			ArtifactPath:          publicGoodArtifactPath,
+			DigestAlgorithm:       "sha512",
+			Owner:                 "sigstore",
+			UseBundleFromRegistry: true,
+			Limit:                 1,
+		}
+
+		err := opts.AreFlagsValid()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "bundle-from-registry flag can only be used with OCI artifact paths")
+	})
+
+	t.Run("does not return error when UseBundleFromRegistry is true and ArtifactPath is an OCI path", func(t *testing.T) {
+		opts := Options{
+			ArtifactPath:          "oci://sigstore/sigstore-js:2.1.0",
+			DigestAlgorithm:       "sha512",
+			OIDCIssuer:            "some issuer",
+			Owner:                 "sigstore",
+			UseBundleFromRegistry: true,
+			Limit:                 1,
+		}
+
+		err := opts.AreFlagsValid()
+		require.NoError(t, err)
+	})
+
+	t.Run("returns error when UseBundleFromRegistry is true and BundlePath is provided", func(t *testing.T) {
+		opts := Options{
+			ArtifactPath:          "oci://sigstore/sigstore-js:2.1.0",
+			BundlePath:            publicGoodBundlePath,
+			DigestAlgorithm:       "sha512",
+			Owner:                 "sigstore",
+			UseBundleFromRegistry: true,
+			Limit:                 1,
+		}
+
+		err := opts.AreFlagsValid()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "bundle-from-registry flag cannot be used with bundle-path flag")
+	})
 }

pkg/cmd/attestation/verify/verify.go

@@ -150,7 +150,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 	// general flags
 	verifyCmd.Flags().StringVarP(&opts.BundlePath, "bundle", "b", "", "Path to bundle on disk, either a single bundle in a JSON file or a JSON lines file with multiple bundles")
 	cmdutil.DisableAuthCheckFlag(verifyCmd.Flags().Lookup("bundle"))
-	verifyCmd.Flags().BoolVarP(&opts.UseBundleFromRegistry, "bundle-from-registry", "", false, "Use the bundle from the OCI registry")
+	verifyCmd.Flags().BoolVarP(&opts.UseBundleFromRegistry, "bundle-from-registry", "", false, "Use the bundle from the OCI registry when artifact is an OCI image")
 	cmdutil.StringEnumFlag(verifyCmd, &opts.DigestAlgorithm, "digest-alg", "d", "sha256", []string{"sha256", "sha512"}, "The algorithm used to compute a digest of the artifact")
 	verifyCmd.Flags().StringVarP(&opts.Owner, "owner", "o", "", "GitHub organization to scope attestation lookup by")
 	verifyCmd.Flags().StringVarP(&opts.Repo, "repo", "R", "", "Repository name in the format <owner>/<repo>")