From 1ffd22565d31252fd4bd2b813efa2e90763f7dde Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 3 Dec 2024 11:52:08 -0700
Subject: [PATCH] inverse logic for less nesting

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/sigstore.go | 55 ++++++++++----------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index e520e1b0c..e6c3b976b 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -104,38 +104,37 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE
 return nil, "", err
 }
- if len(lowestCert.Issuer.Organization) == 0 {
+ // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it
+ if len(lowestCert.Issuer.Organization) == 0 || lowestCert.Issuer.Organization[0] != issuer {
 continue
 }
- if lowestCert.Issuer.Organization[0] == issuer {
- // Determine what policy to use with this trusted root.
- //
- // Note that we are *only* inferring the policy with the
- // issuer. We *must* use the trusted root provided.
- if issuer == PublicGoodIssuerOrg {
- if v.NoPublicGood {
- return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance")
- }
- verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot)
- if err != nil {
- return nil, "", err
- }
- return verifier, issuer, nil
- } else if issuer == GitHubIssuerOrg {
- verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot)
- if err != nil {
- return nil, "", err
- }
- return verifier, issuer, nil
- } else {
- // Make best guess at reasonable policy
- customVerifier, err := newCustomVerifier(trustedRoot)
- if err != nil {
- return nil, "", fmt.Errorf("failed to create custom verifier: %v", err)
- }
- return customVerifier, issuer, nil
+ // Determine what policy to use with this trusted root.
+ //
+ // Note that we are *only* inferring the policy with the
+ // issuer. We *must* use the trusted root provided.
+ if issuer == PublicGoodIssuerOrg {
+ if v.NoPublicGood {
+ return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance")
 }
+ verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot)
+ if err != nil {
+ return nil, "", err
+ }
+ return verifier, issuer, nil
+ } else if issuer == GitHubIssuerOrg {
+ verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot)
+ if err != nil {
+ return nil, "", err
+ }
+ return verifier, issuer, nil
+ } else {
+ // Make best guess at reasonable policy
+ customVerifier, err := newCustomVerifier(trustedRoot)
+ if err != nil {
+ return nil, "", fmt.Errorf("failed to create custom verifier: %v", err)
+ }
+ return customVerifier, issuer, nil
 }
 }
 line, readError = reader.ReadBytes('\n')
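Review bot: The new skip comment appears to describe the wrong side of the comparison: the `len(lowestCert.Issuer.Organization) == 0` test is on the bundle certificate's issuer organization, not on the trusted root's, while `issuer` looks like the per-trusted-root value from the surrounding loop, so something like `// skip this trusted root when the bundle cert has no issuer org or it does not match the root's issuer` would be more accurate, if that reading of the loop is right. Since every branch of the `if issuer == PublicGoodIssuerOrg { … } else if issuer == GitHubIssuerOrg { … } else { … }` chain returns, the `else` nesting this commit set out to remove is still present; a `switch issuer` with `case PublicGoodIssuerOrg:`, `case GitHubIssuerOrg:` and `default:` holding the same bodies keeps each policy selection flat and left-aligned. In the default branch, `return nil, "", fmt.Errorf("failed to create custom verifier: %w", err)` would preserve the underlying error for `errors.Is`/`errors.As`, which the current `%v` discards. chooseVerifier starts before the hunk and the loop body continues after it.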