From 28c2308458261f3961d25bde6bd7091062c41825 Mon Sep 17 00:00:00 2001
From: Phill MV
Date: Thu, 10 Oct 2024 11:22:22 -0400
Subject: [PATCH] While we're at it, let's ensure VerifyCertExtensions can't be tricked the same way.
---
 pkg/cmd/attestation/verification/extensions.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index 2ffb11a9d..94ba88208 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -16,12 +16,19 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 return errors.New("no attestations proccessing results")
 }
 
+ var atLeastOneVerified bool
 for _, attestation := range results {
 if err := verifyCertExtensions(attestation, tenant, owner, repo, issuer); err != nil {
 return err
 }
+ atLeastOneVerified = true
+ }
+
+ if atLeastOneVerified {
+ return nil
+ } else {
+ return ErrNoAttestationsVerified
 }
- return nil
 }
 
 func verifyCertExtensions(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
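Review bot: The new `atLeastOneVerified` flag can only stay false when the loop body never runs, and the guard just above the hunk (its condition is not visible here, presumably an empty-`results` check) already returns an error in that case, so `ErrNoAttestationsVerified` looks unreachable today and acts purely as defense in depth. State that intent in a comment such as `// Fail closed: every result must pass, and a loop that never ran must not count as success.`, because the flag's name reads like any-of semantics while the loop returns on the first failing attestation. The trailing `if … else` is more idiomatic as a guard clause: `if !atLeastOneVerified { return ErrNoAttestationsVerified }` followed by `return nil`. VerifyCertExtensions starts above the hunk, so check the full function to confirm a test can actually reach the new return value.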