return the last verification error for now

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 12:38:37 -06:00 · 2024-10-31 12:38:37 -06:00 · 4bd46334ff
commit 4bd46334ff
parent 26e04932f2
2 changed files with 13 additions and 5 deletions
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@ -16,17 +16,20 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 		return errors.New("no attestations proccessing results")
 	}

+	var lastErr error
 	for _, attestation := range results {
-		if err := verifyCertExtension(attestation, tenant, owner, repo, issuer); err == nil {
+		err := verifyCertExtension(attestation, tenant, owner, repo, issuer)
+		if err == nil {
 			// if at least one attestation is verified, we're good as verification
 			// is defined as successful if at least one attestation is verified
 			return nil
 		}
+		lastErr = err
 	}

 	// if we have exited the for loop without returning early due to successful
 	// verification, we need to return an error
-	return ErrNoAttestationsVerified
+	return lastErr
 }

 func verifyCertExtension(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@ -199,22 +199,27 @@ func (v *LiveSigstoreVerifier) verify(attestation *api.Attestation, policy verif
 }

 func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) ([]*AttestationProcessingResult, error) {
-	results := make([]*AttestationProcessingResult, 0)
+	if len(attestations) == 0 {
+		return nil, ErrNoAttestationsVerified
+	}

+	results := make([]*AttestationProcessingResult, 0)
+	var lastError error
 	totalAttestations := len(attestations)
 	for i, a := range attestations {
 		v.config.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations)

 		apr, err := v.verify(a, policy)
 		if err != nil {
-			// move onto the next attestation if verification fails
+			lastError = err
+			// move onto the next attestation in the for loop if verification fails
 			continue
 		}
 		results = append(results, apr)
 	}

 	if len(results) == 0 {
-		return nil, ErrNoAttestationsVerified
+		return nil, lastError
 	}

 	return results, nil