Merge pull request #9742 from cli/phillmv/fail-verification-if-no-attestations

`LiveSigstoreVerifier.Verify` should error if no attestations are present
2024-10-21 13:01:37 -04:00 · 2024-10-21 13:01:37 -04:00 · 857854d1b3
commit 857854d1b3
parent d2a9d1c90b a8b3f050ac
3 changed files with 39 additions and 7 deletions
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@ -16,12 +16,19 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 		return errors.New("no attestations proccessing results")
 	}

+	var atLeastOneVerified bool
 	for _, attestation := range results {
 		if err := verifyCertExtensions(attestation, tenant, owner, repo, issuer); err != nil {
 			return err
 		}
+		atLeastOneVerified = true
+	}
+
+	if atLeastOneVerified {
+		return nil
+	} else {
+		return ErrNoAttestationsVerified
 	}
-	return nil
 }

 func verifyCertExtensions(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@ -4,6 +4,7 @@ import (
 	"bufio"
 	"bytes"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"os"

@ -48,6 +49,8 @@ type LiveSigstoreVerifier struct {
 	config SigstoreConfig
 }

+var ErrNoAttestationsVerified = errors.New("no attestations were verified")
+
 // NewLiveSigstoreVerifier creates a new LiveSigstoreVerifier struct
 // that is used to verify artifacts and attestations against the
 // Public Good, GitHub, or a custom trusted root.
@ -170,18 +173,20 @@ func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, err
 }

 func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
-	// initialize the processing results before attempting to verify
+	// initialize the processing apResults before attempting to verify
 	// with multiple verifiers
-	results := make([]*AttestationProcessingResult, len(attestations))
+	apResults := make([]*AttestationProcessingResult, len(attestations))
 	for i, att := range attestations {
 		apr := &AttestationProcessingResult{
 			Attestation: att,
 		}
-		results[i] = apr
+		apResults[i] = apr
 	}

+	var atLeastOneVerified bool
+
 	totalAttestations := len(attestations)
-	for i, apr := range results {
+	for i, apr := range apResults {
 		v.config.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations)

 		// determine which verifier should attempt verification against the bundle
@ -212,10 +217,15 @@ func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
 			"SUCCESS - attestation signature verified with \"%s\"\n", issuer,
 		))
 		apr.VerificationResult = result
+		atLeastOneVerified = true
 	}

-	return &SigstoreResults{
-		VerifyResults: results,
+	if atLeastOneVerified {
+		return &SigstoreResults{
+			VerifyResults: apResults,
+		}
+	} else {
+		return &SigstoreResults{Error: ErrNoAttestationsVerified}
 	}
 }

--- a/pkg/cmd/attestation/verification/sigstore_integration_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go
@ -85,6 +85,21 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 		require.Len(t, res.VerifyResults, 0)
 		require.ErrorContains(t, res.Error, "unsupported bundle version")
 	})
+
+	t.Run("with no attestations", func(t *testing.T) {
+		attestations := []*api.Attestation{}
+		require.Len(t, attestations, 0)
+
+		verifier := NewLiveSigstoreVerifier(SigstoreConfig{
+			Logger:      io.NewTestHandler(),
+			TrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"),
+		})
+
+		res := verifier.Verify(attestations, publicGoodPolicy(t))
+		require.Len(t, res.VerifyResults, 0)
+		require.NotNil(t, res.Error)
+	})
+
 }

 func publicGoodPolicy(t *testing.T) verify.PolicyBuilder {