diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index 6d093a5d7..1915152dc 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 // TODO: handle proxima prefix
 expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
 sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
- if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+ if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
 return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 }
 
@@ -19,7 +19,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 // TODO: handle proxima prefix
 expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
- if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+ if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
 return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
 }
 }
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
index a8579b578..dcbfb1ba2 100644
--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
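Review bot: With the `!= ""` short-circuit removed, a certificate that carries no SourceRepositoryOwnerURI extension now fails verification, which is the right fail-closed default, but the `%s` formatting on the next line leaves that case reading as `got ` followed by nothing; `%q` would make the empty value visible and quote any odd characters coming out of the certificate: `return fmt.Errorf("expected SourceRepositoryOwnerURI to be %q, got %q", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)`. The same applies to the SourceRepositoryURI check in the second hunk, and the ErrorContains assertions added in verify_test.go would then need the quotes as well. A short comment above the condition, `// An absent extension is a verification failure, not a pass: the certificate must assert the owner.`, would stop the empty-string guard from being reintroduced by a later "fix". VerifyCertExtensions begins and ends outside these hunks, so the loop that binds `attestation` is not visible here.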
@@ -31,7 +31,9 @@ func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
 Signature: &verify.SignatureVerificationResult{
 Certificate: &certificate.Summary{
 Extensions: certificate.Extensions{
- BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+ BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+ SourceRepositoryOwnerURI: "https://github.com/sigstore",
+ SourceRepositoryURI: "https://github.com/sigstore/sigstore-js",
 },
 },
 },
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 182a66012..8d06617f3 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -340,14 +340,32 @@ func TestRunVerify(t *testing.T) {
 require.Nil(t, runVerify(&opts))
 })
 
+ t.Run("with owner which not matches SourceRepositoryOwnerURI", func(t *testing.T) {
+ opts := publicGoodOpts
+ opts.BundlePath = ""
+ opts.Owner = "owner"
+
+ err := runVerify(&opts)
+ require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://github.com/sigstore")
+ })
+
 t.Run("with repo", func(t *testing.T) {
 opts := publicGoodOpts
 opts.BundlePath = ""
- opts.Repo = "github/example"
+ opts.Repo = "sigstore/sigstore-js"
 
 require.Nil(t, runVerify(&opts))
 })
 
+ t.Run("with repo which not matches SourceRepositoryURI", func(t *testing.T) {
+ opts := publicGoodOpts
+ opts.BundlePath = ""
+ opts.Repo = "wrong/example"
+
+ err := runVerify(&opts)
+ require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong/example, got https://github.com/sigstore/sigstore-js")
+ })
+
 t.Run("with invalid repo", func(t *testing.T) {
 opts := publicGoodOpts
 opts.BundlePath = ""
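Review bot: The two new literals, `https://github.com/sigstore` and `https://github.com/sigstore/sigstore-js`, are re-typed in verify_test.go both as the `opts.Repo` value and inside the expected error text, so a later edit to this fixture would break those tests in a way only the string comparison explains. Exporting them from the mock, e.g. `const MockSourceRepositoryOwnerURI = "https://github.com/sigstore"` beside the struct literal, and building the expected messages from those names would keep the fixture and its assertions in one place. The BuildSignerURI line is removed and re-added with identical content, presumably a key-column realignment; worth confirming nothing else in it changed. The enclosing Verify method starts and ends outside this hunk.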
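Review bot: The case the extensions.go change actually introduces, an attestation whose certificate has an empty SourceRepositoryOwnerURI or SourceRepositoryURI now being rejected, is not exercised by the two new subtests; the mock populates both fields, so only the mismatched-value path is covered. A subtest that runs the verifier against a result with one of those extensions left blank and asserts the `expected SourceRepositoryOwnerURI to be https://github.com/owner, got ` error would pin the fail-closed behaviour, though it needs a way to build a mock result without those fields. The subtest names read awkwardly; `"with owner which does not match SourceRepositoryOwnerURI"` and `"with repo which does not match SourceRepositoryURI"` are the grammatical forms. TestRunVerify begins and ends outside this hunk.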