From dc4e9cb5323ebbad58030a4c3bdb3930e6c54547 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 30 Jul 2024 12:11:25 -0700 Subject: [PATCH 1/6] handle attest case insensitivity --- .../attestation/verification/extensions.go | 27 +++++++++++++++++++ pkg/cmd/attestation/verify/policy.go | 17 ++++-------- pkg/cmd/attestation/verify/verify.go | 6 +++++ 3 files changed, 38 insertions(+), 12 deletions(-) create mode 100644 pkg/cmd/attestation/verification/extensions.go diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go new file mode 100644 index 000000000..ffbefb9d3 --- /dev/null +++ b/pkg/cmd/attestation/verification/extensions.go @@ -0,0 +1,27 @@ +package verification + +import ( + "fmt" + "strings" +) + +func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error { + for _, attestation := range results { + if owner != "" { + expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner) + sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI + if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { + return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) + } + } + + if repo != "" { + expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo) + sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI + if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { + return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI) + } + } + } + return nil +} diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index 959bd08a9..938e8048f 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go 
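Review bot: `VerifyCertExtensions` dereferences `attestation.VerificationResult.Signature.Certificate` with no nil check, so a result that carries no signature summary or no certificate will panic the CLI instead of producing a verification failure; since this function now replaces the identity check sigstore-go used to perform, it should fail closed explicitly. Before the two comparisons add `sig := attestation.VerificationResult.Signature` and `if sig == nil || sig.Certificate == nil { return fmt.Errorf("attestation has no signing certificate; cannot verify source repository") }`, then read `sig.Certificate.Extensions`. Also note that `strings.EqualFold` applies Unicode simple case folding (the Kelvin sign U+212A matches `k`, for example); GitHub owner and repository names are ASCII so this is not exploitable through a Fulcio-issued value, but an explicit ASCII-only check on the certificate value would make the intended semantics obvious. The exported function also has no doc comment — add one stating that every result must match and that a missing extension value counts as a mismatch.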
@@ -21,7 +21,7 @@ const ( ) func expandToGitHubURL(ownerOrRepo string) string { - return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo) + return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo) } func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) { @@ -42,17 +42,10 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error return verify.SubjectAlternativeNameMatcher{}, nil } -func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions { - extensions := certificate.Extensions{ - SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner), - RunnerEnvironment: runnerEnv, +func buildCertExtensions(runnerEnv string) certificate.Extensions { + return certificate.Extensions{ + RunnerEnvironment: runnerEnv, } - - // if opts.Repo is set, set the SourceRepositoryURI field before returning the extensions - if opts.Repo != "" { - extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo) - } - return extensions } func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) { @@ -66,7 +59,7 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol return nil, err } - extensions := buildCertExtensions(opts, runnerEnv) + extensions := buildCertExtensions(runnerEnv) certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions) if err != nil { diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go index 16b9477e8..e1a5b1c50 100644 --- a/pkg/cmd/attestation/verify/verify.go +++ b/pkg/cmd/attestation/verify/verify.go 
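Review bot: In `expandToGitHubURL` the `ownerOrRepo` value is still interpolated into the regex unescaped, and the new `(?i)` flag does not change that: repository names may contain `.` and other metacharacters, so `--repo owner/cli.go` yields a SAN pattern that also accepts `https://github.com/owner/cliXgo/...`. Use `return fmt.Sprintf("(?i)^https://github.com/%s/", regexp.QuoteMeta(ownerOrRepo))` (policy.go then needs `regexp` imported; the `TestSetPolicyFlags` expectations for names without metacharacters are unaffected). This matters more after this commit because the second hunk drops `SourceRepositoryOwnerURI`/`SourceRepositoryURI` from the sigstore-go `CertificateIdentity`, leaving the SAN regex as the only source-repository constraint enforced inside the verifier itself. Any caller of `buildCertificateIdentityOption` that does not also run the new post-verification `VerifyCertExtensions` has silently lost that constraint — worth a comment on `buildCertificateIdentityOption` saying so; that function continues past the third hunk.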
@@ -235,6 +235,12 @@ func runVerify(opts *Options) error { return sigstoreRes.Error } + // Verify extensions + if err := verification.VerifyCertExtensions(sigstoreRes.VerifyResults, opts.Owner, opts.Repo); err != nil { + opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Verification failed")) + return err + } + opts.Logger.Println(opts.Logger.ColorScheme.Green("✓ Verification succeeded!\n")) // If an exporter is provided with the --json flag, write the results to the terminal in JSON format From c1adb1a6cfcb932660dd852bb01284a4d836de85 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 30 Jul 2024 12:24:27 -0700 Subject: [PATCH 2/6] added --- .../verification/extensions_test.go | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 pkg/cmd/attestation/verification/extensions_test.go diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go new file mode 100644 index 000000000..829ebb231 --- /dev/null +++ b/pkg/cmd/attestation/verification/extensions_test.go 
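Review bot: The `// Verify extensions` comment above the new `VerifyCertExtensions` call does not say why this check lives here rather than in the sigstore-go policy, which is the non-obvious part of the change; a later reader could fold it back into `buildCertificateIdentityOption` and lose the case-insensitive match. Replace it with something like `// Source repository owner/repo are checked here, after signature verification, because sigstore-go's certificate.Extensions policy matches exactly and GitHub owner/repo names are case-insensitive.` Consider also wrapping the returned error so the failing layer is visible, `return fmt.Errorf("verifying certificate extensions: %w", err)`; the integration tests use `ErrorContains`, so they keep passing. `runVerify` starts and ends outside the hunk.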
@@ -0,0 +1,41 @@
+package verification
+
+import (
+ "testing"
+
+ "github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
+ "github.com/sigstore/sigstore-go/pkg/verify"
+ "github.com/stretchr/testify/require"
+)
+
+func TestVerifyCertExtensions(t *testing.T) {
+ results := []*AttestationProcessingResult{
+ {
+ VerificationResult: &verify.VerificationResult{
+ Signature: &verify.SignatureVerificationResult{
+ Certificate: &certificate.Summary{
+ Extensions: certificate.Extensions{
+ SourceRepositoryOwnerURI: "https://github.com/owner",
+ SourceRepositoryURI: "https://github.com/owner/repo",
+ },
+ },
+ },
+ },
+ },
+ }
+
+ err := VerifyCertExtensions(results, "owner", "owner/repo")
+ require.NoError(t, err)
+
+ err = VerifyCertExtensions(results, "", "owner/repo")
+ require.NoError(t, err)
+
+ err = VerifyCertExtensions(results, "owner", "")
+ require.NoError(t, err)
+
+ err = VerifyCertExtensions(results, "wrong", "")
+ require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
+
+ err = VerifyCertExtensions(results, "", "wrong")
+ require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+}
From e21e5ef5c5d4fabc0848b3f52b8351f3d5fa0b74 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 30 Jul 2024 13:09:28 -0700 Subject: [PATCH 3/6] update test --- .../attestation/verification/extensions.go | 4 +-- .../verification/extensions_test.go | 31 ++++++++++++------- pkg/cmd/attestation/verify/options_test.go | 4 +-- pkg/cmd/attestation/verify/verify_test.go | 16 +++++----- 4 files changed, 32 insertions(+), 23 deletions(-)
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index ffbefb9d3..cadb2668f 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
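Review bot: `TestVerifyCertExtensions` never exercises the behaviour this series is named for — every expected value has the same case as the certificate value, so replacing `strings.EqualFold` with `==` would still pass. Add a mixed-case positive case, e.g. `err = VerifyCertExtensions(results, "OWNER", "Owner/REPO")` followed by `require.NoError(t, err)`. Add a fail-closed case too: a result whose `Extensions` is the zero value should yield an error for both the owner and the repo check, so that a future "skip when empty" guard cannot slip in unnoticed.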
@@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, if owner != "" { expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner) sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI - if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { + if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) } } @@ -18,7 +18,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, if repo != "" { expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo) sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI - if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { + if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI) } } diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go index 829ebb231..c04d29664 100644 --- a/pkg/cmd/attestation/verification/extensions_test.go +++ b/pkg/cmd/attestation/verification/extensions_test.go 
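Review bot: The added `sourceRepositoryOwnerURI != "" &&` (and the matching `sourceRepositoryURI != ""` guard in the second hunk) makes the check fail open: a certificate that simply lacks the `SourceRepositoryOwnerURI` / `SourceRepositoryURI` extension now satisfies any `--owner`/`--repo` policy, whereas the previous version rejected it. A missing extension should be a verification failure, so drop the guard and report an absent value explicitly, e.g. `if sourceRepositoryOwnerURI == "" { return fmt.Errorf("certificate has no SourceRepositoryOwnerURI extension") }` ahead of the comparison. The last patch in this series (1eaf712) removes both guards again, which confirms the intent, but this interim state should not be merged on its own. `VerifyCertExtensions` starts and ends outside the hunk.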
@@ -24,18 +24,27 @@ func TestVerifyCertExtensions(t *testing.T) { }, } - err := VerifyCertExtensions(results, "owner", "owner/repo") - require.NoError(t, err) + t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) { + err := VerifyCertExtensions(results, "owner", "owner/repo") + require.NoError(t, err) + }) + t.Run("VerifyCertExtensions with repo", func(t *testing.T) { + err := VerifyCertExtensions(results, "", "owner/repo") + require.NoError(t, err) + }) - err = VerifyCertExtensions(results, "", "owner/repo") - require.NoError(t, err) + t.Run("VerifyCertExtensions with owner", func(t *testing.T) { + err := VerifyCertExtensions(results, "owner", "") + require.NoError(t, err) + }) - err = VerifyCertExtensions(results, "owner", "") - require.NoError(t, err) + t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) { + err := VerifyCertExtensions(results, "wrong", "") + require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner") + }) - err = VerifyCertExtensions(results, "wrong", "") - require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner") - - err = VerifyCertExtensions(results, "", "wrong") - require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo") + t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) { + err := VerifyCertExtensions(results, "", "wrong") + require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo") + }) } diff --git a/pkg/cmd/attestation/verify/options_test.go b/pkg/cmd/attestation/verify/options_test.go index a7430017e..aea131b27 100644 --- a/pkg/cmd/attestation/verify/options_test.go +++ b/pkg/cmd/attestation/verify/options_test.go 
@@ -70,7 +70,7 @@ func TestSetPolicyFlags(t *testing.T) { opts.SetPolicyFlags() require.Equal(t, "sigstore", opts.Owner) require.Equal(t, "sigstore/sigstore-js", opts.Repo) - require.Equal(t, "^https://github.com/sigstore/sigstore-js/", opts.SANRegex) + require.Equal(t, "(?i)^https://github.com/sigstore/sigstore-js/", opts.SANRegex) }) t.Run("does not set SANRegex when SANRegex and Repo are provided", func(t *testing.T) { @@ -99,7 +99,7 @@ func TestSetPolicyFlags(t *testing.T) { opts.SetPolicyFlags() require.Equal(t, "sigstore", opts.Owner) - require.Equal(t, "^https://github.com/sigstore/", opts.SANRegex) + require.Equal(t, "(?i)^https://github.com/sigstore/", opts.SANRegex) }) t.Run("does not set SANRegex when SANRegex and Owner are provided", func(t *testing.T) { diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go index f0cc21709..182a66012 100644 --- a/pkg/cmd/attestation/verify/verify_test.go +++ b/pkg/cmd/attestation/verify/verify_test.go @@ -76,7 +76,7 @@ func TestNewVerifyCmd(t *testing.T) { Limit: 30, OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -91,7 +91,7 @@ func TestNewVerifyCmd(t *testing.T) { Limit: 30, OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -105,7 +105,7 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", Limit: 30, - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: true, 
@@ -133,7 +133,7 @@ func TestNewVerifyCmd(t *testing.T) { Limit: 30, OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -147,7 +147,7 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", Limit: 101, - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -161,7 +161,7 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", Limit: 0, - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: true, @@ -176,7 +176,7 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", SAN: "https://github.com/sigstore/", - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: true, @@ -191,7 +191,7 @@ func TestNewVerifyCmd(t *testing.T) { Limit: 30, OIDCIssuer: GitHubOIDCIssuer, Owner: "sigstore", - SANRegex: "^https://github.com/sigstore/", + SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsExporter: true, From 580ddf69979777481acd2b4d0cff92eb8795a204 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 30 Jul 2024 13:14:16 -0700 Subject: [PATCH 4/6] minor fix --- pkg/cmd/attestation/verification/extensions.go | 13 +++++++------ pkg/cmd/attestation/verify/policy.go | 11 ++++------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go index cadb2668f..6d093a5d7 100644 
--- a/pkg/cmd/attestation/verification/extensions.go +++ b/pkg/cmd/attestation/verification/extensions.go @@ -7,15 +7,16 @@ import ( func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error { for _, attestation := range results { - if owner != "" { - expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner) - sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI - if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { - return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) - } + // TODO: handle proxima prefix + expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner) + sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI + if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { + return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) } + // if repo is set, check the SourceRepositoryURI field if repo != "" { + // TODO: handle proxima prefix expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo) sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index 938e8048f..4d850ddcc 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go 
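Review bot: Removing the `if owner != ""` guard changes the contract of the exported `VerifyCertExtensions` without documenting it: with an empty `owner` the expected value becomes `https://github.com/`, which can never equal a real `SourceRepositoryOwnerURI`, so the function now fails for every attestation unless the caller always supplies an owner (the `TestSetPolicyFlags` changes elsewhere in this series suggest `Owner` is derived from `Repo`, but that is outside this hunk). Make the precondition explicit with a doc comment, `// VerifyCertExtensions checks that every result's certificate names owner (required) and, when non-empty, repo as its source; the comparison is case-insensitive because GitHub names are.`, and optionally an early `if owner == "" { return fmt.Errorf("owner is required to verify certificate extensions") }` so the failure is a clear message rather than a confusing URI mismatch. The two `// TODO: handle proxima prefix` lines would also help a reader if they named what that prefix looks like. This hunk still carries the `!= ""` fail-open guards introduced in the previous patch, and the function continues past the hunk.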
@@ -21,6 +21,7 @@ const ( ) func expandToGitHubURL(ownerOrRepo string) string { + // TODO: handle proxima prefix return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo) } @@ -42,12 +43,6 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error return verify.SubjectAlternativeNameMatcher{}, nil } -func buildCertExtensions(runnerEnv string) certificate.Extensions { - return certificate.Extensions{ - RunnerEnvironment: runnerEnv, - } -} - func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) { sanMatcher, err := buildSANMatcher(opts) if err != nil { @@ -59,7 +54,9 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol return nil, err } - extensions := buildCertExtensions(runnerEnv) + extensions := certificate.Extensions{ + RunnerEnvironment: runnerEnv, + } certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions) if err != nil { From 596ee8bd7116c659e3cba95a792d327171732f15 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 30 Jul 2024 13:22:49 -0700 Subject: [PATCH 5/6] update test --- pkg/cmd/attestation/verification/extensions_test.go | 6 +----- pkg/cmd/attestation/verify/verify_integration_test.go | 6 +++--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go index c04d29664..7aec4ec45 100644 --- a/pkg/cmd/attestation/verification/extensions_test.go +++ b/pkg/cmd/attestation/verification/extensions_test.go @@ -28,10 +28,6 @@ func TestVerifyCertExtensions(t *testing.T) { err := VerifyCertExtensions(results, "owner", "owner/repo") require.NoError(t, err) }) - t.Run("VerifyCertExtensions with repo", func(t *testing.T) { - err := VerifyCertExtensions(results, "", "owner/repo") - require.NoError(t, err) - }) t.Run("VerifyCertExtensions with owner", func(t *testing.T) { err := VerifyCertExtensions(results, "owner", "") 
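Review bot: Deleting the `VerifyCertExtensions with repo` subtest (empty owner) removes the only coverage of the empty-owner path and nothing replaces it, so the test no longer pins whether an empty owner is accepted or rejected now that the owner check is unconditional. Add a subtest asserting the fail-closed outcome, e.g. `err := VerifyCertExtensions(results, "", "owner/repo")` with `require.Error(t, err)`, so a later change cannot silently turn an empty owner into a wildcard. `TestVerifyCertExtensions` starts and ends outside the hunk.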
@@ -44,7 +40,7 @@ func TestVerifyCertExtensions(t *testing.T) { }) t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) { - err := VerifyCertExtensions(results, "", "wrong") + err := VerifyCertExtensions(results, "owner", "wrong") require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo") }) } diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go index 6833043b8..9ad7a87a3 100644 --- a/pkg/cmd/attestation/verify/verify_integration_test.go +++ b/pkg/cmd/attestation/verify/verify_integration_test.go @@ -60,7 +60,7 @@ func TestVerifyIntegration(t *testing.T) { err := runVerify(&opts) require.Error(t, err) - require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/sigstore/fakerepo\", got \"https://github.com/sigstore/sigstore-js\"") + require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/sigstore/fakerepo, got https://github.com/sigstore/sigstore-js") }) t.Run("with invalid owner", func(t *testing.T) { @@ -69,7 +69,7 @@ func TestVerifyIntegration(t *testing.T) { err := runVerify(&opts) require.Error(t, err) - require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryOwnerURI to be \"https://github.com/fakeowner\", got \"https://github.com/sigstore\"") + require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/fakeowner, got https://github.com/sigstore") }) t.Run("with invalid owner and invalid repo", func(t *testing.T) { 
@@ -78,7 +78,7 @@ func TestVerifyIntegration(t *testing.T) { err := runVerify(&opts) require.Error(t, err) - require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/fakeowner/fakerepo\"") + require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/fakeowner/fakerepo, got https://github.com/sigstore/sigstore-js") }) } From 1eaf712dd13c976b5225279a5e7e66564a7f03f1 Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Wed, 31 Jul 2024 07:29:43 -0700 Subject: [PATCH 6/6] update test and remove logic to check SourceRepositoryOwnerURI is empty string --- .../attestation/verification/extensions.go | 4 ++-- .../attestation/verification/mock_verifier.go | 4 +++- pkg/cmd/attestation/verify/verify_test.go | 20 ++++++++++++++++++- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go index 6d093a5d7..1915152dc 100644 --- a/pkg/cmd/attestation/verification/extensions.go +++ b/pkg/cmd/attestation/verification/extensions.go @@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, // TODO: handle proxima prefix expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner) sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI - if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { + if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) { return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) } 
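Review bot: With the `!= ""` guard gone, a certificate lacking `SourceRepositoryOwnerURI` once again fails verification, which is the correct fail-closed behaviour, but nothing in the code records that this is deliberate; the guard was added and removed within the same series, so the next reader has no signal that a missing extension must not be tolerated. Add a comment on the comparison, `// An empty extension value is a mismatch by design: a certificate that does not name its source owner must not satisfy --owner.`, and ideally a doc comment on the exported function stating the same for both extensions. `VerifyCertExtensions` starts and ends outside the hunk.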
@@ -19,7 +19,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, // TODO: handle proxima prefix expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo) sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI - if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { + if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) { return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI) } } diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go index a8579b578..dcbfb1ba2 100644 --- a/pkg/cmd/attestation/verification/mock_verifier.go +++ b/pkg/cmd/attestation/verification/mock_verifier.go @@ -31,7 +31,9 @@ func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve Signature: &verify.SignatureVerificationResult{ Certificate: &certificate.Summary{ Extensions: certificate.Extensions{ - BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main", + BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main", + SourceRepositoryOwnerURI: "https://github.com/sigstore", + SourceRepositoryURI: "https://github.com/sigstore/sigstore-js", }, }, }, diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go index 182a66012..8d06617f3 100644 --- a/pkg/cmd/attestation/verify/verify_test.go +++ b/pkg/cmd/attestation/verify/verify_test.go 
@@ -340,14 +340,32 @@ func TestRunVerify(t *testing.T) { require.Nil(t, runVerify(&opts)) }) + t.Run("with owner which not matches SourceRepositoryOwnerURI", func(t *testing.T) { + opts := publicGoodOpts + opts.BundlePath = "" + opts.Owner = "owner" + + err := runVerify(&opts) + require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://github.com/sigstore") + }) + t.Run("with repo", func(t *testing.T) { opts := publicGoodOpts opts.BundlePath = "" - opts.Repo = "github/example" + opts.Repo = "sigstore/sigstore-js" require.Nil(t, runVerify(&opts)) }) + t.Run("with repo which not matches SourceRepositoryURI", func(t *testing.T) { + opts := publicGoodOpts + opts.BundlePath = "" + opts.Repo = "wrong/example" + + err := runVerify(&opts) + require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong/example, got https://github.com/sigstore/sigstore-js") + }) + t.Run("with invalid repo", func(t *testing.T) { opts := publicGoodOpts opts.BundlePath = ""