If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.
parent
dfddb16ba3
commit
aaea0166e2
2 changed files with 31 additions and 6 deletions
|
|
@ -4,6 +4,7 @@ import (
|
|||
"bufio"
|
||||
"bytes"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
|
|
@ -48,6 +49,8 @@ type LiveSigstoreVerifier struct {
|
|||
config SigstoreConfig
|
||||
}
|
||||
|
||||
var ErrNoAttestationsVerified = errors.New("no attestations were verified")
|
||||
|
||||
// NewLiveSigstoreVerifier creates a new LiveSigstoreVerifier struct
|
||||
// that is used to verify artifacts and attestations against the
|
||||
// Public Good, GitHub, or a custom trusted root.
|
||||
|
|
@ -170,18 +173,20 @@ func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, err
|
|||
}
|
||||
|
||||
func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
||||
// initialize the processing results before attempting to verify
|
||||
// initialize the processing apResults before attempting to verify
|
||||
// with multiple verifiers
|
||||
results := make([]*AttestationProcessingResult, len(attestations))
|
||||
apResults := make([]*AttestationProcessingResult, len(attestations))
|
||||
for i, att := range attestations {
|
||||
apr := &AttestationProcessingResult{
|
||||
Attestation: att,
|
||||
}
|
||||
results[i] = apr
|
||||
apResults[i] = apr
|
||||
}
|
||||
|
||||
var atLeastOneVerified bool
|
||||
|
||||
totalAttestations := len(attestations)
|
||||
for i, apr := range results {
|
||||
for i, apr := range apResults {
|
||||
v.config.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations)
|
||||
|
||||
// determine which verifier should attempt verification against the bundle
|
||||
|
|
@ -212,10 +217,15 @@ func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
|
|||
"SUCCESS - attestation signature verified with \"%s\"\n", issuer,
|
||||
))
|
||||
apr.VerificationResult = result
|
||||
atLeastOneVerified = true
|
||||
}
|
||||
|
||||
return &SigstoreResults{
|
||||
VerifyResults: results,
|
||||
if atLeastOneVerified {
|
||||
return &SigstoreResults{
|
||||
VerifyResults: apResults,
|
||||
}
|
||||
} else {
|
||||
return &SigstoreResults{Error: ErrNoAttestationsVerified}
|
||||
}
|
||||
}
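Review bot: The zero-attestation case named in the commit title is handled only indirectly here — `atLeastOneVerified` stays false simply because the loop body never runs — so the intent would be clearer, and independent of the loop's early-return paths, with an explicit guard before the loop: `if len(attestations) == 0 { return &SigstoreResults{Error: ErrNoAttestationsVerified} }`. With that guard in place the final `if atLeastOneVerified { return ... } else { return ... }` can drop the `else` after the terminating `if`, which is the usual Go shape. The exported `ErrNoAttestationsVerified` added in the earlier hunk has no doc comment; add `// ErrNoAttestationsVerified is returned by Verify when none of the supplied attestations could be verified.` above it. The body of Verify between the two hunks is outside this view, so whether every failing attestation already returns early (which would make the flag equivalent to the length check) is inferred from the existing test, not visible here.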
|
||||
|
||||
|
|
|
|||
|
|
@ -85,6 +85,21 @@ func TestLiveSigstoreVerifier(t *testing.T) {
|
|||
require.Len(t, res.VerifyResults, 0)
|
||||
require.ErrorContains(t, res.Error, "unsupported bundle version")
|
||||
})
|
||||
|
||||
t.Run("with no attestations", func(t *testing.T) {
|
||||
attestations := []*api.Attestation{}
|
||||
require.Len(t, attestations, 0)
|
||||
|
||||
verifier := NewLiveSigstoreVerifier(SigstoreConfig{
|
||||
Logger: io.NewTestHandler(),
|
||||
TrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"),
|
||||
})
|
||||
|
||||
res := verifier.Verify(attestations, publicGoodPolicy(t))
|
||||
require.Len(t, res.VerifyResults, 0)
|
||||
require.NotNil(t, res.Error)
|
||||
})
|
||||
|
||||
}
|
||||
|
||||
func publicGoodPolicy(t *testing.T) verify.PolicyBuilder {
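Review bot: `require.NotNil(t, res.Error)` only checks that some error came back; since the package now exports the sentinel `ErrNoAttestationsVerified`, pin the contract with `require.ErrorIs(t, res.Error, ErrNoAttestationsVerified)` so a regression that surfaces a different error (for instance an unrelated failure path) is caught. The `require.Len(t, attestations, 0)` assertion on a literal empty slice tests nothing and can be dropped. It would also be worth a second case that passes `nil` as the attestations argument, since callers may hand Verify a nil slice rather than an empty literal and presumably expect the same error.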
|
||||
|
|
|
|||