From aaea0166e2824f12454c8f7d785bd7481eddebe1 Mon Sep 17 00:00:00 2001 From: Phill MV Date: Wed, 9 Oct 2024 16:51:00 -0400 Subject: [PATCH] If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error. --- pkg/cmd/attestation/verification/sigstore.go | 22 ++++++++++++++----- .../verification/sigstore_integration_test.go | 15 +++++++++++++ 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index ca4015db2..e237a3eb9 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go @@ -4,6 +4,7 @@ import ( "bufio" "bytes" "crypto/x509" + "errors" "fmt" "os" @@ -48,6 +49,8 @@ type LiveSigstoreVerifier struct { config SigstoreConfig } +var ErrNoAttestationsVerified = errors.New("no attestations were verified") + // NewLiveSigstoreVerifier creates a new LiveSigstoreVerifier struct // that is used to verify artifacts and attestations against the // Public Good, GitHub, or a custom trusted root. @@ -170,18 +173,20 @@ func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, err } func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults { - // initialize the processing results before attempting to verify + // initialize the processing apResults before attempting to verify // with multiple verifiers - results := make([]*AttestationProcessingResult, len(attestations)) + apResults := make([]*AttestationProcessingResult, len(attestations)) for i, att := range attestations { apr := &AttestationProcessingResult{ Attestation: att, } - results[i] = apr + apResults[i] = apr } + var atLeastOneVerified bool + totalAttestations := len(attestations) - for i, apr := range results { + for i, apr := range apResults { v.config.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations) // determine which verifier should attempt verification against the bundle @@ -212,10 +217,15 @@ func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve "SUCCESS - attestation signature verified with \"%s\"\n", issuer, )) apr.VerificationResult = result + atLeastOneVerified = true } - return &SigstoreResults{ - VerifyResults: results, + if atLeastOneVerified { + return &SigstoreResults{ + VerifyResults: apResults, + } + } else { + return &SigstoreResults{Error: ErrNoAttestationsVerified} } } diff --git a/pkg/cmd/attestation/verification/sigstore_integration_test.go b/pkg/cmd/attestation/verification/sigstore_integration_test.go index 97b44581e..1d3ec2d75 100644 --- a/pkg/cmd/attestation/verification/sigstore_integration_test.go +++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go @@ -85,6 +85,21 @@ func TestLiveSigstoreVerifier(t *testing.T) { require.Len(t, res.VerifyResults, 0) require.ErrorContains(t, res.Error, "unsupported bundle version") }) + + t.Run("with no attestations", func(t *testing.T) { + attestations := []*api.Attestation{} + require.Len(t, attestations, 0) + + verifier := NewLiveSigstoreVerifier(SigstoreConfig{ + Logger: io.NewTestHandler(), + TrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"), + }) + + res := verifier.Verify(attestations, publicGoodPolicy(t)) + require.Len(t, res.VerifyResults, 0) + require.NotNil(t, res.Error) + }) + } func publicGoodPolicy(t *testing.T) verify.PolicyBuilder {