Make verifier choice more explicit
Signed-off-by: Trevor Rosen <trevrosen@github.com>
This commit is contained in:
Trevor Rosen
parent
d5399b79b9
commit
b6013cf409
2 changed files with 29 additions and 5 deletions
|
|
@ -63,30 +63,39 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro
|
|||
Logger: config.Logger,
|
||||
NoPublicGood: config.NoPublicGood,
|
||||
}
|
||||
// if a custom trusted root is set, configure custom verifiers
|
||||
// if a custom trusted root is set, configure custom verifiers and assume no Public Good or GitHub verifiers
|
||||
// are needed
|
||||
if config.TrustedRoot != "" {
|
||||
customVerifiers, err := createCustomVerifiers(config.TrustedRoot, config.NoPublicGood)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, fmt.Errorf("error creating custom verifiers: %s", err)
|
||||
}
|
||||
liveVerifier.Custom = customVerifiers
|
||||
return liveVerifier, nil
|
||||
}
|
||||
|
||||
// No custom trusted root is set, so configure Public Good and GitHub verifiers
|
||||
if !config.NoPublicGood {
|
||||
publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)
|
||||
if err != nil {
|
||||
// Log warning but continue - PGI unavailability should not block GitHub attestation verification
|
||||
config.Logger.VerbosePrintf("Warning: failed to initialize Public Good verifier: %v\n", err)
|
||||
config.Logger.VerbosePrintf("Warning: failed to initialize Sigstore Public Good verifier: %v\n", err)
|
||||
config.Logger.VerbosePrintf("Continuing without Public Good Instance verification\n")
|
||||
} else {
|
||||
liveVerifier.PublicGood = publicGoodVerifier
|
||||
}
|
||||
}
|
||||
|
||||
github, err := newGitHubVerifier(config.TrustDomain, config.TUFMetadataDir, config.HttpClient)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
config.Logger.VerbosePrintf("Warning: failed to initialize GitHub verifier: %v\n", err)
|
||||
} else {
|
||||
liveVerifier.GitHub = github
|
||||
}
|
||||
|
||||
if liveVerifier.noVerifierSet() {
|
||||
return nil, fmt.Errorf("no valid Sigstore verifiers could be initialized")
|
||||
}
|
||||
liveVerifier.GitHub = github
|
||||
|
||||
return liveVerifier, nil
|
||||
}
|
||||
|
|
@ -378,3 +387,7 @@ func newPublicGoodVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verif
|
|||
|
||||
return sv, nil
|
||||
}
|
||||
|
||||
func (v *LiveSigstoreVerifier) noVerifierSet() bool {
|
||||
return v.PublicGood == nil && v.GitHub == nil && len(v.Custom) == 0
|
||||
}
|
||||
|
|
|
|||
|
|
@ -56,3 +56,14 @@ func TestGetBundleIssuer(t *testing.T) {
|
|||
// Integration tests cover the actual functionality
|
||||
t.Skip("getBundleIssuer requires a valid bundle which needs integration test setup")
|
||||
}
|
||||
|
||||
func TestLiveSigstoreVerifier_noVerifierSet(t *testing.T) {
|
||||
verifier := &LiveSigstoreVerifier{
|
||||
Logger: io.NewTestHandler(),
|
||||
NoPublicGood: true,
|
||||
PublicGood: nil,
|
||||
GitHub: nil,
|
||||
}
|
||||
|
||||
require.True(t, verifier.noVerifierSet())
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue