From b6013cf4093dfb8ce63a790011044f68c438d3a2 Mon Sep 17 00:00:00 2001
From: Trevor Rosen
Date: Fri, 24 Oct 2025 13:42:58 -0500
Subject: [PATCH] Make verifier choice more explicit

Signed-off-by: Trevor Rosen
---
 pkg/cmd/attestation/verification/sigstore.go | 23 +++++++++++++++----
 .../attestation/verification/sigstore_test.go | 11 +++++++++
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index 2ff75d159..e76d55a6b 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -63,30 +63,39 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, erro
 		Logger: config.Logger,
 		NoPublicGood: config.NoPublicGood,
 	}
-	// if a custom trusted root is set, configure custom verifiers
+	// if a custom trusted root is set, configure custom verifiers and assume no Public Good or GitHub verifiers
+	// are needed
 	if config.TrustedRoot != "" {
 		customVerifiers, err := createCustomVerifiers(config.TrustedRoot, config.NoPublicGood)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error creating custom verifiers: %s", err)
 		}
 		liveVerifier.Custom = customVerifiers
 		return liveVerifier, nil
 	}
+
+	// No custom trusted root is set, so configure Public Good and GitHub verifiers
 	if !config.NoPublicGood {
 		publicGoodVerifier, err := newPublicGoodVerifier(config.TUFMetadataDir, config.HttpClient)
 		if err != nil {
 			// Log warning but continue - PGI unavailability should not block GitHub attestation verification
-			config.Logger.VerbosePrintf("Warning: failed to initialize Public Good verifier: %v\n", err)
+			config.Logger.VerbosePrintf("Warning: failed to initialize Sigstore Public Good verifier: %v\n", err)
 			config.Logger.VerbosePrintf("Continuing without Public Good Instance verification\n")
 		} else {
 			liveVerifier.PublicGood = publicGoodVerifier
 		}
 	}
+
 	github, err := newGitHubVerifier(config.TrustDomain, config.TUFMetadataDir, config.HttpClient)
 	if err != nil {
-		return nil, err
+		config.Logger.VerbosePrintf("Warning: failed to initialize GitHub verifier: %v\n", err)
+	} else {
+		liveVerifier.GitHub = github
+	}
+
+	if liveVerifier.noVerifierSet() {
+		return nil, fmt.Errorf("no valid Sigstore verifiers could be initialized")
 	}
-	liveVerifier.GitHub = github
 	return liveVerifier, nil
 }
 
@@ -378,3 +387,7 @@ func newPublicGoodVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verif
 
 	return sv, nil
 }
+
+func (v *LiveSigstoreVerifier) noVerifierSet() bool {
+	return v.PublicGood == nil && v.GitHub == nil && len(v.Custom) == 0
+}
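Review bot: The new fallback on the `newGitHubVerifier` error discards the root cause when nothing else initializes: the init error is only emitted through `VerbosePrintf`, so without verbose output the caller just sees `no valid Sigstore verifiers could be initialized` and cannot tell whether TUF metadata, the trust domain or the network was at fault. Because the custom-root path returns early and `GitHub` is only left nil on error, `err` is still in scope and non-nil at the final check, so wrap it: `return nil, fmt.Errorf("no valid Sigstore verifiers could be initialized (GitHub verifier: %w)", err)`. The new custom-verifier error uses `%s`, which flattens the chain and defeats `errors.Is`/`errors.As` upstream; prefer `fmt.Errorf("creating custom verifiers: %w", err)`. This hunk also relaxes a previously fatal condition — a GitHub verifier init failure now yields a verifier holding only the Public Good instance — and whether an attestation that needs the GitHub root then fails closed depends on dispatch code outside this hunk, so that expectation belongs in the comment above the `noVerifierSet` check. The enclosing function starts before the hunk.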
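Review bot: `noVerifierSet` has no doc comment, and its negated name makes the call site read as a double negative (`if liveVerifier.noVerifierSet()`); a one-line comment would pin the contract, e.g. `// noVerifierSet reports whether neither the Public Good, GitHub nor any custom verifier was configured; a LiveSigstoreVerifier in this state cannot verify anything.` Alternatively invert it to `hasVerifier()` and call `if !liveVerifier.hasVerifier()`. The method dereferences `v`, so it panics on a nil receiver — fine for the constructor's use, but worth stating if it is ever called on a nil `*LiveSigstoreVerifier`.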
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go
index 33812172d..78269d008 100644
--- a/pkg/cmd/attestation/verification/sigstore_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_test.go
@@ -56,3 +56,14 @@ func TestGetBundleIssuer(t *testing.T) {
 	// Integration tests cover the actual functionality
 	t.Skip("getBundleIssuer requires a valid bundle which needs integration test setup")
 }
+
+func TestLiveSigstoreVerifier_noVerifierSet(t *testing.T) {
+	verifier := &LiveSigstoreVerifier{
+		Logger: io.NewTestHandler(),
+		NoPublicGood: true,
+		PublicGood: nil,
+		GitHub: nil,
+	}
+
+	require.True(t, verifier.noVerifierSet())
+}
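Review bot: The new test only exercises the all-nil case, so none of the three clauses in `noVerifierSet` (`PublicGood == nil`, `GitHub == nil`, `len(Custom) == 0`) is ever shown to flip the result, and a regression that made it return `true` unconditionally would still pass. Add the negative cases by setting each of `PublicGood`, `GitHub` and `Custom` in turn to a non-empty value and asserting `require.False(t, verifier.noVerifierSet())`, ideally as a table-driven test. The `Logger` and `NoPublicGood` fields in the fixture do not influence the result and can be dropped so the assertion's inputs are obvious.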