From cfbc1c7e105b80b317115973e1c4e7f8011b7ecd Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 18 Nov 2024 12:16:12 -0700
Subject: [PATCH] wording

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/policy.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/attestation/verification/policy.go b/pkg/cmd/attestation/verification/policy.go
index 395575574..4765a8672 100644
--- a/pkg/cmd/attestation/verification/policy.go
+++ b/pkg/cmd/attestation/verification/policy.go
@@ -65,15 +65,13 @@ The following policy criteria will be enforced against all attestations:
 }

 if c.Certificate.RunnerEnvironment == GitHubRunner {
- info += "\n- Attestation must be signed by a certificate that was generated by a Action workflow executed in a GitHub hosted runner"
- }
-
- if c.SANRegex != "" {
- info += fmt.Sprintf("\n- Attestation must be signed by a certificate with a Subject Alternative Name matching the regex %s", c.SANRegex)
+ info += "\n- Attestation's signing certificate must be generated by an Action workflow executed in a GitHub hosted runner"
 }

 if c.SAN != "" {
- info += fmt.Sprintf("\n- Attestation must be signed by a certificate with a Subject Alternative Name matching the exact value %s", c.SAN)
+ info += fmt.Sprintf("\n- Attestation's signing certificate must have a Subject Alternative Name matching the exact value %s", c.SAN)
+ } else if c.SANRegex != "" {
+ info += fmt.Sprintf("\n- Attestation's signing certificate must have a Subject Alternative Name matching the regex %s", c.SANRegex)
 }

 return info
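Review bot: The new `} else if c.SANRegex != "" {` branch changes behaviour, not only wording: when both `c.SAN` and `c.SANRegex` are set, the summary now lists only the exact-value SAN criterion, where the old code printed both. This text is what a user reads to learn which signer-identity constraints are enforced, so it has to match the precedence used where the certificate identity is built for verification. That code is not visible in this hunk, so please confirm the two agree. I would add a comment above `if c.SAN != "" {` such as `// Only one SAN criterion is reported: SAN wins over SANRegex. Keep in sync with the enforced policy.` and a test case with both fields set. The enclosing function starts outside the hunk.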