From 6a7243bb7b116b795dfed8758f6a36e56deebee8 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 3 Dec 2024 10:54:22 -0700 Subject: [PATCH 1/7] remove unneeded nesting Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verification/sigstore.go | 33 ++++++++++++-------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index 66005d62e69..e520e1b0ca1 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go @@ -41,7 +41,11 @@ type SigstoreVerifier interface { } type LiveSigstoreVerifier struct { - config SigstoreConfig + TrustedRoot string + Logger *io.Handler + NoPublicGood bool + // If tenancy mode is not used, trust domain is empty + TrustDomain string } var ErrNoAttestationsVerified = errors.New("no attestations were verified") @@ -51,7 +55,10 @@ var ErrNoAttestationsVerified = errors.New("no attestations were verified") // Public Good, GitHub, or a custom trusted root. func NewLiveSigstoreVerifier(config SigstoreConfig) *LiveSigstoreVerifier { return &LiveSigstoreVerifier{ - config: config, + TrustedRoot: config.TrustedRoot, + Logger: config.Logger, + NoPublicGood: config.NoPublicGood, + TrustDomain: config.TrustDomain, } } @@ -72,10 +79,10 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE } issuer := leafCert.Issuer.Organization[0] - if v.config.TrustedRoot != "" { - customTrustRoots, err := os.ReadFile(v.config.TrustedRoot) + if v.TrustedRoot != "" { + customTrustRoots, err := os.ReadFile(v.TrustedRoot) if err != nil { - return nil, "", fmt.Errorf("unable to read file %s: %v", v.config.TrustedRoot, err) + return nil, "", fmt.Errorf("unable to read file %s: %v", v.TrustedRoot, err) } reader := bufio.NewReader(bytes.NewReader(customTrustRoots)) 
@@ -107,7 +114,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE // Note that we are *only* inferring the policy with the // issuer. We *must* use the trusted root provided. if issuer == PublicGoodIssuerOrg { - if v.config.NoPublicGood { + if v.NoPublicGood { return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") } verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) @@ -136,15 +143,15 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE return nil, "", fmt.Errorf("unable to use provided trusted roots") } - if leafCert.Issuer.Organization[0] == PublicGoodIssuerOrg && !v.config.NoPublicGood { + if leafCert.Issuer.Organization[0] == PublicGoodIssuerOrg && !v.NoPublicGood { publicGoodVerifier, err := newPublicGoodVerifier() if err != nil { return nil, "", fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) } return publicGoodVerifier, issuer, nil - } else if leafCert.Issuer.Organization[0] == GitHubIssuerOrg || v.config.NoPublicGood { - ghVerifier, err := newGitHubVerifier(v.config.TrustDomain) + } else if leafCert.Issuer.Organization[0] == GitHubIssuerOrg || v.NoPublicGood { + ghVerifier, err := newGitHubVerifier(v.TrustDomain) if err != nil { return nil, "", fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) } 
@@ -174,12 +181,12 @@ func (v *LiveSigstoreVerifier) verify(attestation *api.Attestation, policy verif return nil, fmt.Errorf("failed to find recognized issuer from bundle content: %v", err) } - v.config.Logger.VerbosePrintf("Attempting verification against issuer \"%s\"\n", issuer) + v.Logger.VerbosePrintf("Attempting verification against issuer \"%s\"\n", issuer) // attempt to verify the attestation result, err := verifier.Verify(attestation.Bundle, policy) // if verification fails, create the error and exit verification early if err != nil { - v.config.Logger.VerbosePrint(v.config.Logger.ColorScheme.Redf( + v.Logger.VerbosePrint(v.Logger.ColorScheme.Redf( "Failed to verify against issuer \"%s\" \n\n", issuer, )) @@ -188,7 +195,7 @@ func (v *LiveSigstoreVerifier) verify(attestation *api.Attestation, policy verif // if verification is successful, add the result // to the AttestationProcessingResult entry - v.config.Logger.VerbosePrint(v.config.Logger.ColorScheme.Greenf( + v.Logger.VerbosePrint(v.Logger.ColorScheme.Greenf( "SUCCESS - attestation signature verified with \"%s\"\n", issuer, )) @@ -208,7 +215,7 @@ func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve var lastError error totalAttestations := len(attestations) for i, a := range attestations { - v.config.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations) + v.Logger.VerbosePrintf("Verifying attestation %d/%d against the configured Sigstore trust roots\n", i+1, totalAttestations) apr, err := v.verify(a, policy) if err != nil { From 1ffd22565d31252fd4bd2b813efa2e90763f7dde Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 3 Dec 2024 11:52:08 -0700 Subject: [PATCH 2/7] inverse logic for less nesting Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verification/sigstore.go | 55 ++++++++++---------- 1 file changed, 27 insertions(+), 28 deletions(-) 
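Review bot: Now that `Logger` is an exported field, a `LiveSigstoreVerifier{...}` literal built in another package without `NewLiveSigstoreVerifier` reaches `v.Logger.ColorScheme.Redf(` and the `v.Logger.VerbosePrint*` calls in these hunks with a nil pointer and panics mid-verification instead of returning an error. A zero-value struct could do this before as well, but exported fields make per-field construction the expected pattern, so the invariant should be written down: `// Logger must be non-nil; NewLiveSigstoreVerifier populates every field from a SigstoreConfig.` on the struct, or a nil check at the top of `Verify` that returns an error. Both `verify` and `Verify` begin outside these hunks.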
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index e520e1b0ca1..e6c3b976b4c 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -104,38 +104,37 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE return nil, "", err } - if len(lowestCert.Issuer.Organization) == 0 { + // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it + if len(lowestCert.Issuer.Organization) == 0 || lowestCert.Issuer.Organization[0] != issuer { continue } - if lowestCert.Issuer.Organization[0] == issuer { - // Determine what policy to use with this trusted root. - // - // Note that we are *only* inferring the policy with the - // issuer. We *must* use the trusted root provided. - if issuer == PublicGoodIssuerOrg { - if v.NoPublicGood { - return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") - } - verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, "", err - } - return verifier, issuer, nil - } else if issuer == GitHubIssuerOrg { - verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, "", err - } - return verifier, issuer, nil - } else { - // Make best guess at reasonable policy - customVerifier, err := newCustomVerifier(trustedRoot) - if err != nil { - return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) - } - return customVerifier, issuer, nil + // Determine what policy to use with this trusted root. + // + // Note that we are *only* inferring the policy with the + // issuer. We *must* use the trusted root provided. 
+ if issuer == PublicGoodIssuerOrg { + if v.NoPublicGood { + return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") } + verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) + if err != nil { + return nil, "", err + } + return verifier, issuer, nil + } else if issuer == GitHubIssuerOrg { + verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) + if err != nil { + return nil, "", err + } + return verifier, issuer, nil + } else { + // Make best guess at reasonable policy + customVerifier, err := newCustomVerifier(trustedRoot) + if err != nil { + return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) + } + return customVerifier, issuer, nil } } line, readError = reader.ReadBytes('\n') From d737d3b933d8e30e00792538d8b845fde8bc79dc Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 3 Dec 2024 12:19:28 -0700 Subject: [PATCH 3/7] more logic updating to remove nesting Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verification/sigstore.go | 155 +++++++++++-------- 1 file changed, 90 insertions(+), 65 deletions(-) diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index e6c3b976b4c..a4042f7c9e8 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go 
@@ -62,6 +62,24 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) *LiveSigstoreVerifier {
 }
 }
 
+func getBundleIssuer(b *bundle.Bundle) (string, error) {
+ if !b.MinVersion("0.2") {
+ return "", fmt.Errorf("unsupported bundle version: %s", b.MediaType)
+ }
+ verifyContent, err := b.VerificationContent()
+ if err != nil {
+ return "", fmt.Errorf("failed to get bundle verification content: %v", err)
+ }
+ leafCert := verifyContent.GetCertificate()
+ if leafCert == nil {
+ return "", fmt.Errorf("leaf cert not found")
+ }
+ if len(leafCert.Issuer.Organization) != 1 {
+ return "", fmt.Errorf("expected the leaf certificate issuer to only have one organization")
+ }
+ return leafCert.Issuer.Organization[0], nil
+}
+
 func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedEntityVerifier, string, error) {
 if !b.MinVersion("0.2") {
 return nil, "", fmt.Errorf("unsupported bundle version: %s", b.MediaType)
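Review bot: `getBundleIssuer` is added without a comment, yet it produces the string that every later trust decision is keyed on and encodes three rejection rules that are easy to misread from the body alone. A comment such as `// getBundleIssuer returns the single Organization of the issuer of b's leaf certificate. It rejects bundles older than v0.2, bundles without a leaf certificate, and issuers whose Organization has zero or several entries.` would make that contract explicit. The `!= 1` rule here is stricter than the `== 0` guard applied to custom-root certificates elsewhere in this file; if that asymmetry is intentional it is worth one sentence as well.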
@@ -79,86 +97,93 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE } issuer := leafCert.Issuer.Organization[0] - if v.TrustedRoot != "" { - customTrustRoots, err := os.ReadFile(v.TrustedRoot) + // if no custom trusted root is set, attempt to create a Public Good or + // GitHub Sigstore verifier + if v.TrustedRoot == "" { + if issuer == PublicGoodIssuerOrg { + if v.NoPublicGood { + return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") + } + + publicGoodVerifier, err := newPublicGoodVerifier() + if err != nil { + return nil, "", fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) + } + + return publicGoodVerifier, issuer, nil + } else if issuer == GitHubIssuerOrg { + ghVerifier, err := newGitHubVerifier(v.TrustDomain) + if err != nil { + return nil, "", fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) + } + + return ghVerifier, issuer, nil + } + + return nil, "", fmt.Errorf("leaf certificate issuer is not recognized") + } + + customTrustRoots, err := os.ReadFile(v.TrustedRoot) + if err != nil { + return nil, "", fmt.Errorf("unable to read file %s: %v", v.TrustedRoot, err) + } + + reader := bufio.NewReader(bytes.NewReader(customTrustRoots)) + var line []byte + var readError error + line, readError = reader.ReadBytes('\n') + for readError == nil { + // Load each trusted root + trustedRoot, err := root.NewTrustedRootFromJSON(line) if err != nil { - return nil, "", fmt.Errorf("unable to read file %s: %v", v.TrustedRoot, err) + return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) } - reader := bufio.NewReader(bytes.NewReader(customTrustRoots)) - var line []byte - var readError error - line, readError = reader.ReadBytes('\n') - for readError == nil { - // Load each trusted root - trustedRoot, err := root.NewTrustedRootFromJSON(line) + // Compare bundle leafCert issuer with trusted root cert authority + certAuthorities := 
trustedRoot.FulcioCertificateAuthorities() + for _, certAuthority := range certAuthorities { + lowestCert, err := getLowestCertInChain(&certAuthority) if err != nil { - return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) + return nil, "", err } - // Compare bundle leafCert issuer with trusted root cert authority - certAuthorities := trustedRoot.FulcioCertificateAuthorities() - for _, certAuthority := range certAuthorities { - lowestCert, err := getLowestCertInChain(&certAuthority) + // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it + if len(lowestCert.Issuer.Organization) == 0 || lowestCert.Issuer.Organization[0] != issuer { + continue + } + + // Determine what policy to use with this trusted root. + // + // Note that we are *only* inferring the policy with the + // issuer. We *must* use the trusted root provided. + if issuer == PublicGoodIssuerOrg { + if v.NoPublicGood { + return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") + } + verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) if err != nil { return nil, "", err } - - // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it - if len(lowestCert.Issuer.Organization) == 0 || lowestCert.Issuer.Organization[0] != issuer { - continue + return verifier, issuer, nil + } else if issuer == GitHubIssuerOrg { + verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) + if err != nil { + return nil, "", err } - - // Determine what policy to use with this trusted root. - // - // Note that we are *only* inferring the policy with the - // issuer. We *must* use the trusted root provided. 
- if issuer == PublicGoodIssuerOrg { - if v.NoPublicGood { - return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") - } - verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, "", err - } - return verifier, issuer, nil - } else if issuer == GitHubIssuerOrg { - verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, "", err - } - return verifier, issuer, nil - } else { - // Make best guess at reasonable policy - customVerifier, err := newCustomVerifier(trustedRoot) - if err != nil { - return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) - } - return customVerifier, issuer, nil + return verifier, issuer, nil + } else { + // Make best guess at reasonable policy + customVerifier, err := newCustomVerifier(trustedRoot) + if err != nil { + return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) } + return customVerifier, issuer, nil } - line, readError = reader.ReadBytes('\n') - } - return nil, "", fmt.Errorf("unable to use provided trusted roots") - } - - if leafCert.Issuer.Organization[0] == PublicGoodIssuerOrg && !v.NoPublicGood { - publicGoodVerifier, err := newPublicGoodVerifier() - if err != nil { - return nil, "", fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) } - - return publicGoodVerifier, issuer, nil - } else if leafCert.Issuer.Organization[0] == GitHubIssuerOrg || v.NoPublicGood { - ghVerifier, err := newGitHubVerifier(v.TrustDomain) - if err != nil { - return nil, "", fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) - } - - return ghVerifier, issuer, nil + line, readError = reader.ReadBytes('\n') } - return nil, "", fmt.Errorf("leaf certificate issuer is not recognized") + return nil, "", fmt.Errorf("unable to use provided trusted roots") } func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, error) { 
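Review bot: The path without a custom trusted root changes behaviour, not only nesting: the removed code routed a `NoPublicGood` verifier to `newGitHubVerifier` for any issuer (`... == GitHubIssuerOrg || v.NoPublicGood`), while the added code returns an error for a Public Good issuer and 'leaf certificate issuer is not recognized' for every other non-GitHub issuer. Failing closed on an unknown issuer is the safer outcome, but it is silent in a commit titled 'more logic updating to remove nesting', so it deserves a sentence in the message and a test asserting that a `NoPublicGood` verifier rejects an unrecognised issuer instead of attempting GitHub verification. Separately, the added `for readError == nil` loop never processes the last line of the trusted-root file when it lacks a trailing newline, because `ReadBytes` returns that final line together with its end-of-input error; handling a non-empty `line` once more after the loop exits would close that gap. `getLowestCertInChain` continues past the end of the hunk.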
From f0f86ecd2331dff89ddeec28d77f21d2fe75fdc3 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 3 Dec 2024 12:22:56 -0700
Subject: [PATCH 4/7] get bundle issuer in another func

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/sigstore.go | 59 ++++++++------------
 1 file changed, 24 insertions(+), 35 deletions(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index a4042f7c9e8..8934830aeb4 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -80,52 +80,36 @@ func getBundleIssuer(b *bundle.Bundle) (string, error) { return leafCert.Issuer.Organization[0], nil } -func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedEntityVerifier, string, error) { - if !b.MinVersion("0.2") { - return nil, "", fmt.Errorf("unsupported bundle version: %s", b.MediaType) - } - verifyContent, err := b.VerificationContent() - if err != nil { - return nil, "", fmt.Errorf("failed to get bundle verification content: %v", err) - } - leafCert := verifyContent.GetCertificate() - if leafCert == nil { - return nil, "", fmt.Errorf("leaf cert not found") - } - if len(leafCert.Issuer.Organization) != 1 { - return nil, "", fmt.Errorf("expected the leaf certificate issuer to only have one organization") - } - issuer := leafCert.Issuer.Organization[0] - +func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEntityVerifier, error) { // if no custom trusted root is set, attempt to create a Public Good or // GitHub Sigstore verifier if v.TrustedRoot == "" { if issuer == PublicGoodIssuerOrg { if v.NoPublicGood { - return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") + return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } publicGoodVerifier, err := newPublicGoodVerifier() if err != nil { - return nil, "", fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) + return nil, fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) } - return publicGoodVerifier, issuer, nil + return publicGoodVerifier, nil } else if issuer == GitHubIssuerOrg { ghVerifier, err := newGitHubVerifier(v.TrustDomain) if err != nil { - return nil, "", fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) + return nil, fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) } - return ghVerifier, issuer, nil + return ghVerifier, nil } - return nil, "", 
fmt.Errorf("leaf certificate issuer is not recognized") + return nil, fmt.Errorf("leaf certificate issuer is not recognized") } customTrustRoots, err := os.ReadFile(v.TrustedRoot) if err != nil { - return nil, "", fmt.Errorf("unable to read file %s: %v", v.TrustedRoot, err) + return nil, fmt.Errorf("unable to read file %s: %v", v.TrustedRoot, err) } reader := bufio.NewReader(bytes.NewReader(customTrustRoots)) @@ -136,7 +120,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE // Load each trusted root trustedRoot, err := root.NewTrustedRootFromJSON(line) if err != nil { - return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) + return nil, fmt.Errorf("failed to create custom verifier: %v", err) } // Compare bundle leafCert issuer with trusted root cert authority @@ -144,7 +128,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE for _, certAuthority := range certAuthorities { lowestCert, err := getLowestCertInChain(&certAuthority) if err != nil { - return nil, "", err + return nil, err } // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it 
@@ -158,32 +142,32 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.Bundle) (*verify.SignedE // issuer. We *must* use the trusted root provided. if issuer == PublicGoodIssuerOrg { if v.NoPublicGood { - return nil, "", fmt.Errorf("detected public good instance but requested verification without public good instance") + return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) if err != nil { - return nil, "", err + return nil, err } - return verifier, issuer, nil + return verifier, nil } else if issuer == GitHubIssuerOrg { verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) if err != nil { - return nil, "", err + return nil, err } - return verifier, issuer, nil + return verifier, nil } else { // Make best guess at reasonable policy customVerifier, err := newCustomVerifier(trustedRoot) if err != nil { - return nil, "", fmt.Errorf("failed to create custom verifier: %v", err) + return nil, fmt.Errorf("failed to create custom verifier: %v", err) } - return customVerifier, issuer, nil + return customVerifier, nil } } line, readError = reader.ReadBytes('\n') } - return nil, "", fmt.Errorf("unable to use provided trusted roots") + return nil, fmt.Errorf("unable to use provided trusted roots") } func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, error) { 
@@ -199,8 +183,13 @@ func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, err
 }
 
 func (v *LiveSigstoreVerifier) verify(attestation *api.Attestation, policy verify.PolicyBuilder) (*AttestationProcessingResult, error) {
+ issuer, err := getBundleIssuer(attestation.Bundle)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get bundle issuer: %v", err)
+ }
+
 // determine which verifier should attempt verification against the bundle
- verifier, issuer, err := v.chooseVerifier(attestation.Bundle)
+ verifier, err := v.chooseVerifier(issuer)
 if err != nil {
 return nil, fmt.Errorf("failed to find recognized issuer from bundle content: %v", err)
 }
From 2a6ee87ba09a8aa1c0ee9172403cf93cf1a0572d Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 3 Dec 2024 12:29:35 -0700
Subject: [PATCH 5/7] remove duplicate err checking

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/sigstore.go | 34 +++-----------------
 1 file changed, 5 insertions(+), 29 deletions(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index 8934830aeb4..1b7e0654cec 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
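Review bot: The message wrapped around the `chooseVerifier` error no longer matches what can fail there: issuer recognition now happens in `getBundleIssuer` (already wrapped as 'failed to get bundle issuer' just above), while `chooseVerifier` fails on reading or parsing the custom trusted-root file, constructing a verifier, or a `NoPublicGood` conflict, all of which would be reported as 'failed to find recognized issuer from bundle content'. `return nil, fmt.Errorf("failed to select a verifier for issuer %q: %v", issuer, err)` describes the actual failure and keeps the issuer in the output. Switching to `%w` would also let callers inspect the cause with `errors.Is`, though the rest of this file uses `%v`. `verify` continues past the end of the hunk.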
@@ -88,22 +88,10 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEnti if v.NoPublicGood { return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } - - publicGoodVerifier, err := newPublicGoodVerifier() - if err != nil { - return nil, fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) - } - - return publicGoodVerifier, nil + return newPublicGoodVerifier() } else if issuer == GitHubIssuerOrg { - ghVerifier, err := newGitHubVerifier(v.TrustDomain) - if err != nil { - return nil, fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) - } - - return ghVerifier, nil + return newGitHubVerifier(v.TrustDomain) } - return nil, fmt.Errorf("leaf certificate issuer is not recognized") } @@ -144,24 +132,12 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEnti if v.NoPublicGood { return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } - verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, err - } - return verifier, nil + return newPublicGoodVerifierWithTrustedRoot(trustedRoot) } else if issuer == GitHubIssuerOrg { - verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot) - if err != nil { - return nil, err - } - return verifier, nil + return newGitHubVerifierWithTrustedRoot(trustedRoot) } else { // Make best guess at reasonable policy - customVerifier, err := newCustomVerifier(trustedRoot) - if err != nil { - return nil, fmt.Errorf("failed to create custom verifier: %v", err) - } - return customVerifier, nil + return newCustomVerifier(trustedRoot) } } line, readError = reader.ReadBytes('\n') From efca3bdfd97c77da707caa83308b733605409eae Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 3 Dec 2024 12:34:33 -0700 Subject: [PATCH 6/7] try switch statement 
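Review bot: Collapsing the branches to bare `return newPublicGoodVerifier()`, `return newGitHubVerifier(v.TrustDomain)`, `return newPublicGoodVerifierWithTrustedRoot(trustedRoot)` and the custom-root variants drops the 'failed to create ... Sigstore verifier' and 'failed to create custom verifier' context the removed lines attached, so a trusted-root or verifier-initialisation failure now surfaces with only whatever the caller adds. As of this series the caller in `verify` wraps it as 'failed to find recognized issuer from bundle content', which misattributes such failures to the bundle. If the aim is a single wrapping layer, moving the detail to that call site, e.g. `fmt.Errorf("creating verifier for issuer %q: %w", issuer, err)`, preserves the diagnostics without re-nesting here; otherwise the per-branch `fmt.Errorf` calls are worth keeping. `chooseVerifier` begins and ends outside these hunks.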
Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verification/sigstore.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index 1b7e0654cec..c938dfccde9 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go @@ -84,15 +84,17 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEnti // if no custom trusted root is set, attempt to create a Public Good or // GitHub Sigstore verifier if v.TrustedRoot == "" { - if issuer == PublicGoodIssuerOrg { + switch issuer { + case PublicGoodIssuerOrg: if v.NoPublicGood { return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } return newPublicGoodVerifier() - } else if issuer == GitHubIssuerOrg { + case GitHubIssuerOrg: return newGitHubVerifier(v.TrustDomain) + default: + return nil, fmt.Errorf("leaf certificate issuer is not recognized") } - return nil, fmt.Errorf("leaf certificate issuer is not recognized") } customTrustRoots, err := os.ReadFile(v.TrustedRoot) @@ -128,14 +130,15 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEnti // // Note that we are *only* inferring the policy with the // issuer. We *must* use the trusted root provided. - if issuer == PublicGoodIssuerOrg { + switch issuer { + case PublicGoodIssuerOrg: if v.NoPublicGood { return nil, fmt.Errorf("detected public good instance but requested verification without public good instance") } return newPublicGoodVerifierWithTrustedRoot(trustedRoot) - } else if issuer == GitHubIssuerOrg { + case GitHubIssuerOrg: return newGitHubVerifierWithTrustedRoot(trustedRoot) - } else { + default: // Make best guess at reasonable policy return newCustomVerifier(trustedRoot) } From 3b043f6350940a0c76df2a5725e5d50ccc5b82cb Mon Sep 17 00:00:00 2001 
From: Meredith Lancaster
Date: Tue, 3 Dec 2024 12:37:42 -0700
Subject: [PATCH 7/7] comment

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/sigstore.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index c938dfccde9..4f94666e5a8 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -121,7 +121,7 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.SignedEnti
 return nil, err
 }
 
- // if the custom trusted root issuer is not set or doesn't match the bundle's issuer, skip it
+ // if the custom trusted root issuer is not set or doesn't match the given issuer, skip it
 if len(lowestCert.Issuer.Organization) == 0 || lowestCert.Issuer.Organization[0] != issuer {
 continue
 }