Skip to content

Commit

Permalink
Detect if user supplied a valid protobuf bundle (#3931)
Browse files Browse the repository at this point in the history
Even if they leave off `--new-bundle-format`

Signed-off-by: Zach Steindler <steiza@github.com>
  • Loading branch information
steiza authored Nov 13, 2024
1 parent 93b72d2 commit 7952891
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 2 deletions.
2 changes: 1 addition & 1 deletion cmd/cosign/cli/verify/verify_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
return &options.PubKeyParseError{}
}

if c.KeyOpts.NewBundleFormat {
if c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath) {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
Expand Down
2 changes: 1 addition & 1 deletion cmd/cosign/cli/verify/verify_blob_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
return &options.KeyParseError{}
}

if c.KeyOpts.NewBundleFormat {
if c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath) {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
Expand Down
5 changes: 5 additions & 0 deletions cmd/cosign/cli/verify/verify_bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,11 @@ func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstra
return v.keyTrustedMaterial.PublicKeyVerifier(hint)
}

func checkNewBundle(bundlePath string) bool {
_, err := sgbundle.LoadJSONFromPath(bundlePath)
return err == nil
}

func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, slot, certOIDCIssuer, certOIDCIssuerRegex, certIdentity, certIdentityRegexp, githubWorkflowTrigger, githubWorkflowSHA, githubWorkflowName, githubWorkflowRepository, githubWorkflowRef, artifactRef string, sk, ignoreTlog, useSignedTimestamps, ignoreSCT bool) (*verify.VerificationResult, error) {
bundle, err := sgbundle.LoadJSONFromPath(bundlePath)
if err != nil {
Expand Down

0 comments on commit 7952891

Please sign in to comment.