remove keylessVerification param from loadCerts helper

cmd/cosign/cli/verify/verify.go

@@ -174,8 +174,10 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 			return fmt.Errorf("getting Rekor public keys: %w", err)
 		}
 	}
-	if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
-		return err
+	if keylessVerification(c.KeyRef, c.Sk) {
+		if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+			return err
+		}
 	}
 
 	keyRef := c.KeyRef
@@ -519,8 +521,7 @@ func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool {
 //
 // The co *cosign.CheckOpts is both input and output parameter - it gets updated
 // with the root and intermediate certificates needed for verification.
-func loadCerts(keylessVerification bool,
-	certChainFile string,
+func loadCerts(certChainFile string,
 	caRootsFile string,
 	caIntermediatesFile string,
 	co *cosign.CheckOpts) error {
@@ -564,7 +565,7 @@ func loadCerts(keylessVerification bool,
 			}
 		}
 
-	case keylessVerification:
+	default:
 		// This performs an online fetch of the Fulcio roots from a TUF repository.
 		// This is needed for verifying keyless certificates (both online and offline).
 		co.RootCerts, err = fulcio.GetRoots()
@@ -575,8 +576,6 @@ func loadCerts(keylessVerification bool,
 		if err != nil {
 			return fmt.Errorf("getting Fulcio intermediates: %w", err)
 		}
-
-	default: // do nothing if keylessVerification is false and no certChain or caRootsFile is provided
 	}
 
 	return nil

cmd/cosign/cli/verify/verify_attestation.go

@@ -157,8 +157,10 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		}
 	}
 
-	if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
-		return err
+	if keylessVerification(c.KeyRef, c.Sk) {
+		if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+			return err
+		}
 	}
 
 	keyRef := c.KeyRef

cmd/cosign/cli/verify/verify_blob.go

@@ -153,12 +153,10 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		}
 	}
 
-	if err := loadCerts(keylessVerification(c.KeyRef, c.Sk),
-		c.CertChain,
-		c.CARoots,
-		c.CAIntermediates,
-		co); err != nil {
-		return err
+	if keylessVerification(c.KeyRef, c.Sk) {
+		if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+			return err
+		}
 	}
 
 	// Keys are optional!

cmd/cosign/cli/verify/verify_blob_attestation.go

@@ -170,8 +170,10 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 			return fmt.Errorf("getting Rekor public keys: %w", err)
 		}
 	}
-	if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
-		return err
+	if keylessVerification(c.KeyRef, c.Sk) {
+		if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+			return err
+		}
 	}
 
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided

cmd/cosign/cli/verify/verify_test.go

@@ -275,17 +275,12 @@ func TestLoadCerts(t *testing.T) {
 		caIntermediates  string
 		co               *cosign.CheckOpts
 		sigstoreRootFile string
-		nonKeyless       bool
 		wantErr          bool
 	}{
 		{
 			name:    "default fulcio",
 			wantErr: false,
 		},
-		{
-			name:    "non-keyless no-op",
-			wantErr: false,
-		},
 		{
 			name:             "non-existent SIGSTORE_ROOT_FILE",
 			sigstoreRootFile: "tesdata/nosuch-asdfjkl.pem",
@@ -342,7 +337,7 @@ func TestLoadCerts(t *testing.T) {
 				tt.co = &cosign.CheckOpts{}
 			}
 
-			err := loadCerts(!tt.nonKeyless, tt.certChain, tt.caRoots, tt.caIntermediates, tt.co)
+			err := loadCerts(tt.certChain, tt.caRoots, tt.caIntermediates, tt.co)
 			if err == nil && tt.wantErr {
 				t.Fatalf("expected error but got none")
 			} else if err != nil && !tt.wantErr {