From b8c59979dce846c8a77d950ab35506823fa11abf Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Mon, 31 Jul 2023 13:16:04 -0400
Subject: [PATCH] improve error messages around bundle != payload hash (#3146)

Signed-off-by: Jason Hall
---
 pkg/cosign/verify.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 2ab846fe596..ee0e18ea085 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -1105,11 +1105,16 @@ func VerifyBundle(sig oci.Signature, co *CheckOpts) (bool, error) {
 }
 alg, bundlehash, err := bundleHash(bundle.Payload.Body.(string), signature)
+ if err != nil {
+ return false, fmt.Errorf("computing bundle hash: %w", err)
+ }
 h := sha256.Sum256(payload)
 payloadHash := hex.EncodeToString(h[:])
- if alg != "sha256" || bundlehash != payloadHash {
- return false, fmt.Errorf("matching bundle to payload: %w", err)
+ if alg != "sha256" {
+ return false, fmt.Errorf("unexpected algorithm: %q", alg)
+ } else if bundlehash != payloadHash {
+ return false, fmt.Errorf("matching bundle to payload: bundle=%q, payload=%q", bundlehash, payloadHash)
 }
 return true, nil
 }
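Review bot: The type assertion `bundle.Payload.Body.(string)` on the context line feeding `bundleHash` is still unchecked, so a bundle whose body is not a string panics inside VerifyBundle instead of producing the clearer errors this commit adds; the bundle is parsed from data that reaches this function from outside, so a malformed body should fail verification rather than crash the caller. Use the two-value form, `body, ok := bundle.Payload.Body.(string)` followed by `if !ok { return false, fmt.Errorf("bundle body has unexpected type %T", bundle.Payload.Body) }`, and pass `body` to `bundleHash`. As a point of style, `} else if bundlehash != payloadHash {` can be a plain `if` because the preceding branch returns, which keeps the happy path left-aligned. VerifyBundle begins before this hunk.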