Skip to content

Commit

Permalink
remove keylessVerification param from loadCerts helper
Browse files Browse the repository at this point in the history
Signed-off-by: Dmitry Savintsev <[email protected]>
  • Loading branch information
dmitris committed Jul 9, 2024
1 parent 7822766 commit c87566b
Show file tree
Hide file tree
Showing 5 changed files with 19 additions and 23 deletions.
13 changes: 6 additions & 7 deletions cmd/cosign/cli/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -174,8 +174,10 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
return fmt.Errorf("getting Rekor public keys: %w", err)
}
}
if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
if keylessVerification(c.KeyRef, c.Sk) {
if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
}
}

keyRef := c.KeyRef
Expand Down Expand Up @@ -519,8 +521,7 @@ func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool {
//
// The co *cosign.CheckOpts is both input and output parameter - it gets updated
// with the root and intermediate certificates needed for verification.
func loadCerts(keylessVerification bool,
certChainFile string,
func loadCerts(certChainFile string,
caRootsFile string,
caIntermediatesFile string,
co *cosign.CheckOpts) error {
Expand Down Expand Up @@ -564,7 +565,7 @@ func loadCerts(keylessVerification bool,
}
}

case keylessVerification:
default:
// This performs an online fetch of the Fulcio roots from a TUF repository.
// This is needed for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
Expand All @@ -575,8 +576,6 @@ func loadCerts(keylessVerification bool,
if err != nil {
return fmt.Errorf("getting Fulcio intermediates: %w", err)
}

default: // do nothing if keylessVerification is false and no certChain or caRootsFile is provided
}

return nil
Expand Down
6 changes: 4 additions & 2 deletions cmd/cosign/cli/verify/verify_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,8 +157,10 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
}
}

if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
if keylessVerification(c.KeyRef, c.Sk) {
if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
}
}

keyRef := c.KeyRef
Expand Down
10 changes: 4 additions & 6 deletions cmd/cosign/cli/verify/verify_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,12 +153,10 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
}
}

if err := loadCerts(keylessVerification(c.KeyRef, c.Sk),
c.CertChain,
c.CARoots,
c.CAIntermediates,
co); err != nil {
return err
if keylessVerification(c.KeyRef, c.Sk) {
if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
}
}

// Keys are optional!
Expand Down
6 changes: 4 additions & 2 deletions cmd/cosign/cli/verify/verify_blob_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,8 +170,10 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
return fmt.Errorf("getting Rekor public keys: %w", err)
}
}
if err := loadCerts(keylessVerification(c.KeyRef, c.Sk), c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
if keylessVerification(c.KeyRef, c.Sk) {
if err := loadCerts(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
return err
}
}

// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
Expand Down
7 changes: 1 addition & 6 deletions cmd/cosign/cli/verify/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -275,17 +275,12 @@ func TestLoadCerts(t *testing.T) {
caIntermediates string
co *cosign.CheckOpts
sigstoreRootFile string
nonKeyless bool
wantErr bool
}{
{
name: "default fulcio",
wantErr: false,
},
{
name: "non-keyless no-op",
wantErr: false,
},
{
name: "non-existent SIGSTORE_ROOT_FILE",
sigstoreRootFile: "tesdata/nosuch-asdfjkl.pem",
Expand Down Expand Up @@ -342,7 +337,7 @@ func TestLoadCerts(t *testing.T) {
tt.co = &cosign.CheckOpts{}
}

err := loadCerts(!tt.nonKeyless, tt.certChain, tt.caRoots, tt.caIntermediates, tt.co)
err := loadCerts(tt.certChain, tt.caRoots, tt.caIntermediates, tt.co)
if err == nil && tt.wantErr {
t.Fatalf("expected error but got none")
} else if err != nil && !tt.wantErr {
Expand Down

0 comments on commit c87566b

Please sign in to comment.