
Commit c4f2bca

committed
NVSHAS-8043: ignore sct and tlog when keys are empty
1 parent 8e9a13d commit c4f2bca


1 file changed

+14
-6
lines changed


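--- a/main.go
+++ b/main.go
@@ -38,11 +38,13 @@ type RootOfTrust struct {
 Verifiers []Verifier `json:"Verifiers"`
 }
 
+func (r *RootOfTrust) IsPublic() bool {
+return r.RekorPublicKey == "" && r.RootCert == "" && r.SCTPublicKey == ""
+}
+
 type Verifier struct {
 Name string `json:"Name"`
 Type string `json:"Type"`
-IgnoreTLog bool `json:"IgnoreTLog"`
-IgnoreSCT bool `json:"IgnoreSCT"`
 KeyPairOptions VerifierKeyPairOptions `json:"KeyPairOptions"`
 KeylessOptions VerifierKeylessOptions `json:"KeylessOptions"`
 }
@@ -131,7 +133,7 @@ func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature) (s
 }
 for _, verifier := range rootOfTrust.Verifiers {
 fmt.Printf("checking verifier %s\n", verifier.Name)
-err = setVerifierCosignOptions(&cosignOptions, verifier, ctx)
+err = setVerifierCosignOptions(&cosignOptions, verifier, rootOfTrust, ctx)
 if err != nil {
 return satisfiedVerifiers, fmt.Errorf("could not set cosign options for verifier %s: %s", verifier.Name, err.Error())
 }
@@ -214,7 +216,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 return nil
 }
 
-func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier, ctx context.Context) (err error) {
+func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier, rootOfTrust RootOfTrust, ctx context.Context) (err error) {
 switch verifier.Type {
 case "keypair":
 cosignOptions.SigVerifier, err = sig.LoadPublicKeyRaw([]byte(verifier.KeyPairOptions.PublicKey), crypto.SHA256)
@@ -231,7 +233,13 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier
 default:
 return fmt.Errorf("invalid verification type in config file, must be either \"keypair\" or \"keyless\", got \"%s\"", verifier.Type)
 }
-cosignOptions.IgnoreTlog = verifier.IgnoreTLog
-cosignOptions.IgnoreSCT = verifier.IgnoreSCT
+if !rootOfTrust.IsPublic() {
+if rootOfTrust.RekorPublicKey == "" {
+cosignOptions.IgnoreTlog = true
+}
+if rootOfTrust.SCTPublicKey == "" {
+cosignOptions.IgnoreSCT = true
+}
+}
 return nil
 }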
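Review bot: The new block at the end of setVerifierCosignOptions fails open: with a private root of trust (e.g. only RootCert set), an empty RekorPublicKey or SCTPublicKey silently disables transparency-log or SCT verification, so a mistyped or forgotten config key downgrades the check instead of being reported. Before this change the operator had to opt out explicitly through the now-removed per-verifier IgnoreTLog/IgnoreSCT fields; if the config is loaded with encoding/json (the tags suggest so), those keys in existing files will be ignored without complaint unless DisallowUnknownFields is used, so the behaviour change is invisible to users. At minimum log the downgrade next to each assignment in the existing Printf style, e.g. `fmt.Printf("no Rekor public key configured for private root of trust, skipping transparency log verification\n")` and `fmt.Printf("no SCT public key configured for private root of trust, skipping SCT verification\n")`, and consider keeping an explicit opt-out rather than inferring it from absent keys. setVerifierCosignOptions begins outside this hunk, and the exported IsPublic method added in the first hunk has no doc comment; something like `// IsPublic reports whether no private Rekor key, root certificate or SCT key is configured, i.e. the public Sigstore instance is used.` would do.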
