Don't fail open in VerifyBundle (#1648)
We do need to accept a missing certificate here (to accept
raw signatures which are uploaded in a transparency log),
but that's not a reason to bypass all other checks in this function.

Signed-off-by: Miloslav Trmač <[email protected]>
mtrmac authored Apr 26, 2022
1 parent db323cd commit d104fc4
Showing 1 changed file with 6 additions and 5 deletions.
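--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -757,13 +757,14 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {
 cert, err := sig.Cert()
 if err != nil {
 return false, err
-} else if cert == nil {
-return true, nil
 }
 
-// verify the cert against the integrated time
-if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
-return false, errors.Wrap(err, "checking expiry on cert")
+if cert != nil {
+// Verify the cert against the integrated time.
+// Note that if the caller requires the certificate to be present, it has to ensure that itself.
+if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
+return false, errors.Wrap(err, "checking expiry on cert")
+}
 }
 
 payload, err := sig.Payload()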
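Review bot: The nil-certificate path that used to return `true, nil` early has no regression test in this commit, which touches only pkg/cosign/verify.go, so nothing pins that a certificate-less signature must still pass the checks that follow `sig.Payload()`. A test that hands VerifyBundle a signature whose `Cert()` returns nil together with a bundle that does not correspond to its payload, and asserts a `false`/error result, would keep the fail-open from quietly returning. The inline note that callers must enforce certificate presence themselves would also be worth lifting into the function's doc comment, e.g. `// VerifyBundle does not require sig to carry a certificate; callers that need one must check sig.Cert() themselves.`, because a `true` result here says nothing about signer identity. The body of VerifyBundle starts and continues outside this hunk, so what the later checks actually cover is presumed from the commit message rather than visible here.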
