From d104fc40dc673ea5316b6978f6f1b63384e29b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Tue, 26 Apr 2022 20:24:26 +0200 Subject: [PATCH] Don't fail open in VerifyBundle (#1648) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We do need to accept a missing certificate here (to accept raw signatures which are uploaded in a transparency log), but that's not a reason to bypass all other checks in this function. Signed-off-by: Miloslav Trmač --- pkg/cosign/verify.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index f60c40ead31..ff1adb3ebc0 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -757,13 +757,14 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) { cert, err := sig.Cert() if err != nil { return false, err - } else if cert == nil { - return true, nil } - // verify the cert against the integrated time - if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil { - return false, errors.Wrap(err, "checking expiry on cert") + if cert != nil { + // Verify the cert against the integrated time. + // Note that if the caller requires the certificate to be present, it has to ensure that itself. + if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil { + return false, errors.Wrap(err, "checking expiry on cert") + } } payload, err := sig.Payload()