From 1edd4bf303d9fb6e4b3555b57c9eb54cf0267d85 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 12 Sep 2023 10:05:50 -0500
Subject: [PATCH 1/2] Fixes #3236, disable SCT checking for a cosign verification when using a public key

Signed-off-by: John Kjell
---
 cmd/cosign/cli/verify/verify.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index c8d0f15d1ce..3629fff8755 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -202,7 +202,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 keyRef := c.KeyRef
 certRef := c.CertRef
- if !c.IgnoreSCT {
+ // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
+ if !c.IgnoreSCT || keyRef != "" {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)

From 7eef30210ec1c6b0791bdbddbb96f6d6b8263528 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Tue, 12 Sep 2023 16:09:28 -0500
Subject: [PATCH 2/2] Update additional verify functionality

Signed-off-by: John Kjell
---
 cmd/cosign/cli/verify/verify_attestation.go | 3 ++-
 cmd/cosign/cli/verify/verify_blob.go | 3 ++-
 cmd/cosign/cli/verify/verify_blob_attestation.go | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index 55971abd260..71eaaf0d42b 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
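Review bot: The new guard on the `+ if` line does the opposite of what the comment above it says: `!c.IgnoreSCT || keyRef != ""` is true whenever a key is supplied, so a key-based verification now fetches the CT log public keys even when `c.IgnoreSCT` is set, and the fetch is skipped only when the flag is set and no key is given. For the stated intent (skip SCT handling when the flag is set or a key is provided) the line should read `if !c.IgnoreSCT && keyRef == "" {`. This guard only decides whether `co.CTLogPubKeys` is populated; whether an SCT is actually checked presumably depends on how `co.IgnoreSCT` is set later in `Exec`, outside the hunk, so that assignment should be made to agree with the guard (treating a non-empty `keyRef` as ignore-SCT as well) rather than leaving the two to drift. `Exec` continues past the end of the hunk.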
@@ -110,7 +110,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 if c.CheckClaims {
 co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 }
- if !c.IgnoreSCT {
+ // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
+ if !c.IgnoreSCT || c.KeyRef != "" {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index b2f0561fb69..ccbec350652 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -285,7 +285,8 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 opts = append(opts, static.WithCertChain(certPEM, chainPEM))
 }
- if !c.IgnoreSCT {
+ // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
+ if !c.IgnoreSCT || c.KeyRef != "" {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
index d629a9c361d..079af421c49 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -189,7 +189,8 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 }
 }
 }
- if !c.IgnoreSCT {
+ // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
+ if !c.IgnoreSCT || c.KeyRef != "" {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
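Review bot: In the verify_attestation.go hunk the guard `if !c.IgnoreSCT || c.KeyRef != ""` inverts the comment placed directly above it: with a key supplied the CT log keys are fetched unconditionally, and the fetch is skipped only when `c.IgnoreSCT` is set and `c.KeyRef` is empty. It should read `if !c.IgnoreSCT && c.KeyRef == "" {`. Because the identical two-line change is repeated in four commands across these two patches, a single shared predicate such as `func shouldVerifySCT(ignoreSCT bool, keyRef string) bool { return !ignoreSCT && keyRef == "" }`, called as `if shouldVerifySCT(c.IgnoreSCT, c.KeyRef) {`, would keep the four call sites from diverging and give the rule one place to be unit-tested. `Exec` continues outside the hunk.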
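Review bot: The verify_blob.go hunk carries the same inverted guard: `!c.IgnoreSCT || c.KeyRef != ""` is true for every key-based `verify-blob`, so the path the commit intends to make key-only still calls `cosign.GetCTLogPubs(ctx)`; if that lookup has to reach a remote trust root, a key-based verification with `IgnoreSCT` set would presumably still fail without network access, which is the symptom the first patch says it fixes. Change the line to `if !c.IgnoreSCT && c.KeyRef == "" {`. `Exec` continues outside the hunk.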
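Review bot: In the verify_blob_attestation.go hunk the condition `!c.IgnoreSCT || c.KeyRef != ""` fetches the CT log public keys whenever a key is supplied regardless of `c.IgnoreSCT`, the reverse of the comment immediately above it; the intended form is `if !c.IgnoreSCT && c.KeyRef == "" {`. A per-command test that sets both `KeyRef` and `IgnoreSCT` and asserts that `co.CTLogPubKeys` is left unset (if the built options are observable from a test) would have caught the inversion in all four files at once. `Exec` continues outside the hunk.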