From 1378dbbaba5b8ab3a1346b9d1814059b9ab5fc48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Tue, 22 Mar 2022 19:14:07 +0100
Subject: [PATCH] Don't fail open in VerifyBundle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We do need to accept a missing certificate here (to accept raw signatures which are uploaded in a transparency log), but that's not a reason to bypass all other checks in this function.

Signed-off-by: Miloslav Trmač
---
 pkg/cosign/verify.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index b00ed733c756..7d148893ce6c 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -752,13 +752,14 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {
 cert, err := sig.Cert()
 if err != nil {
 return false, err
- } else if cert == nil {
- return true, nil
 }
- // verify the cert against the integrated time
- if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
- return false, errors.Wrap(err, "checking expiry on cert")
+ if cert != nil {
+ // Verify the cert against the integrated time.
+ // Note that if the caller requires the certificate to be present, it has to ensure that itself.
+ if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
+ return false, errors.Wrap(err, "checking expiry on cert")
+ }
 }
 payload, err := sig.Payload()