Do not allow --trusted-root flag without --new-bundle-format

Signed-off-by: Cody Soyland <[email protected]>
sigstore · Feb 7, 2025 · a06f0eb · a06f0eb
1 parent a5bb207
commit a06f0eb
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -207,6 +207,9 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		return nil
 	}
 
+	if c.TrustedRootPath != "" {
+		return fmt.Errorf("--trusted-root only supported with --new-bundle-format")
+	}
 	if c.RFC3161TimestampPath != "" && !co.UseSignedTimestamps {
 		return fmt.Errorf("when specifying --rfc3161-timestamp-path, you must also specify --use-signed-timestamps or --timestamp-certificate-chain")
 	} else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps {