From a06f0eb16eb5144e43885d311f92a4632df01e59 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 7 Feb 2025 10:44:20 -0500
Subject: [PATCH] Do not allow --trusted-root flag without --new-bundle-format
Signed-off-by: Cody Soyland
---
 cmd/cosign/cli/verify/verify_blob_attestation.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
index 38d2648c265..3d52db71370 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -207,6 +207,9 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 return nil
 }
+ if c.TrustedRootPath != "" {
+ return fmt.Errorf("--trusted-root only supported with --new-bundle-format")
+ }
 if c.RFC3161TimestampPath != "" && !co.UseSignedTimestamps {
 return fmt.Errorf("when specifying --rfc3161-timestamp-path, you must also specify --use-signed-timestamps or --timestamp-certificate-chain")
 } else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps {
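Review bot: The new `if c.TrustedRootPath != ""` guard carries no comment saying why it must fail hard, and the diffstat shows no test accompanying it. Judging by the error text, this code path appears not to consult the trusted root at all, so before this check a caller who pinned trust material with `--trusted-root` would have had verification run against something else without being told. A line such as `// Fail closed: this path does not use TrustedRootPath, so reject it rather than silently ignore the caller's pinned root.` above the `if` would stop a later refactor from dropping the guard. A regression test asserting that Exec returns an error when TrustedRootPath is set without the new bundle format would pin the behaviour. Exec starts and continues outside the hunk, so whether TrustedRootPath is read elsewhere on this path, or whether sibling verify commands need the same guard, cannot be confirmed from here.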