
`cosign sign-blob` throws away error from `VerifyTLogEntry`

Open znewman01 opened this issue 3 years ago • 1 comments

https://github.com/sigstore/cosign/commit/ac682db9511cc610d5a37704776300421d2c5e30 (CC @asraa) adds the following lines:

https://github.com/sigstore/cosign/blob/e74f180ce697dcde62dbe12f48f1a6a26522ea77/cmd/cosign/cli/verify/verify_blob.go#L328-L330

Either (1) this is inverted and it should return err, or (2) it deserves a comment as to why this error is silenced (and possibly a log message).

This isn't necessarily misleading behavior to end-users: the return short-circuits and prevents us telling users that the verification was successful:

https://github.com/sigstore/cosign/blob/e74f180ce697dcde62dbe12f48f1a6a26522ea77/cmd/cosign/cli/verify/verify_blob.go#L337

znewman01 avatar May 02 '22 13:05 znewman01

Oh no!! Thank you for the catch. It should return an err in my opinion. That's checking the inclusion proof and signed entry timestamp -- I think that was erroneous.

:/ Regression testing... seems like an AI... I think I might be able to add one

asraa avatar May 02 '22 15:05 asraa

This is fixed now! Test here: https://github.com/sigstore/cosign/blob/c3c4ea961deb4ae2bc1bc5c632e269b2da129e85/cmd/cosign/cli/verify/verify_blob_test.go#L535

asraa avatar Oct 26 '22 20:10 asraa
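As an added illustration of the bug discussed in this thread (not cosign's own code): a hypothetical, reduced stand-in for the inclusion-proof half of what `VerifyTLogEntry` checks, with the log-check error either swallowed, as the linked lines did, or propagated, as the fix does. The names `tlogEntry`, `verifyInclusion` and `verifyBlob` are assumptions, and the tree used to exercise it is constructed in the usage below.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Hypothetical stand-in for a Rekor entry plus the inclusion proof the log returned.
type tlogEntry struct {
	Leaf, Root      []byte   // leaf data and the tree root the log reported
	Index, TreeSize int64
	Proof           [][]byte // audit path, leaf to root
}
// RFC 6962 domain-separated hashes: 0x00 prefix for leaves, 0x01 for interior nodes.
func leafHash(b []byte) []byte    { h := sha256.Sum256(append([]byte{0}, b...)); return h[:] }
func nodeHash(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

// verifyInclusion recomputes the root from the audit path (RFC 9162, section 2.1.3.2), standing in for VerifyTLogEntry's inclusion check.
func verifyInclusion(e tlogEntry) error {
	if e.Index < 0 || e.Index >= e.TreeSize {
		return fmt.Errorf("leaf index %d outside tree of size %d", e.Index, e.TreeSize)
	}
	fn, sn, r := e.Index, e.TreeSize-1, leafHash(e.Leaf)
	for _, p := range e.Proof {
		if fn&1 == 1 || fn == sn { // sibling hangs on the left
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	if sn != 0 || !bytes.Equal(r, e.Root) {
		return fmt.Errorf("inclusion proof does not reproduce the log root")
	}
	return nil
}
// verifyBlob: swallow=true reproduces the reported bug, replacing the error with nil (exit 0, but "Verified OK" is never reached).
func verifyBlob(e tlogEntry, swallow bool) (bool, error) {
	if err := verifyInclusion(e); err != nil {
		if swallow {
			return false, nil // bug: `return nil` where `return err` was meant
		}
		return false, fmt.Errorf("verifying tlog entry: %w", err)
	}
	return true, nil
}
```

With a tampered entry the swallowed variant returns `(false, nil)`, which is exactly the silent failure the issue describes, while the fixed variant returns a non-nil error a regression test can assert on.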