feat: adds exit codes for verify errors

- adds the exit code to when cosign throws an error due to a user trying to verify an image tag that doesn't exist. - adds functionality with associated exit code for when there are no signatures found for an image Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
sigstore · Mar 12, 2023 · 1977cc8 · 1977cc8
1 parent f61cdf0
commit 1977cc8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/cmd/cosign/errors/exit_code_lookup.go b/cmd/cosign/errors/exit_code_lookup.go
@@ -22,6 +22,8 @@ import (
 // exitCodeLookup contains a map of errorTypes and their associated exitCodes.
 var exitCodeLookup = map[string]int{
 	verificationError.ErrNoMatchingSignaturesType: NoMatchingSignature,
+	verificationError.ErrImageTagNotFoundType:     NonExistentTag,
+	verificationError.ErrNoSignaturesFoundType:    ImageWithoutSignature,
 }
 
 func LookupExitCodeForErrorType(errorType string) int {

diff --git a/pkg/cosign/errors.go b/pkg/cosign/errors.go
@@ -24,6 +24,14 @@ var (
 	// NoMatchingSignatures
 	ErrNoMatchingSignaturesType    = "NoMatchingSignatures"
 	ErrNoMatchingSignaturesMessage = "no matching signatures"
+
+	// NonExistingTagType
+	ErrImageTagNotFoundType    = "ImageTagNotFound"
+	ErrImageTagNotFoundMessage = "image tag not found"
+
+	// NoSignaturesFound
+	ErrNoSignaturesFoundType    = "NoSignaturesFound"
+	ErrNoSignaturesFoundMessage = "no signatures found for image"
 )
 
 // VerificationError is the type of Go error that is used by cosign to surface

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -484,6 +484,12 @@ func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co
 	// entity that minimizes registry requests when supplied with a digest input
 	digest, err := ociremote.ResolveDigest(signedImgRef, co.RegistryClientOpts...)
 	if err != nil {
+		if strings.Contains(err.Error(), "MANIFEST_UNKNOWN") {
+			return nil, false, &VerificationError{
+				errorType: ErrImageTagNotFoundType,
+				message:   fmt.Sprintf("%s: %v", ErrImageTagNotFoundMessage, err),
+			}
+		}
 		return nil, false, err
 	}
 	h, err := v1.NewHash(digest.Identifier())
@@ -567,6 +573,13 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
 		return nil, false, err
 	}
 
+	if len(sl) == 0 {
+		return nil, false, &VerificationError{
+			errorType: ErrNoSignaturesFoundType,
+			message:   ErrNoSignaturesFoundMessage,
+		}
+	}
+
 	validationErrs := []string{}
 
 	for _, sig := range sl {