Don't fail open in VerifyBundle (#1648)

We do need to accept a missing certificate here (to accept raw signatures which are uploaded in a transparency log), but that's not a reason to bypass all other checks in this function. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
sigstore · Apr 26, 2022 · d104fc4 · d104fc4
1 parent db323cd
commit d104fc4
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -757,13 +757,14 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {
 	cert, err := sig.Cert()
 	if err != nil {
 		return false, err
-	} else if cert == nil {
-		return true, nil
 	}
 
-	// verify the cert against the integrated time
-	if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
-		return false, errors.Wrap(err, "checking expiry on cert")
+	if cert != nil {
+		// Verify the cert against the integrated time.
+		// Note that if the caller requires the certificate to be present, it has to ensure that itself.
+		if err := CheckExpiry(cert, time.Unix(bundle.Payload.IntegratedTime, 0)); err != nil {
+			return false, errors.Wrap(err, "checking expiry on cert")
+		}
 	}
 
 	payload, err := sig.Payload()