Fixing issue 3743

[Meeki1l]

Summary

Fixes #3743.

When retrieving TSA Certs from the local TUF, an infinite loop occurs, since the GetTargetsByMeta function (used in the GetTufTargets function) returns all certificates of the TSA type.

Also if "tsa_leaf.crt.pem" is missing, panic occurs. This is due to the lack of checking for len(leaves) > 0 in the GetTSACerts function.

Release Note

Documentation

[haydentherapper]

LGTM, thanks for catching this.

cc @ianhundere

[haydentherapper]

nit, i'd just call this exists

[cpanato]

+1

[Meeki1l]

@haydentherapper Thanks for the comment. Done

[ianhundere]

@Meeki1l as @haydentherapper mentioned above, thanks for catching this / much appreciated. 🙇🏼

[haydentherapper]

PTAL at the failing test. You can look at https://github.com/sigstore/sigstore/blob/main/pkg/tuf/client_test.go for some examples, or stub out calls to TUF.

[Meeki1l]

@haydentherapper disable the falling autotests. I could not find a public TUF mirror with TSA certificates, so it is not possible to write normal autotests.

[codecov]

Codecov Report

Attention: Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.

Project coverage is 36.55%. Comparing base (2ef6022) to head (98bb588).
Report is 138 commits behind head on main.

Files	Patch %	Lines
pkg/cosign/tsa.go	5.88%	15 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3744      +/-   ##
==========================================
- Coverage   40.10%   36.55%   -3.55%     
==========================================
  Files         155      200      +45     
  Lines       10044    12232    +2188     
==========================================
+ Hits         4028     4472     +444     
- Misses       5530     7214    +1684     
- Partials      486      546      +60     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.