fix: fix intermediate certificate validation (#234)

Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>
slsa-framework · Aug 25, 2022 · 6fb4f7e · 6fb4f7e
1 parent ae29694
commit 6fb4f7e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
     permissions:
       id-token: write # For signing.
       contents: write # For asset uploads.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.1
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
     with:
       go-version: 1.18
       config-file: .github/config-release.yml

diff --git a/pkg/provenance.go b/pkg/provenance.go
@@ -357,8 +357,9 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 		}
 
 		co := &cosign.CheckOpts{
-			RootCerts:      fulcio.GetRoots(),
-			CertOidcIssuer: certOidcIssuer,
+			RootCerts:         fulcio.GetRoots(),
+			IntermediateCerts: fulcio.GetIntermediates(),
+			CertOidcIssuer:    certOidcIssuer,
 		}
 		verifier, err := cosign.ValidateAndUnpackCert(cert, co)
 		if err != nil {
@@ -376,7 +377,6 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 		fmt.Fprintf(os.Stderr, "Verified against tlog entry %d\n", *entry.LogIndex)
 		return cert, nil
 	}
-
 	return nil, ErrorNoValidRekorEntries
 }