Merge pull request #1417 from fluxcd/switch-to-verify-ocirepo

Use the verify defined interface in OCIRepository
2024-03-27 09:55:49 +01:00 · 2024-03-27 09:55:49 +01:00 · 295fb73485
parent 55a2cdb9ae 12fb25fec2
commit 295fb73485
2 changed files with 11 additions and 17 deletions
--- a/internal/controller/ocirepository_controller.go
+++ b/internal/controller/ocirepository_controller.go
@ -644,7 +644,7 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 				return soci.VerificationResultFailed, err
 			}

-			signatureVerified := false
+			signatureVerified := soci.VerificationResultFailed
 			for k, data := range pubSecret.Data {
 				// search for public keys in the secret
 				if strings.HasSuffix(k, ".pub") {
@ -653,19 +653,19 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 						return soci.VerificationResultFailed, err
 					}

-					signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
-					if err != nil {
+					result, err := verifier.Verify(ctxTimeout, ref)
+					if err != nil || result == soci.VerificationResultFailed {
 						continue
 					}

-					if signatures != nil {
-						signatureVerified = true
+					if result == soci.VerificationResultSuccess {
+						signatureVerified = result
 						break
 					}
 				}
 			}

-			if !signatureVerified {
+			if signatureVerified == soci.VerificationResultFailed {
 				return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 			}

@ -689,16 +689,16 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			return soci.VerificationResultFailed, err
 		}

-		signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
+		result, err := verifier.Verify(ctxTimeout, ref)
 		if err != nil {
 			return soci.VerificationResultFailed, err
 		}

-		if len(signatures) > 0 {
-			return soci.VerificationResultSuccess, nil
+		if result == soci.VerificationResultFailed {
+			return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 		}

-		return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
+		return soci.VerificationResultSuccess, nil

 	case "notation":
 		// get the public keys from the given secret
--- a/internal/oci/cosign/cosign.go
+++ b/internal/oci/cosign/cosign.go
@ -27,7 +27,6 @@ import (
 	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/oci"
 	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
@ -146,16 +145,11 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 	}, nil
 }

-// VerifyImageSignatures verify the authenticity of the given ref OCI image.
-func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
-	return cosign.VerifyImageSignatures(ctx, ref, v.opts)
-}
-
 // Verify verifies the authenticity of the given ref OCI image.
 // It returns a boolean indicating if the verification was successful.
 // It returns an error if the verification fails, nil otherwise.
 func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
-	signatures, _, err := v.VerifyImageSignatures(ctx, ref)
+	signatures, _, err := cosign.VerifyImageSignatures(ctx, ref, v.opts)
 	if err != nil {
 		return soci.VerificationResultFailed, err
 	}