Use the verify defined interface in OCIRepository

Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-03-26 15:35:13 +01:00 · 2024-03-26 15:35:13 +01:00 · 7f3df76ccc
parent 55a2cdb9ae
commit 7f3df76ccc
2 changed files with 13 additions and 13 deletions
--- a/internal/controller/ocirepository_controller.go
+++ b/internal/controller/ocirepository_controller.go
@ -644,7 +644,7 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 				return soci.VerificationResultFailed, err
 			}
-			signatureVerified := false
+			signatureVerified := soci.VerificationResultFailed
 			for k, data := range pubSecret.Data {
 				// search for public keys in the secret
 				if strings.HasSuffix(k, ".pub") {
@ -653,19 +653,19 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 						return soci.VerificationResultFailed, err
 					}
-					signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
+					result, err := verifier.Verify(ctxTimeout, ref)
-					if err != nil {
+					if err != nil || result == soci.VerificationResultFailed {
 						continue
 					}
-					if signatures != nil {
+					if result == soci.VerificationResultSuccess {
-						signatureVerified = true
+						signatureVerified = result
 						break
 					}
 				}
 			}
-			if !signatureVerified {
+			if signatureVerified == soci.VerificationResultFailed {
 				return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 			}
@ -689,16 +689,16 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			return soci.VerificationResultFailed, err
 		}
-		signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
+		result, err := verifier.Verify(ctxTimeout, ref)
 		if err != nil {
 			return soci.VerificationResultFailed, err
 		}
-		if len(signatures) > 0 {
+		if result == soci.VerificationResultFailed {
-			return soci.VerificationResultSuccess, nil
+			return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 		}
-		return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
+		return soci.VerificationResultSuccess, nil
 	case "notation":
 		// get the public keys from the given secret
--- a/internal/oci/cosign/cosign.go
+++ b/internal/oci/cosign/cosign.go
@ -146,8 +146,8 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 	}, nil
 }
-// VerifyImageSignatures verify the authenticity of the given ref OCI image.
+// verifyImageSignatures verify the authenticity of the given ref OCI image.
-func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
+func (v *CosignVerifier) verifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
 	return cosign.VerifyImageSignatures(ctx, ref, v.opts)
 }
@ -155,7 +155,7 @@ func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Ref
 // It returns a boolean indicating if the verification was successful.
 // It returns an error if the verification fails, nil otherwise.
 func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
-	signatures, _, err := v.VerifyImageSignatures(ctx, ref)
+	signatures, _, err := v.verifyImageSignatures(ctx, ref)
 	if err != nil {
 		return soci.VerificationResultFailed, err
 	}