fluxcd
/
source-controller
mirror of https://github.com/fluxcd/source-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use the verify defined interface in OCIRepository 

Signed-off-by: Soule BA <bah.soule@gmail.com>
This commit is contained in:
Soule BA 2024-03-26 15:35:13 +01:00
parent 55a2cdb9ae
commit 7f3df76ccc
No known key found for this signature in database
GPG Key ID: 4D40965192802994
2 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
internal/controller/ocirepository_controller.go
View File

@ -644,7 +644,7 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
return soci.VerificationResultFailed, err
}
signatureVerified := false
signatureVerified := soci.VerificationResultFailed
for k, data := range pubSecret.Data {
// search for public keys in the secret
if strings.HasSuffix(k, ".pub") {
@ -653,19 +653,19 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
return soci.VerificationResultFailed, err
}
signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
if err != nil {
result, err := verifier.Verify(ctxTimeout, ref)
if err != nil || result == soci.VerificationResultFailed {
continue
}
if signatures != nil {
signatureVerified = true
if result == soci.VerificationResultSuccess {
signatureVerified = result
break
}
}
}
if !signatureVerified {
if signatureVerified == soci.VerificationResultFailed {
return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
}
@ -689,16 +689,16 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
return soci.VerificationResultFailed, err
}
signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
result, err := verifier.Verify(ctxTimeout, ref)
if err != nil {
return soci.VerificationResultFailed, err
}
if len(signatures) > 0 {
return soci.VerificationResultSuccess, nil
if result == soci.VerificationResultFailed {
return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
}
return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
return soci.VerificationResultSuccess, nil
case "notation":
// get the public keys from the given secret

6
internal/oci/cosign/cosign.go
View File

@ -146,8 +146,8 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
}, nil
}
// VerifyImageSignatures verify the authenticity of the given ref OCI image.
func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
// verifyImageSignatures verify the authenticity of the given ref OCI image.
func (v *CosignVerifier) verifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
return cosign.VerifyImageSignatures(ctx, ref, v.opts)
}
@ -155,7 +155,7 @@ func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Ref
// It returns a boolean indicating if the verification was successful.
// It returns an error if the verification fails, nil otherwise.
func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
signatures, _, err := v.VerifyImageSignatures(ctx, ref)
signatures, _, err := v.verifyImageSignatures(ctx, ref)
if err != nil {
return soci.VerificationResultFailed, err
}