From 3602591610bf9267e0bcd1865c1c109b48c664b8 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 10 Jan 2025 13:07:37 +0800
Subject: [PATCH] update

Signed-off-by: Patrick Zheng
---
 test/e2e/suite/command/blob/verify.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/test/e2e/suite/command/blob/verify.go b/test/e2e/suite/command/blob/verify.go
index e76ee5f81..5fd02ea9f 100644
--- a/test/e2e/suite/command/blob/verify.go
+++ b/test/e2e/suite/command/blob/verify.go
@@ -15,6 +15,7 @@ package blob

 import (
 "fmt"
+ "os"
 "path/filepath"

 . "github.com/notaryproject/notation/test/e2e/internal/notation"
@@ -37,6 +38,31 @@ var _ = Describe("notation blob verify", func() {
 MatchKeyWords(VerifySuccessfully)
 })
 })
+
+ // Failure cases
+ It("with blob verify no permission to read blob", func() {
+ HostWithBlob(BaseBlobOptions(), func(notation *utils.ExecOpts, blobPath string, vhost *utils.VirtualHost) {
+ noPermissionBlobPath := filepath.Join(vhost.AbsolutePath(), "noPermissionBlob")
+ newBlobFile, err := os.Create(noPermissionBlobPath)
+ if err != nil {
+ Fail(err.Error())
+ }
+ defer newBlobFile.Close()
+
+ blobDir := filepath.Dir(noPermissionBlobPath)
+ notation.Exec("blob", "sign", "--force", "--signature-directory", blobDir, blobPath).
+ MatchKeyWords(SignSuccessfully).
+ MatchKeyWords("Signature file written to")
+ if err := os.Chmod(noPermissionBlobPath, 0000); err != nil {
+ Fail(err.Error())
+ }
+ defer os.Chmod(noPermissionBlobPath, 0700)
+
+ signaturePath := signatureFilepath(blobDir, blobPath, "jws")
+ notation.ExpectFailure().Exec("blob", "verify", "--signature", signaturePath, blobPath).
+ MatchErrKeyWords("permission denied")
+ })
+ })
 })

 func signatureFilepath(signatureDirectory, blobPath, signatureFormat string) string {
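Review bot: In the new `It("with blob verify no permission to read blob", ...)` case, the file that is made unreadable is never the file under test. `os.Chmod(noPermissionBlobPath, 0000)` locks down the new file, but the sign call, `signatureFilepath` and the verify call are all given `blobPath`, which appears to stay readable. As written, the expected "permission denied" cannot come from reading the blob, so the test does not cover the failure path it names; pass `noPermissionBlobPath` in those three places instead. A mode of 0000 also does not stop a root process from reading the file, so this case would fail in a CI container running as root; a guard such as `if os.Geteuid() == 0 { Skip("file modes are not enforced for root") }` at the top of the callback would cover that. The deferred `os.Chmod(noPermissionBlobPath, 0700)` discards its error, so a failed restore could leave an unremovable file in the virtual host directory unnoticed. The enclosing `Describe` closure starts above this hunk.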