Fix verifying when a certificate is provided #2633
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -725,15 +725,20 @@ func keyBytes(sig oci.Signature, co *CheckOpts) ([]byte, error) { | |
| if err != nil { | ||
| return nil, err | ||
| } | ||
| switch { | ||
| // certificate provided from the OCI image, or via flag (--certificate or --bundle) | ||
|
There was a problem hiding this comment. is this comment accurate / misleading? If it's OCI it will always take it in from the OCI image, NOT from the
|
||
| case cert != nil: | ||
| return cryptoutils.MarshalCertificateToPEM(cert) | ||
| // no certificate provided, verifier must be a public key | ||
| case co.SigVerifier != nil: | ||
| pub, err := co.SigVerifier.PublicKey(co.PKOpts...) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return cryptoutils.MarshalPublicKeyToPEM(pub) | ||
| default: | ||
| return nil, errors.New("no verifier found, must provide either certificate or public key") | ||
| } | ||
| } | ||
|
|
||
| // VerifyBlobSignature verifies a blob signature. | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not 100% sure I understand the logic here, but I'm worried that this bit might have a subtle verification bug. Let me know if this makes sense:
If the user has specified
--certificateat the command line my understanding is that it get parsed and its public key is used in initializeco.SigVerifier. This function appears to then return a certificate PEM if found on the OCI signature (which may be different than--certificate😬 ). The function calling this onecosign/pkg/cosign/verify.go
Lines 1078 to 1081 in 29360f6
My worry here is that the certificate compared to the rekor bundle might not be the one the user actually specified at the command line, unless that bit of logic is lurking in a different place?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we have this issue now also, although it doesn’t surface any error. If you provide a certificate that certified the same public key as a certificate on the OCI imagine, but the rest of the cert differs, we wouldn’t notice.
Note this isn’t an issue for verify-blob since we construct a static OCI struct from input. For verify on OCI, theres no way to pass the certificate passed in from input
Sigh…maybe we could add a check that a provided cert matches what’s on the image annotations? Or disallow providing a certificate when the image annotations contain a certificate already?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, see my comment below. I think
--certificateis a little misleading here. The--certificateflag for OCI image never "makes" it into the pkg verification code (just the pub key does). In the CLI layer there's some verification of it, but once we get intopkg/verify, we rely onsig.Cert().