From 6fb4f7e2dd9c2f5d4f55fa88f6796278a7bba6d6 Mon Sep 17 00:00:00 2001
From: asraa
Date: Thu, 25 Aug 2022 11:37:20 -0500
Subject: [PATCH] fix: fix intermediate certificate validation (#234)
Signed-off-by: Asra Ali
Signed-off-by: Asra Ali
---
 .github/workflows/release.yml | 2 +-
 pkg/provenance.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6738b2b40..2afa3d359 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 permissions:
 id-token: write # For signing.
 contents: write # For asset uploads.
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.1
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
 with:
 go-version: 1.18
 config-file: .github/config-release.yml
diff --git a/pkg/provenance.go b/pkg/provenance.go
index 3e0b923bd..a97c98331 100644
--- a/pkg/provenance.go
+++ b/pkg/provenance.go
@@ -357,8 +357,9 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 }
 co := &cosign.CheckOpts{
- RootCerts: fulcio.GetRoots(),
- CertOidcIssuer: certOidcIssuer,
+ RootCerts: fulcio.GetRoots(),
+ IntermediateCerts: fulcio.GetIntermediates(),
+ CertOidcIssuer: certOidcIssuer,
 }
 verifier, err := cosign.ValidateAndUnpackCert(cert, co)
 if err != nil {
@@ -376,7 +377,6 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 fmt.Fprintf(os.Stderr, "Verified against tlog entry %d\n", *entry.LogIndex)
 return cert, nil
 }
-
 return nil, ErrorNoValidRekorEntries
 }
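Review bot: The new `IntermediateCerts` field in the `cosign.CheckOpts` literal in `pkg/provenance.go` carries no comment explaining why the pool is required, and the diffstat shows no test accompanying the fix. A comment above the field, such as `// Signing certs may chain to the root through an intermediate CA; without this pool path building fails.`, would stop a later cleanup from dropping it (the wording is inferred from the commit subject, so confirm it matches the actual failure). A regression test that runs `cosign.ValidateAndUnpackCert` on a leaf issued by an intermediate would pin the behaviour. `FindSigningCertificate` starts and ends outside this hunk, so how `cert` and `certOidcIssuer` are derived is not visible here.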