From 795289124edd46d4e2ab588b426a8314bc13cf1f Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 12 Nov 2024 20:47:43 -0500
Subject: [PATCH] Detect if user supplied a valid protobuf bundle (#3931) Even if they leave off `--new-bundle-format`
Signed-off-by: Zach Steindler
---
 cmd/cosign/cli/verify/verify_blob.go | 2 +-
 cmd/cosign/cli/verify/verify_blob_attestation.go | 2 +-
 cmd/cosign/cli/verify/verify_bundle.go | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index 24de2dbbf52..37e2d0282bf 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -92,7 +92,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 return &options.PubKeyParseError{}
 }
 
- if c.KeyOpts.NewBundleFormat {
+ if c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath) {
 if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 1 {
 return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
 }
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
index 061e46d6383..3c420930dbb 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -92,7 +92,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 return &options.KeyParseError{}
 }
 
- if c.KeyOpts.NewBundleFormat {
+ if c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath) {
 if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 1 {
 return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
 }
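Review bot: With `|| checkNewBundle(c.BundlePath)` the verification path is now selected by the contents of the bundle file, which is the input being verified, and no longer only by what the operator asked for. A caller who set a legacy option such as `c.CertChain` or `c.CARoots` expecting the old path can land in this branch; the visible guard rejects only when more than one of them is set, and whether a single one is still honoured further down in Exec is outside the hunk, so that deserves a check or an explicit warning. The error text also still reads "when using --new-bundle-format", which is misleading for a user who never passed the flag; wording like `"when verifying a new-format bundle (--new-bundle-format or auto-detected), please supply ..."` would fit both cases. The same condition and message appear in the verify_blob_attestation.go hunk.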
diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go
index e775ce7b45b..74f19a5f116 100644
--- a/cmd/cosign/cli/verify/verify_bundle.go
+++ b/cmd/cosign/cli/verify/verify_bundle.go
@@ -54,6 +54,11 @@ func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstra
 return v.keyTrustedMaterial.PublicKeyVerifier(hint)
 }
 
+func checkNewBundle(bundlePath string) bool {
+ _, err := sgbundle.LoadJSONFromPath(bundlePath)
+ return err == nil
+}
+
 func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, slot, certOIDCIssuer, certOIDCIssuerRegex, certIdentity, certIdentityRegexp, githubWorkflowTrigger, githubWorkflowSHA, githubWorkflowName, githubWorkflowRepository, githubWorkflowRef, artifactRef string, sk, ignoreTlog, useSignedTimestamps, ignoreSCT bool) (*verify.VerificationResult, error) {
 bundle, err := sgbundle.LoadJSONFromPath(bundlePath)
 if err != nil {
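Review bot: checkNewBundle maps every error from `sgbundle.LoadJSONFromPath` to false, so an unreadable file or a truncated new-format bundle is indistinguishable from a legacy bundle and silently takes the legacy path, where the eventual error will point at the wrong format. The callers may also pass an empty path when no bundle was supplied; an early `if bundlePath == "" { return false }` avoids the pointless open. A doc comment such as `// checkNewBundle reports whether bundlePath parses as a protobuf bundle; any load error, including I/O errors, yields false.` would make that fallback explicit. The bundle is then read and parsed a second time in verifyNewBundle, whose body continues outside the hunk.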