From 4e1c1e678577216015be54d7a2b012bc82c76db1 Mon Sep 17 00:00:00 2001
From: Pradeep Lakshmi Narasimha <pradeep.vaishnav4@gmail.com>
Date: Tue, 4 Oct 2022 15:33:56 +0530
Subject: [PATCH] fix: subject and issuer validation when attestations are
 present (#4786)

Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>

Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 pkg/cosign/cosign.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 9d787e9d02..a71ea4c3de 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -279,6 +279,20 @@ func fetchAttestations(opts Options) (*Response, error) {
 		return nil, err
 	}
 
+	payload, err := extractPayload(signatures)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := matchCertificate(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
+		return nil, err
+	}
+
+	err = checkAnnotations(payload, opts.Annotations)
+	if err != nil {
+		return nil, err
+	}
+
 	logger.V(3).Info("verified images", "signatures", len(signatures), "bundleVerified", bundleVerified)
 	inTotoStatements, digest, err := decodeStatements(signatures)
 	if err != nil {
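Review bot: The diffstat shows only pkg/cosign/cosign.go changing, so the regression this fixes — an attestation accepted although its certificate identity does not match opts.Subject/opts.Issuer — has no test pinning it; a case that supplies an attestation whose certificate subject or issuer differs from the policy and asserts fetchAttestations returns an error would stop this from drifting again. The three added checks look like the same verify sequence used for plain signatures elsewhere in the file (not visible in this hunk), and since the defect was exactly that the two paths diverged, folding them into one helper taking the signatures and opts and called from both paths would remove the chance of a future check landing in one path only. Minor style: the error handling mixes three shapes — `payload, err := …`, `if err := matchCertificate(…)`, and `err = checkAnnotations(…)`; `if err := checkAnnotations(payload, opts.Annotations); err != nil { return nil, err }` would make them uniform and avoid reusing the outer err. Whether matchCertificate treats an empty Subject or Issuer as "no constraint" or as a mismatch is not visible here; confirm that policies that set neither still verify attestations, and that a set Subject is compared exactly rather than by prefix. fetchAttestations begins before this hunk.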