diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index ff020626dc..54ffdb7b23 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -175,20 +175,24 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
 }
 cosignOpts.IgnoreTlog = opts.IgnoreTlog
- cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL)
- if err != nil {
- return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err)
- }
+ if !opts.IgnoreTlog {
+ cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err)
+ }
 
- cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey)
- if err != nil {
- return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+ cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+ }
 }
 
 cosignOpts.IgnoreSCT = opts.IgnoreSCT
- cosignOpts.CTLogPubKeys, err = getCTLogPubs(ctx, opts.CTLogsPubKey)
- if err != nil {
- return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+ if !opts.IgnoreSCT {
+ cosignOpts.CTLogPubKeys, err = getCTLogPubs(ctx, opts.CTLogsPubKey)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load CTLogs public keys: %w", err)
+ }
 }
 
 if opts.Repository != "" {
@@ -579,7 +583,7 @@ func getRekorPubs(ctx context.Context, rekorPubKey string) (*cosign.TrustedTrans
 publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
 if err := publicKeys.AddTransparencyLogPubKey([]byte(rekorPubKey), tuf.Active); err != nil {
- return nil, fmt.Errorf("AddRekorPubKey: %w", err)
+ return nil, fmt.Errorf("failed to get rekor public keys: %w", err)
 }
 return &publicKeys, nil
 }
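Review bot: With the new guards, an Options value that sets IgnoreTlog (or IgnoreSCT) together with a RekorURL, RekorPubKey or CTLogsPubKey now has that material silently discarded instead of parsed, so a malformed key in such a configuration is only reported once the flag is removed; the added test in cosign_test.go confirms this is intended, but nothing in the function says so. A short comment above the first guard would make the contract explicit, e.g. `// Rekor client/keys and CT log keys are only loaded when their verification is enforced; with IgnoreTlog/IgnoreSCT set, cosign never consults them, so a missing or malformed value must not fail verification.` If the unused values are worth surfacing to policy authors, a debug log at the skipped branch would do that without reintroducing the failure this change removes. buildCosignOptions starts and ends outside the hunk.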
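Review bot: The new message `failed to get rekor public keys: %w` is wrapped again by buildCosignOptions as `failed to load Rekor public keys: %w`, so the chain a user sees reads "failed to load Rekor public keys: failed to get rekor public keys: PEM decoding failed", as the assertion in the cosign_test.go hunk shows; the getCTLogPubs hunk has the same shape. Go convention is for each layer to name what it was doing without a "failed to" prefix, which keeps the wrapped chain readable and ties the message to the operation rather than repeating the caller's wording, e.g. `return nil, fmt.Errorf("adding rekor public key: %w", err)` here and `return nil, fmt.Errorf("adding ctlog public key: %w", err)` in getCTLogPubs. getRekorPubs starts outside the hunk.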
@@ -591,7 +595,7 @@ func getCTLogPubs(ctx context.Context, ctlogPubKey string) (*cosign.TrustedTrans
 publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
 if err := publicKeys.AddTransparencyLogPubKey([]byte(ctlogPubKey), tuf.Active); err != nil {
- return nil, fmt.Errorf("AddRekorPubKey: %w", err)
+ return nil, fmt.Errorf("failed to get transparency log public keys: %w", err)
 }
 return &publicKeys, nil
 }
diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go
index 962ef3dfbf..d0f0662609 100644
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@@ -145,6 +145,42 @@ func TestRekorPubkeys(t *testing.T) {
 assert.NilError(t, err)
 }
 
+func TestIgnoreTlogsandIgnoreSCT(t *testing.T) {
+ err := SetMock("ghcr.io/kyverno/test-verify-image", [][]byte{[]byte(keylessPayload)})
+ defer ClearMock()
+ assert.NilError(t, err)
+
+ opts := images.Options{
+ ImageRef: "ghcr.io/kyverno/test-verify-image",
+ }
+
+ rc, err := registryclient.New()
+ assert.NilError(t, err)
+ opts.Client = rc
+
+ verifier := &cosignVerifier{}
+
+ opts.RekorPubKey = "--INVALID KEY--"
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ // RekorPubKey is checked when ignoreTlog is set to false
+ assert.ErrorContains(t, err, "failed to load Rekor public keys: failed to get rekor public keys: PEM decoding failed")
+
+ opts.IgnoreTlog = true
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ // RekorPubKey is NOT checked when ignoreTlog is set to true
+ assert.NilError(t, err)
+
+ opts.CTLogsPubKey = "--INVALID KEY--"
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ // CTLogsPubKey is checked when ignoreSCT is set to false
+ assert.ErrorContains(t, err, "failed to load CTLogs public keys: failed to get transparency log public keys: PEM decoding failed")
+
+ opts.IgnoreSCT = true
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ // CTLogsPubKey is NOT checked when ignoreSCT is set to true
+ assert.NilError(t, err)
+}
+
 func TestCTLogsPubkeys(t *testing.T) {
 opts := images.Options{
 ImageRef: "ghcr.io/vishal-chdhry/cosign-test:v1",
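Review bot: The two ErrorContains assertions pin the whole wrapped chain down to the cosign library's own "PEM decoding failed" text, so a wording change in that dependency or in getRekorPubs/getCTLogPubs breaks this test with no change in the guard it covers; matching only this package's prefix, `assert.ErrorContains(t, err, "failed to load Rekor public keys")` and `assert.ErrorContains(t, err, "failed to load CTLogs public keys")`, keeps the test focused on the IgnoreTlog/IgnoreSCT branches. The name TestIgnoreTlogsandIgnoreSCT mixes cases mid-word; `TestIgnoreTlogAndIgnoreSCT` follows MixedCaps and matches the IgnoreTlog field it exercises. The CTLogsPubKey checks run with IgnoreTlog already set to true from the earlier step, which is what lets them isolate the SCT guard, but a one-line comment saying so would stop a reader from taking the carried-over flag for an oversight.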