fix: only fetch pub keys when tlogs and scts are not ignored (#8521)

2025-03-31 03:45:17 +00:00 · 2023-09-25 13:46:10 +05:30 · 2023-09-25 13:46:10 +05:30 · e5c004a6b4
commit e5c004a6b4
parent 313c5df2bb
2 changed files with 52 additions and 12 deletions
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -175,20 +175,24 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
 	}

 	cosignOpts.IgnoreTlog = opts.IgnoreTlog
-	cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err)
-	}
+	if !opts.IgnoreTlog {
+		cosignOpts.RekorClient, err = rekorclient.GetRekorClient(opts.RekorURL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create Rekor client from URL %s: %w", opts.RekorURL, err)
+		}

-	cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+		cosignOpts.RekorPubKeys, err = getRekorPubs(ctx, opts.RekorPubKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+		}
 	}

 	cosignOpts.IgnoreSCT = opts.IgnoreSCT
-	cosignOpts.CTLogPubKeys, err = getCTLogPubs(ctx, opts.CTLogsPubKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load Rekor public keys: %w", err)
+	if !opts.IgnoreSCT {
+		cosignOpts.CTLogPubKeys, err = getCTLogPubs(ctx, opts.CTLogsPubKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load CTLogs public keys: %w", err)
+		}
 	}

 	if opts.Repository != "" {
@ -579,7 +583,7 @@ func getRekorPubs(ctx context.Context, rekorPubKey string) (*cosign.TrustedTrans

 	publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
 	if err := publicKeys.AddTransparencyLogPubKey([]byte(rekorPubKey), tuf.Active); err != nil {
-		return nil, fmt.Errorf("AddRekorPubKey: %w", err)
+		return nil, fmt.Errorf("failed to get rekor public keys: %w", err)
 	}
 	return &publicKeys, nil
 }
@ -591,7 +595,7 @@ func getCTLogPubs(ctx context.Context, ctlogPubKey string) (*cosign.TrustedTrans

 	publicKeys := cosign.NewTrustedTransparencyLogPubKeys()
 	if err := publicKeys.AddTransparencyLogPubKey([]byte(ctlogPubKey), tuf.Active); err != nil {
-		return nil, fmt.Errorf("AddRekorPubKey: %w", err)
+		return nil, fmt.Errorf("failed to get transparency log public keys: %w", err)
 	}
 	return &publicKeys, nil
 }
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@ -145,6 +145,42 @@ func TestRekorPubkeys(t *testing.T) {
 	assert.NilError(t, err)
 }

+func TestIgnoreTlogsandIgnoreSCT(t *testing.T) {
+	err := SetMock("ghcr.io/kyverno/test-verify-image", [][]byte{[]byte(keylessPayload)})
+	defer ClearMock()
+	assert.NilError(t, err)
+
+	opts := images.Options{
+		ImageRef: "ghcr.io/kyverno/test-verify-image",
+	}
+
+	rc, err := registryclient.New()
+	assert.NilError(t, err)
+	opts.Client = rc
+
+	verifier := &cosignVerifier{}
+
+	opts.RekorPubKey = "--INVALID KEY--"
+	_, err = verifier.VerifySignature(context.TODO(), opts)
+	// RekorPubKey is checked when ignoreTlog is set to false
+	assert.ErrorContains(t, err, "failed to load Rekor public keys: failed to get rekor public keys: PEM decoding failed")
+
+	opts.IgnoreTlog = true
+	_, err = verifier.VerifySignature(context.TODO(), opts)
+	// RekorPubKey is NOT checked when ignoreTlog is set to true
+	assert.NilError(t, err)
+
+	opts.CTLogsPubKey = "--INVALID KEY--"
+	_, err = verifier.VerifySignature(context.TODO(), opts)
+	// CTLogsPubKey is checked when ignoreSCT is set to false
+	assert.ErrorContains(t, err, "failed to load CTLogs public keys: failed to get transparency log public keys: PEM decoding failed")
+
+	opts.IgnoreSCT = true
+	_, err = verifier.VerifySignature(context.TODO(), opts)
+	// CTLogsPubKey is NOT checked when ignoreSCT is set to true
+	assert.NilError(t, err)
+}
+
 func TestCTLogsPubkeys(t *testing.T) {
 	opts := images.Options{
 		ImageRef:     "ghcr.io/vishal-chdhry/cosign-test:v1",