-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set bundleVerified
to true after Rekor verification (Resolves #3740)
#3745
Set bundleVerified
to true after Rekor verification (Resolves #3740)
#3745
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3745 +/- ##
==========================================
- Coverage 40.10% 36.83% -3.27%
==========================================
Files 155 200 +45
Lines 10044 12233 +2189
==========================================
+ Hits 4028 4506 +478
- Misses 5530 7177 +1647
- Partials 486 550 +64 ☔ View full report in Codecov by Sentry. |
Thanks! Can you add a test for this? I think you just need to check what's returned by a code block like cosign/pkg/cosign/verify_test.go Lines 553 to 556 in 65969ae
If adding this test isn't straightforward, that's fine, this is a simple enough change. |
…e#3740) Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
65969ae
to
8372f1a
Compare
It wasn't straightforward, but I managed to add a comprehensive test covering several scenarios. I refactored the existing test, which only covered a failing validation, and combined it with other cases to ensure thorough coverage. Let me know if you need any further adjustments or additional scenarios covered. |
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, and thanks for the tests too!
I have no particular opinion on the desired semantics of the “bundleVerified” return value [my general position is that verification should be provided a policy and, apart from debugging-only output, return a single yes/no outcome, not any details to be further interpreted] — but AFAICS this value is consumed in cosign/cmd/cosign/cli/verify/verify.go Line 363 in 3d622d1
With this PR, I don’t know which part should be adjusted, but right now the codebase seems to be inconsistent. |
I agree, unfortunately we have inconsistencies in the codebase between what verification steps were taken and the debug output. Even The plan is to clean all of this up with the adoption of sigstore-go as the internal API for Cosign. |
Summary
This PR addresses an issue where the
bundleVerified
flag was not set to true after a successful online Rekor verification. The change ensures thatbundleVerified
accurately reflects the verification status when Rekor lookup is used.Resolves #3740
Release Note
Documentation