Closed maxlambrecht closed 1 day ago
Description
The `bundleVerified` flag is not being set to true following a successful online verification using Rekor, as seen in the code snippet below.
```go
// Snippet quoted in the report (cosign 2.2.4).
if !co.IgnoreTlog {
	bundleVerified, err = VerifyBundle(sig, co)
	if err != nil {
		return false, fmt.Errorf("error verifying bundle: %w", err)
	}

	if bundleVerified {
		// Update with the verified bundle's integrated time.
		t, err := getBundleIntegratedTime(sig)
		if err != nil {
			return false, fmt.Errorf("error getting bundle integrated time: %w", err)
		}
		acceptableRekorBundleTime = &t
	} else {
		// If the --offline flag was specified, fail here. bundleVerified returns false with
		// no error when there was no bundle provided.
		if co.Offline {
			return false, fmt.Errorf("offline verification failed")
		}

		// no Rekor client provided for an online lookup
		if co.RekorClient == nil {
			return false, fmt.Errorf("rekor client not provided for online verification")
		}

		pemBytes, err := keyBytes(sig, co)
		if err != nil {
			return false, err
		}

		e, err := tlogValidateEntry(ctx, co.RekorClient, co.RekorPubKeys, sig, pemBytes)
		if err != nil {
			return false, err
		}
		t := time.Unix(*e.IntegratedTime, 0)
		acceptableRekorBundleTime = &t
	}
}
```
Expected Behavior: In the else branch of the verification logic, if the Rekor verification succeeds, the `bundleVerified` flag should be set to true.
Version
2.2.4
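The following is an added example, not cosign's code and not part of the issue above. It models only the control flow of the quoted branch so the reported defect and the expected fix can be run side by side: `verifyOptions`, `fakeSig`, `tlogLookup`, `verifyTlog` and the `fixSet` switch are hypothetical names chosen for this illustration; the stand-ins for `VerifyBundle` (true only when a bundle is attached) and `tlogValidateEntry` (a constructed lookup closure) are assumptions, and the integrated timestamps are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// verifyOptions models only the fields of the check options that the
// quoted branch consults (hypothetical names mirroring the snippet).
type verifyOptions struct {
	IgnoreTlog bool
	Offline    bool
	HasRekor   bool // stands in for co.RekorClient != nil
}

// fakeSig models a signature that may or may not carry an offline Rekor bundle.
type fakeSig struct {
	bundleIntegratedTime *time.Time // nil when no bundle is attached
}

// tlogLookup stands in for tlogValidateEntry: a constructed online lookup
// that returns the entry's integrated time or an error.
type tlogLookup func() (int64, error)

// verifyTlog reproduces the control flow of the quoted branch. With
// fixSet=false it keeps the reported behaviour (bundleVerified stays false
// after a successful online lookup); with fixSet=true it applies the fix the
// report asks for. The returned time is the accepted Rekor integrated time.
func verifyTlog(co verifyOptions, sig fakeSig, lookup tlogLookup, fixSet bool) (bundleVerified bool, integrated *time.Time, err error) {
	if co.IgnoreTlog {
		return false, nil, nil
	}

	// Stand-in for VerifyBundle: verified when a bundle is attached, false
	// with no error when none was provided.
	bundleVerified = sig.bundleIntegratedTime != nil
	if bundleVerified {
		t := *sig.bundleIntegratedTime
		return true, &t, nil
	}

	// No bundle: an offline-only verification must fail here.
	if co.Offline {
		return false, nil, errors.New("offline verification failed")
	}
	// No bundle and no Rekor client: nothing to look up.
	if !co.HasRekor {
		return false, nil, errors.New("rekor client not provided for online verification")
	}

	// Online lookup against the transparency log.
	it, err := lookup()
	if err != nil {
		return false, nil, err
	}
	t := time.Unix(it, 0)
	if fixSet {
		bundleVerified = true // the assignment the report says is missing
	}
	return bundleVerified, &t, nil
}

func main() {
	// Constructed sample: no bundle attached, Rekor client available,
	// online lookup succeeds with an integrated time of 1700000000.
	ok := func() (int64, error) { return 1700000000, nil }
	co := verifyOptions{HasRekor: true}
	sig := fakeSig{}

	buggy, _, err := verifyTlog(co, sig, ok, false)
	fmt.Println("reported behaviour: bundleVerified =", buggy, "err =", err)
	fixed, t, err := verifyTlog(co, sig, ok, true)
	fmt.Println("expected behaviour: bundleVerified =", fixed, "integrated =", t.Unix(), "err =", err)
}
```

Running it shows the same successful online lookup yielding `bundleVerified = false` on the reported path and `true` once the assignment is added; the offline and missing-client failures are returned as errors in both variants, so the flag is the only thing the fix changes.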