diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index a9761bf02fb..199b2165113 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -149,13 +149,14 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, if err != nil { return fmt.Errorf("getting Fulcio roots: %w", err) } + co.IntermediateCerts, err = fulcio.GetIntermediates() if err != nil { return fmt.Errorf("getting Fulcio intermediates: %w", err) } co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) if err != nil { - return err + return fmt.Errorf("validating certRef: %w", err) } } else { // Verify certificate with chain @@ -195,8 +196,15 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, if err != nil { return fmt.Errorf("getting Fulcio intermediates: %w", err) } + co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) + } else { + // Verify certificate with chain + chain, err := loadCertChainFromFileOrURL(certChain) + if err != nil { + return err + } + co.SigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co) } - co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co) } if err != nil { return fmt.Errorf("loading verifier from bundle: %w", err) diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go index 223330b4511..12f76ece3a6 100644 --- a/cmd/cosign/cli/verify/verify_blob_test.go +++ b/cmd/cosign/cli/verify/verify_blob_test.go @@ -994,6 +994,44 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) { t.Fatalf("expected success without specifying the intermediates, got %v", err) } }) + t.Run("Intermediate root explicit in non-experimental mode", func(t *testing.T) { + identity := "hello@foo.com" + issuer := "issuer" + leafCert, _, leafPemCert, signer := keyless.genLeafCert(t, identity, issuer) + + // Create blob + blob := "someblob" + + // Sign blob with private key + sig, err := signer.SignMessage(bytes.NewReader([]byte(blob))) + if err != nil { + t.Fatal(err) + } + + // Create bundle + entry := genRekorEntry(t, hashedrekord.KIND, hashedrekord.New().DefaultVersion(), []byte(blob), leafPemCert, sig) + b := createBundle(t, sig, leafPemCert, keyless.rekorLogID, leafCert.NotBefore.Unix()+1, entry) + b.Bundle.SignedEntryTimestamp = keyless.rekorSignPayload(t, b.Bundle.Payload) + bundlePath := writeBundleFile(t, keyless.td, b, "bundle.json") + blobPath := writeBlobFile(t, keyless.td, blob, "blob.txt") + + // Verify command + err = VerifyBlobCmd(context.Background(), + options.KeyOpts{BundlePath: bundlePath}, + "", /*certRef*/ + identity, /*certEmail*/ + issuer, /*certOidcIssuer*/ + os.Getenv("SIGSTORE_ROOT_FILE"), /*certChain*/ + "", /*sigRef*/ // Sig is fetched from bundle + blobPath, /*blobRef*/ + // GitHub identity flags start + "", "", "", "", "", + // GitHub identity flags end + false /*enforceSCT*/) + if err != nil { + t.Fatalf("expected success specifying the intermediates, got %v", err) + } + }) } func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {