From 3329d81f5f2feeebc92cb6edd46fbdd31989b93d Mon Sep 17 00:00:00 2001
From: Hayden B
Date: Tue, 5 Dec 2023 10:52:52 -0800
Subject: [PATCH] Don't require CT log keys if using a key/sk (#3415)
Fixes #3386. The logic was inverted for this check.
Signed-off-by: Hayden Blauzvern
---
 cmd/cosign/cli/verify/verify.go | 2 +-
 cmd/cosign/cli/verify/verify_attestation.go | 2 +-
 cmd/cosign/cli/verify/verify_blob.go | 2 +-
 cmd/cosign/cli/verify/verify_blob_attestation.go | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index 96e5b43ba93..905c9c4c59f 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -207,7 +207,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 certRef := c.CertRef
 // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
- if !c.IgnoreSCT || keyRef != "" {
+ if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index 71eaaf0d42b..cb4ee18d85a 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
@@ -111,7 +111,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 }
 // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
- if !c.IgnoreSCT || c.KeyRef != "" {
+ if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index ccbec350652..5af87a88869 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
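Review bot: The new guard in `VerifyCommand.Exec` (verify.go) still joins its two terms with `||`, so `cosign.GetCTLogPubs` runs whenever `IgnoreSCT` is false, even when a key or security key is supplied, and also runs for keyless verification when `IgnoreSCT` is true. That contradicts the comment directly above it and the commit title; assuming `keylessVerification` (defined outside this diff) reports that neither `KeyRef` nor `Sk` is set, the guard should read `if !c.IgnoreSCT && keylessVerification(c.KeyRef, c.Sk) {`. The identical line appears in the hunks for verify_attestation.go, verify_blob.go and verify_blob_attestation.go and needs the same change. As written the extra fetch fails closed (an error from `GetCTLogPubs` aborts verification), but it keeps key-based and offline verification dependent on retrieving CT log keys, so a table test over the four `IgnoreSCT` / key combinations would pin the intended behaviour. `Exec` begins and ends outside each hunk, so how `co.CTLogPubKeys` is consumed later is not visible here.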
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -286,7 +286,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 }
 // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
- if !c.IgnoreSCT || c.KeyRef != "" {
+ if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
index 079af421c49..6a9762e559f 100644
--- a/cmd/cosign/cli/verify/verify_blob_attestation.go
+++ b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -190,7 +190,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 }
 }
 // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
- if !c.IgnoreSCT || c.KeyRef != "" {
+ if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)