In case a cert or key ref isn't passed into verify-blob, we use the FIRST UUID uploaded in rekor for the certificate. IMO, I don't think this is correct behavior -- especially since this supports pinning an expected cert email. The first UUID may not be the expected certificate.
Anyway, I'm not sure that searching by payload without the certificate is great behavior -- at least clients should log that they're doing a best effort search for the signing certificate.
+1 on pulling them all, and then also displaying a message explaining the guarantees of the search API. Basically - the results returned are guaranteed to be valid, but we can make no guarantees that every valid entry is returned.
Basically - the results returned are guaranteed to be valid, but we can make no guarantees that every valid entry is returned.
Great, right!
I'll close this issue in favor of that one, and open up a fix PR for more discussion. I think it should display a message as soon as it reaches the experimental case, strongly suggesting that a certificate be passed in via the CLI.
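The behavior agreed on above (pull every matching Rekor entry, verify each one against the signature, and only then apply the identity pin, while warning that the search is best effort), as an added Go example that is not cosign's own code: the Rekor search is replaced by a constructed in-memory list of candidate entries with self-signed throwaway certificates, and `CandidateEntry`, `FindSigningEntries` and `Scenario` are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// CandidateEntry is a hypothetical stand-in for one Rekor entry returned by
// a search on the payload hash: the log UUID plus the certificate it recorded.
type CandidateEntry struct {
	UUID string
	Cert *x509.Certificate
}

// selfSignedCert builds a throwaway certificate carrying an email SAN
// (constructed test material, not a Fulcio-issued certificate).
func selfSignedCert(email string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// FindSigningEntries checks every candidate instead of trusting the first
// UUID. A UUID is returned only if its certificate verifies the signature
// and, when expectedEmail is set, also carries that email SAN. Every entry
// returned is valid; nothing guarantees the search surfaced all valid ones.
func FindSigningEntries(entries []CandidateEntry, blob, sig []byte, expectedEmail string) []string {
	digest := sha256.Sum256(blob)
	var matches []string
	for _, e := range entries {
		pub, ok := e.Cert.PublicKey.(*ecdsa.PublicKey)
		if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
			continue // certificate did not sign this blob
		}
		if expectedEmail != "" && !hasEmail(e.Cert, expectedEmail) {
			continue // signer is not the pinned identity
		}
		matches = append(matches, e.UUID)
	}
	return matches
}

func hasEmail(c *x509.Certificate, email string) bool {
	for _, e := range c.EmailAddresses {
		if e == email {
			return true
		}
	}
	return false
}

// Scenario constructs the failure mode from the issue: the entry uploaded
// first belongs to a different signer, so "use the first UUID" picks the
// wrong certificate.
func Scenario() (entries []CandidateEntry, blob, sig []byte, err error) {
	bobCert, _, err := selfSignedCert("bob@example.com")
	if err != nil {
		return nil, nil, nil, err
	}
	aliceCert, alicePriv, err := selfSignedCert("alice@example.com")
	if err != nil {
		return nil, nil, nil, err
	}
	blob = []byte("constructed blob contents")
	digest := sha256.Sum256(blob)
	sig, err = ecdsa.SignASN1(rand.Reader, alicePriv, digest[:])
	if err != nil {
		return nil, nil, nil, err
	}
	entries = []CandidateEntry{
		{UUID: "uuid-bob-first", Cert: bobCert},
		{UUID: "uuid-alice-second", Cert: aliceCert},
	}
	return entries, blob, sig, nil
}

func main() {
	entries, blob, sig, err := Scenario()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("WARNING: no certificate or key given; searching Rekor by payload is best effort")
	fmt.Println("first UUID (wrong signer):", entries[0].UUID)
	fmt.Println("entries that verify:", FindSigningEntries(entries, blob, sig, ""))
	fmt.Println("pinned to alice:", FindSigningEntries(entries, blob, sig, "alice@example.com"))
	fmt.Println("pinned to bob:", FindSigningEntries(entries, blob, sig, "bob@example.com"))
}
```

Verification runs before the identity check on purpose: pinning an email only narrows which verified entries are acceptable, so a certificate that never signed the blob can't be accepted merely because it carries the expected SAN.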
cosign/cmd/cosign/cli/verify/verify_blob.go
Lines 140 to 164 in 18d2ce0
@haydentherapper