chore: update verify break condition; revert file check; improve debug comment for hashing

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/provenance/provenance_finder.py

@@ -590,5 +590,5 @@ def get_artifact_hash(
 
         return pypi_registry.get_artifact_hash(source_url)
 
-    logger.debug("Purl type '%s' not yet supported for GitHub attestation discovery.", purl.type)
+    logger.debug("Purl type '%s' not yet supported for artifact hashing.", purl.type)
     return None

src/macaron/provenance/provenance_verifier.py

@@ -249,7 +249,7 @@ def _find_subject_asset(
     for item in all_assets:
         item_path = os.path.join(download_path, item["name"])
         # Make sure to download an archive just once.
-        if not Path(item_path).exists():
+        if not Path(item_path).is_file():
             if not ci_service.api_client.download_asset(item["url"], item_path):
                 logger.info("Could not download artifact %s. Skip verifying...", os.path.basename(item_path))
                 break

src/macaron/slsa_analyzer/analyzer.py

@@ -547,7 +547,7 @@ def run_single(
                     verified = []
                     for ci_info in analyze_ctx.dynamic_data["ci_services"]:
                         verified.append(verify_ci_provenance(analyze_ctx, ci_info, temp_dir))
-                        if not verified:
+                        if not verified[-1]:
                             break
                     if verified and all(verified):
                         provenance_l3_verified = True