diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index 010cef4afb4..a4e657601e4 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -295,7 +295,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 				return err
 			}
 		default:
-			return errors.New("internal error in handling CertChain and RootCerts - default case should never happen")
+			return errors.New("no certificate chain provided to verify certificate")
 		}
 		if c.SCTRef != "" {
diff --git a/test/e2e_test.go b/test/e2e_test.go
index f6ead509f97..d7801e651db 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -151,7 +151,7 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	ctx := context.Background()
 	// Verify should fail at first
-	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", true), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, nil, "", true), t)
 	// So should download
 	mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
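Review bot: The new message on the `+` line turns the switch's `default` arm from an internal invariant into a user-facing condition, but nothing in the commit exercises it; a unit test that builds a `VerifyCommand` with neither a certificate chain nor CA roots set and checks that `Exec` returns this error would pin the fail-closed behaviour. The message would also be more actionable if it named the inputs the switch accepts, e.g. `return errors.New("no certificate chain or CA roots provided to verify certificate: pass --certificate-chain or --ca-roots")`. The surrounding switch and the rest of `Exec` lie outside the hunk, so that the default arm is reached only when both inputs are empty is inferred from the old message, not visible here.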
@@ -170,13 +170,13 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	// Now verify and download should work!
 	ignoreTlog := true
-	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", ignoreTlog), t)
+	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, nil, "", ignoreTlog), t)
 	// verification with certificate chain instead of root/intermediate files should work as well
 	must(verifyCertChain(pubKeyPath, certChainFile, certFile, imgName, true, nil, "", ignoreTlog), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Look for a specific annotation
-	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
 	so.AnnotationOptions = options.AnnotationOptions{
 		Annotations: []string{"foo=bar"},
@@ -185,10 +185,10 @@ func TestSignVerifyCertBundle(t *testing.T) {
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// It should match this time.
-	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
+	must(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", ignoreTlog), t)
 	// But two doesn't work
-	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", ignoreTlog), t)
+	mustErr(verifyCertBundle(pubKeyPath, caCertFile, caIntermediateCertFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", ignoreTlog), t)
 }
 func TestSignVerifyClean(t *testing.T) {
diff --git a/test/helpers.go b/test/helpers.go
index 7747bebdd90..ca9d4f4377b 100644
--- a/test/helpers.go
+++ b/test/helpers.go
@@ -108,7 +108,7 @@ var verifyCertChain = func(keyRef, certChain, certFile, imageRef string, checkCl
 	return cmd.Exec(context.Background(), args)
 }
-var verifyCertBundle = func(keyRef, caCertFile, caIntermediates, certFile, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment string, skipTlogVerify bool) error {
+var verifyCertBundle = func(keyRef, caCertFile, caIntermediateCertFile, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment string, skipTlogVerify bool) error {
 	cmd := cliverify.VerifyCommand{
 		KeyRef: keyRef,
 		RekorURL: rekorURL,
@@ -119,7 +119,7 @@ var verifyCertBundle = func(keyRef, caCertFile, caIntermediates, certFile, image
 		MaxWorkers: 10,
 		IgnoreTlog: skipTlogVerify,
 		CertVerifyOptions: options.CertVerifyOptions{
-			CAIntermediates: caIntermediates,
+			CAIntermediates: caIntermediateCertFile,
 			CARoots: caCertFile,
 			CertOidcIssuerRegexp: ".*",
 			CertIdentityRegexp: ".*",
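Review bot: `verifyCertBundle` gains a renamed parameter on the `+` line of the first hunk but still carries no doc comment, and the options it hard-codes deserve one: `CertOidcIssuerRegexp: ".*"` and `CertIdentityRegexp: ".*"` mean the helper only exercises chain-of-trust validation against the supplied CA roots and intermediates, not the binding of the signing certificate to an identity. A comment such as `// verifyCertBundle runs cosign verify with CA roots and intermediates supplied as files; issuer and identity are wildcarded, so it checks chain validity only, never identity.` above the `var` would keep the wildcard from being copied as a verification pattern. The closure body continues past the second hunk, so the remaining options it sets are not visible here.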