Don't require CT log keys if using a key/sk (#3415)

haydentherapper · web-flow · commit 3329d81f5f2f · 2023-12-05T18:52:52.000Z
Fixes #3386. The logic was inverted for this check. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -207,7 +207,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	certRef := c.CertRef
 
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if !c.IgnoreSCT || keyRef != "" {
+	if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -111,7 +111,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 	}
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if !c.IgnoreSCT || c.KeyRef != "" {
+	if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -286,7 +286,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	}
 
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if !c.IgnoreSCT || c.KeyRef != "" {
+	if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)
diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -190,7 +190,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		}
 	}
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if !c.IgnoreSCT || c.KeyRef != "" {
+	if !c.IgnoreSCT || keylessVerification(c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e`
`111`	`111`	`co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier`
`112`	`112`	`}`
`113`	`113`	`// Ignore Signed Certificate Timestamp if the flag is set or a key is provided`
`114`		`- if !c.IgnoreSCT \|\| c.KeyRef != "" {`
	`114`	`+ if !c.IgnoreSCT \|\| keylessVerification(c.KeyRef, c.Sk) {`
`115`	`115`	`co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)`
`116`	`116`	`if err != nil {`
`117`	`117`	`return fmt.Errorf("getting ctlog public keys: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -286,7 +286,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {`
`286`	`286`	`}`
`287`	`287`
`288`	`288`	`// Ignore Signed Certificate Timestamp if the flag is set or a key is provided`
`289`		`- if !c.IgnoreSCT \|\| c.KeyRef != "" {`
	`289`	`+ if !c.IgnoreSCT \|\| keylessVerification(c.KeyRef, c.Sk) {`
`290`	`290`	`co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)`
`291`	`291`	`if err != nil {`
`292`	`292`	`return fmt.Errorf("getting ctlog public keys: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -190,7 +190,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st`
`190`	`190`	`}`
`191`	`191`	`}`
`192`	`192`	`// Ignore Signed Certificate Timestamp if the flag is set or a key is provided`
`193`		`- if !c.IgnoreSCT \|\| c.KeyRef != "" {`
	`193`	`+ if !c.IgnoreSCT \|\| keylessVerification(c.KeyRef, c.Sk) {`
`194`	`194`	`co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)`
`195`	`195`	`if err != nil {`
`196`	`196`	`return fmt.Errorf("getting ctlog public keys: %w", err)`