From b9fef6d439f58fe7953218b7244be6428a5d9665 Mon Sep 17 00:00:00 2001
From: Radoslav Dimitrov
Date: Sat, 21 Feb 2026 22:42:55 +0200
Subject: [PATCH 1/4] Use provenance instead of imageMetadata for verifier
Signed-off-by: Radoslav Dimitrov
---
 container/verifier/verifier.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/container/verifier/verifier.go b/container/verifier/verifier.go
index 0150391..bab147f 100644
--- a/container/verifier/verifier.go
+++ b/container/verifier/verifier.go
@@ -41,12 +41,12 @@ type Result struct {
 }
 
 // New creates a new Sigstore verifier
-func New(serverInfo *registry.ImageMetadata, keychain authn.Keychain) (*Sigstore, error) {
+func New(provenance *registry.Provenance, keychain authn.Keychain) (*Sigstore, error) {
 	// Fail the verification early if the server information is not set
-	if serverInfo == nil || serverInfo.Provenance == nil {
+	if provenance == nil {
 		return nil, ErrProvenanceServerInformationNotSet
 	}
-	sigstoreTUFRepoURL := serverInfo.Provenance.SigstoreURL
+	sigstoreTUFRepoURL := provenance.SigstoreURL
 
 	// Default the sigstoreTUFRepoURL to the sigstore public trusted root repo if not provided.
 	// Note: Update this if we want to support more sigstore instances
@@ -133,7 +133,7 @@ func getVerifiedResults(
 }
 
 // VerifyServer verifies the server information for the given image reference
-func (s *Sigstore) VerifyServer(imageRef string, serverInfo *registry.ImageMetadata) (bool, error) {
+func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance) (bool, error) {
 	// Get the verification results for the image reference
 	results, err := s.GetVerificationResults(imageRef)
 	if err != nil {
@@ -147,7 +147,7 @@ func (s *Sigstore) VerifyServer(imageRef string, serverInfo *registry.ImageMetad
 
 	// Compare the server information with the verification results
 	for _, res := range results {
-		if !isVerificationResultMatchingServerProvenance(res, serverInfo.Provenance) {
+		if !isVerificationResultMatchingServerProvenance(res, provenance) {
 			// The server information does not match the verification result, fail the verification
 			return false, nil
 		}
From a3e25e1b8db0aeaac7b24018e7d3070ccec0cf5f Mon Sep 17 00:00:00 2001
From: Radoslav Dimitrov
Date: Sat, 21 Feb 2026 22:50:04 +0200
Subject: [PATCH 2/4] Iterate all bundles and fail only if none match
Signed-off-by: Radoslav Dimitrov
---
 container/verifier/verifier.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/container/verifier/verifier.go b/container/verifier/verifier.go
index bab147f..4f275f8 100644
--- a/container/verifier/verifier.go
+++ b/container/verifier/verifier.go
@@ -145,15 +145,13 @@ func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance
 		return false, nil
 	}
 
-	// Compare the server information with the verification results
+	// Return true if any result matches the provenance
 	for _, res := range results {
-		if !isVerificationResultMatchingServerProvenance(res, provenance) {
-			// The server information does not match the verification result, fail the verification
-			return false, nil
+		if isVerificationResultMatchingServerProvenance(res, provenance) {
+			return true, nil
 		}
 	}
-	// The server information matches the verification result, pass the verification
-	return true, nil
+	return false, nil
 }
 
 func isVerificationResultMatchingServerProvenance(r *verify.VerificationResult, p *registry.Provenance) bool {
From 99c4db3b089188e83c093637b24924395dccb358 Mon Sep 17 00:00:00 2001
From: Radoslav Dimitrov
Date: Sat, 21 Feb 2026 22:53:11 +0200
Subject: [PATCH 3/4] Return specific errors depending on the verification failure
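Review bot: The any-match loop in the `@@ -145,15` hunk makes a single matching bundle sufficient no matter what the other bundles carry, so the check is only as strong as the filtering done by `s.GetVerificationResults`, whose body lies above the hunk. If every result it returns has already passed signature and trust-root verification this relaxation is sound, but if an unverified or partially verified bundle can reach this loop, anyone able to attach an extra attestation that parrots the expected provenance would pass. That invariant deserves stating at the loop, for example `// Each result was already cryptographically verified upstream; matching any one of them against the expected provenance is sufficient.` VerifyServer itself begins above the hunk.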
Signed-off-by: Radoslav Dimitrov
---
 container/verifier/utils.go    | 6 ++++++
 container/verifier/verifier.go | 5 ++---
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/container/verifier/utils.go b/container/verifier/utils.go
index 7933e09..b61a1cf 100644
--- a/container/verifier/utils.go
+++ b/container/verifier/utils.go
@@ -26,6 +26,12 @@ var (
 	// ErrProvenanceServerInformationNotSet is returned when the provenance information for a server is not set
 	ErrProvenanceServerInformationNotSet = errors.New("provenance server information not set")
 
+	// ErrImageNotSigned is returned when no signatures or attestations are found for the image
+	ErrImageNotSigned = errors.New("image is not signed")
+
+	// ErrProvenanceMismatch is returned when the image is signed but no bundle matches the expected provenance
+	ErrProvenanceMismatch = errors.New("image provenance does not match")
+
 	// MaxAttestationsBytesLimit is the maximum number of bytes we're willing to read from the attestation endpoint
 	// We'll limit this to 10mb for now
 	MaxAttestationsBytesLimit int64 = 10 * 1024 * 1024
diff --git a/container/verifier/verifier.go b/container/verifier/verifier.go
index 4f275f8..ed5806e 100644
--- a/container/verifier/verifier.go
+++ b/container/verifier/verifier.go
@@ -140,9 +140,8 @@ func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance
 		return false, err
 	}
 
-	// If we didn't manage to get any verification results, it probably means that the image is not signed.
 	if len(results) == 0 {
-		return false, nil
+		return false, ErrImageNotSigned
 	}
 
 	// Return true if any result matches the provenance
@@ -151,7 +150,7 @@ func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance
 			return true, nil
 		}
 	}
-	return false, nil
+	return false, ErrProvenanceMismatch
 }
 
 func isVerificationResultMatchingServerProvenance(r *verify.VerificationResult, p *registry.Provenance) bool {
From b197055e43aec752499b4c85866c6f0867df2e5c Mon Sep 17 00:00:00 2001
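Review bot: Mapping `len(results) == 0` to `ErrImageNotSigned` in the `@@ -140,9` hunk asserts more than the code knows: the comment it removes hedged with "probably", and an empty result set can equally mean that bundles exist but none passed verification against the trusted root, depending on how `GetVerificationResults` (outside the hunk) filters them. An operator reading "image is not signed" would then look for a missing signature rather than an untrusted one, which is the wrong incident-response path. Either have the upstream call distinguish "nothing found" from "nothing verified", or soften the sentinel so it is not misread: `ErrImageNotSigned = errors.New("no verified signatures or attestations found for image")` with its doc comment saying the same.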
From: Radoslav Dimitrov
Date: Sat, 21 Feb 2026 22:58:48 +0200
Subject: [PATCH 4/4] Simplify function signature to return error
Signed-off-by: Radoslav Dimitrov
---
 container/verifier/verifier.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/container/verifier/verifier.go b/container/verifier/verifier.go
index ed5806e..79d8bb8 100644
--- a/container/verifier/verifier.go
+++ b/container/verifier/verifier.go
@@ -133,24 +133,24 @@ func getVerifiedResults(
 }
 
 // VerifyServer verifies the server information for the given image reference
-func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance) (bool, error) {
+func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance) error {
 	// Get the verification results for the image reference
 	results, err := s.GetVerificationResults(imageRef)
 	if err != nil {
-		return false, err
+		return err
 	}
 
 	if len(results) == 0 {
-		return false, ErrImageNotSigned
+		return ErrImageNotSigned
 	}
 
-	// Return true if any result matches the provenance
+	// Return nil if any result matches the provenance
 	for _, res := range results {
 		if isVerificationResultMatchingServerProvenance(res, provenance) {
-			return true, nil
+			return nil
 		}
 	}
-	return false, ErrProvenanceMismatch
+	return ErrProvenanceMismatch
 }
 
 func isVerificationResultMatchingServerProvenance(r *verify.VerificationResult, p *registry.Provenance) bool {
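Review bot: `VerifyServer` receives `provenance` independently of the value `New` validated, and nothing in the new signature guards a nil pointer before it is handed to `isVerificationResultMatchingServerProvenance`, whose body is outside the hunk; if that helper dereferences `p`, a nil provenance surfaces as a panic instead of a verification error. A guard mirroring the constructor, placed before the `GetVerificationResults` call, keeps the failure mode uniform: `if provenance == nil { return ErrProvenanceServerInformationNotSet }`. Since the method now reports its outcome only through the error, the doc comment should also name the sentinels so callers know to test them with `errors.Is`, e.g. `// VerifyServer returns nil when at least one verified bundle for imageRef matches provenance, ErrImageNotSigned when no verified bundle exists, and ErrProvenanceMismatch when bundles exist but none match.`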