stacklok · rdimitrov · Feb 22, 2026 · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/container/verifier/utils.go b/container/verifier/utils.go
@@ -26,6 +26,12 @@ var (
 	// ErrProvenanceServerInformationNotSet is returned when the provenance information for a server is not set
 	ErrProvenanceServerInformationNotSet = errors.New("provenance server information not set")
 
+	// ErrImageNotSigned is returned when no signatures or attestations are found for the image
+	ErrImageNotSigned = errors.New("image is not signed")
+
+	// ErrProvenanceMismatch is returned when the image is signed but no bundle matches the expected provenance
+	ErrProvenanceMismatch = errors.New("image provenance does not match")
+
 	// MaxAttestationsBytesLimit is the maximum number of bytes we're willing to read from the attestation endpoint
 	// We'll limit this to 10mb for now
 	MaxAttestationsBytesLimit int64 = 10 * 1024 * 1024

diff --git a/container/verifier/verifier.go b/container/verifier/verifier.go
@@ -41,12 +41,12 @@ type Result struct {
 }
 
 // New creates a new Sigstore verifier
-func New(serverInfo *registry.ImageMetadata, keychain authn.Keychain) (*Sigstore, error) {
+func New(provenance *registry.Provenance, keychain authn.Keychain) (*Sigstore, error) {
 	// Fail the verification early if the server information is not set
-	if serverInfo == nil || serverInfo.Provenance == nil {
+	if provenance == nil {
 		return nil, ErrProvenanceServerInformationNotSet
 	}
-	sigstoreTUFRepoURL := serverInfo.Provenance.SigstoreURL
+	sigstoreTUFRepoURL := provenance.SigstoreURL
 
 	// Default the sigstoreTUFRepoURL to the sigstore public trusted root repo if not provided.
 	// Note: Update this if we want to support more sigstore instances
@@ -133,27 +133,24 @@ func getVerifiedResults(
 }
 
 // VerifyServer verifies the server information for the given image reference
-func (s *Sigstore) VerifyServer(imageRef string, serverInfo *registry.ImageMetadata) (bool, error) {
+func (s *Sigstore) VerifyServer(imageRef string, provenance *registry.Provenance) error {
 	// Get the verification results for the image reference
 	results, err := s.GetVerificationResults(imageRef)
 	if err != nil {
-		return false, err
+		return err
 	}
 
-	// If we didn't manage to get any verification results, it probably means that the image is not signed.
 	if len(results) == 0 {
-		return false, nil
+		return ErrImageNotSigned
 	}
 
-	// Compare the server information with the verification results
+	// Return nil if any result matches the provenance
 	for _, res := range results {
-		if !isVerificationResultMatchingServerProvenance(res, serverInfo.Provenance) {
-			// The server information does not match the verification result, fail the verification
-			return false, nil
+		if isVerificationResultMatchingServerProvenance(res, provenance) {
+			return nil
 		}
 	}
-	// The server information matches the verification result, pass the verification
-	return true, nil
+	return ErrProvenanceMismatch
 }
 
 func isVerificationResultMatchingServerProvenance(r *verify.VerificationResult, p *registry.Provenance) bool {