fix for issue 3426

Signed-off-by: Mukuls77 <mukul.sharma@nokia.com>
sigstore · Dec 13, 2023 · ee8800d · ee8800d
1 parent ed4a6d7
commit ee8800d
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 10 deletions.
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -38,7 +38,6 @@ import (
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/blob"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/v2/pkg/oci"
@@ -208,7 +207,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	certRef := c.CertRef
 
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if keylessVerificationWithSCTEnabled(c.IgnoreSCT, c.KeyRef, c.Sk, c.CertChain) {
+	if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)
@@ -502,17 +501,13 @@ func keylessVerification(keyRef string, sk bool) bool {
 	return true
 }
 
-func keylessVerificationWithSCTEnabled(ignoreSCT bool, keyRef string, sk bool, certChain string) bool {
-	rootEnv := env.Getenv(env.VariableSigstoreRootFile)
+func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool {
 	if keyRef != "" {
 		return false
 	}
 	if sk {
 		return false
 	}
-	if ignoreSCT && (certChain != "" || rootEnv != "") {
-		return false
-	}
 	if ignoreSCT {
 		return false
 	}

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -111,7 +111,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 	}
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if keylessVerificationWithSCTEnabled(c.IgnoreSCT, c.KeyRef, c.Sk, c.CertChain) {
+	if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -286,7 +286,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	}
 
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if keylessVerificationWithSCTEnabled(c.IgnoreSCT, c.KeyRef, c.Sk, c.CertChain) {
+	if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)

diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -190,7 +190,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		}
 	}
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
-	if keylessVerificationWithSCTEnabled(c.IgnoreSCT, c.KeyRef, c.Sk, c.CertChain) {
+	if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 		if err != nil {
 			return fmt.Errorf("getting ctlog public keys: %w", err)