Closed
Description
Description
The bundleVerified flag is not being set to true following a successful online verification using Rekor, as seen in the code snippet below.
if !co.IgnoreTlog {
bundleVerified, err = VerifyBundle(sig, co)
if err != nil {
return false, fmt.Errorf("error verifying bundle: %w", err)
}
if bundleVerified {
// Update with the verified bundle's integrated time.
t, err := getBundleIntegratedTime(sig)
if err != nil {
return false, fmt.Errorf("error getting bundle integrated time: %w", err)
}
acceptableRekorBundleTime = &t
} else {
// If the --offline flag was specified, fail here. bundleVerified returns false with
// no error when there was no bundle provided.
if co.Offline {
return false, fmt.Errorf("offline verification failed")
}
// no Rekor client provided for an online lookup
if co.RekorClient == nil {
return false, fmt.Errorf("rekor client not provided for online verification")
}
pemBytes, err := keyBytes(sig, co)
if err != nil {
return false, err
}
e, err := tlogValidateEntry(ctx, co.RekorClient, co.RekorPubKeys, sig, pemBytes)
if err != nil {
return false, err
}
t := time.Unix(*e.IntegratedTime, 0)
acceptableRekorBundleTime = &t
}
}Expected Behavior:
In the else branch of the verification logic, if the Rekor verification succeeds, the bundleVerified should be set to true.
Version
2.2.4