return error when rekor pub cannot be retrieved, fix file path construction (#1157)

Jake Sanders · web-flow · commit dd53292c81c6 · 2021-12-07T11:28:55.000-08:00
Signed-off-by: Jake Sanders &lt;jsand@google.com&gt;
diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
@@ -43,14 +43,14 @@ import (
 // This is the rekor public key target name
 var rekorTargetStr = `rekor.pub`
 
-func GetRekorPub(ctx context.Context) string {
+// GetRekorPub retrieves the rekor public key from the embedded or cached TUF root. If expired, makes a
+// network call to retrieve the updated target.
+func GetRekorPub(ctx context.Context) ([]byte, error) {
 	buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
-	// Retrieves the rekor public key from the embedded or cached TUF root. If expired, makes a
-	// network call to retrieve the updated target.
 	if err := tuf.GetTarget(ctx, rekorTargetStr, &buf); err != nil {
-		panic("error retrieving rekor public key")
+		return nil, err
 	}
-	return buf.String()
+	return buf.Bytes(), nil
 }
 
 // TLogUpload will upload the signature, public key and payload to the transparency log.
diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
@@ -41,7 +41,6 @@ import (
 const (
 	TufRootEnv        = "TUF_ROOT"
 	SigstoreNoCache   = "SIGSTORE_NO_CACHE"
-	defaultLocalStore = ".sigstore/root/"
 	DefaultRemoteRoot = "sigstore-tuf-root"
 )
 
@@ -68,7 +67,7 @@ func CosignCachedRoot() string {
 		if err != nil {
 			home = ""
 		}
-		return path.Join(home, defaultLocalStore)
+		return path.Join(home, ".sigstore", "root")
 	}
 	return rootDir
 }
@@ -102,7 +101,7 @@ func getLocalTarget(name string) (fs.File, error) {
 		// Return local cached target
 		return os.Open(path.Join(CosignCachedTargets(), name))
 	}
-	return root.Open(path.Join("repository/targets", name))
+	return root.Open(path.Join("repository", "targets", name))
 }
 
 type signedMeta struct {
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -446,7 +446,12 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {
 		return false, nil
 	}
 
-	rekorPubKey, err := PemToECDSAKey([]byte(GetRekorPub(ctx)))
+	pub, err := GetRekorPub(ctx)
+	if err != nil {
+		return false, errors.Wrap(err, "retrieving rekor public key")
+	}
+
+	rekorPubKey, err := PemToECDSAKey(pub)
 	if err != nil {
 		return false, errors.Wrap(err, "pem to ecdsa")
 	}

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ import (`
`41`	`41`	`const (`
`42`	`42`	`TufRootEnv = "TUF_ROOT"`
`43`	`43`	`SigstoreNoCache = "SIGSTORE_NO_CACHE"`
`44`		`- defaultLocalStore = ".sigstore/root/"`
`45`	`44`	`DefaultRemoteRoot = "sigstore-tuf-root"`
`46`	`45`	`)`
`47`	`46`
`@@ -68,7 +67,7 @@ func CosignCachedRoot() string {`
`68`	`67`	`if err != nil {`
`69`	`68`	`home = ""`
`70`	`69`	`}`
`71`		`- return path.Join(home, defaultLocalStore)`
	`70`	`+ return path.Join(home, ".sigstore", "root")`
`72`	`71`	`}`
`73`	`72`	`return rootDir`
`74`	`73`	`}`
`@@ -102,7 +101,7 @@ func getLocalTarget(name string) (fs.File, error) {`
`102`	`101`	`// Return local cached target`
`103`	`102`	`return os.Open(path.Join(CosignCachedTargets(), name))`
`104`	`103`	`}`
`105`		`- return root.Open(path.Join("repository/targets", name))`
	`104`	`+ return root.Open(path.Join("repository", "targets", name))`
`106`	`105`	`}`
`107`	`106`
`108`	`107`	`type signedMeta struct {`
Original file line number	Diff line number	Diff line change
`@@ -446,7 +446,12 @@ func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error) {`
`446`	`446`	`return false, nil`
`447`	`447`	`}`
`448`	`448`
`449`		`- rekorPubKey, err := PemToECDSAKey([]byte(GetRekorPub(ctx)))`
	`449`	`+ pub, err := GetRekorPub(ctx)`
	`450`	`+ if err != nil {`
	`451`	`+ return false, errors.Wrap(err, "retrieving rekor public key")`
	`452`	`+ }`
	`453`	`+`
	`454`	`+ rekorPubKey, err := PemToECDSAKey(pub)`
`450`	`455`	`if err != nil {`
`451`	`456`	`return false, errors.Wrap(err, "pem to ecdsa")`
`452`	`457`	`}`