Fix race condition with bundleVerified bool
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
priyawadhwa committed Jun 20, 2023
1 parent cfe0dd3 commit 41db33e
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions pkg/cosign/verify.go
Expand Up @@ -600,6 +600,7 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C

validationErrs := make([]string, len(sl))
signatures := make([]oci.Signature, len(sl))
bundlesVerified := make([]bool, len(sl))

var wg sync.WaitGroup

Expand All @@ -613,7 +614,7 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
return
}
verified, err := VerifyImageSignature(ctx, sig, h, co)
bundleVerified = bundleVerified || verified
bundlesVerified[index] = verified
if err != nil {
validationErrs[index] = err.Error()
return
Expand All @@ -629,6 +630,10 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
}
}

for _, verified := range bundlesVerified {
bundleVerified = bundleVerified || verified
}

if len(checkedSignatures) == 0 {
// TODO: ErrNoMatchingSignatures.Unwrap should return []error,
// or we should replace "...%s" strings.Join with "...%w", errors.Join.
Expand Down Expand Up @@ -950,6 +955,7 @@ func verifyImageAttestations(ctx context.Context, atts oci.Signatures, h v1.Hash

validationErrs := make([]string, len(sl))
attestations := make([]oci.Signature, len(sl))
bundlesVerified := make([]bool, len(sl))

var wg sync.WaitGroup

Expand All @@ -964,7 +970,7 @@ func verifyImageAttestations(ctx context.Context, atts oci.Signatures, h v1.Hash
}
if err := func(att oci.Signature) error {
verified, err := verifyInternal(ctx, att, h, verifyOCIAttestation, co)
bundleVerified = bundleVerified || verified
bundlesVerified[index] = verified
return err
}(att); err != nil {
validationErrs[index] = err.Error()
Expand All @@ -981,6 +987,10 @@ func verifyImageAttestations(ctx context.Context, atts oci.Signatures, h v1.Hash
}
}

for _, verified := range bundlesVerified {
bundleVerified = bundleVerified || verified
}

if len(checkedAttestations) == 0 {
return nil, false, &ErrNoMatchingAttestations{
fmt.Errorf("no matching attestations: %s", strings.Join(validationErrs, "\n ")),
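Review bot: In the second hunk of verifySignatures, `bundlesVerified[index] = verified` runs before the `if err != nil` check, so a rejected signature can still turn the aggregated `bundleVerified` result true if VerifyImageSignature ever returns `true` together with an error (its body is not visible here, so this needs confirming). The same ordering appears in verifyImageAttestations, where the closure records `verified` before returning `err`. If the flag is meant to describe only accepted signatures, record it after the error check, i.e. keep `if err != nil { validationErrs[index] = err.Error(); return }` first and then `bundlesVerified[index] = verified`; if counting failed entries is intentional, say so in a comment next to the assignment. Either way a short comment such as `// bundlesVerified[i] is written only by goroutine i and read after wg.Wait()` would document why the slice is race-free. Both functions start and end outside the hunks shown, including the wg.Wait() call that the new aggregation loops rely on.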
