Merge pull request #1417 from fluxcd/switch-to-verify-ocirepo

Use the verify defined interface in OCIRepository

Author: souleb

internal/controller/ocirepository_controller.go

@@ -644,7 +644,7 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 				return soci.VerificationResultFailed, err
 			}
 
-			signatureVerified := false
+			signatureVerified := soci.VerificationResultFailed
 			for k, data := range pubSecret.Data {
 				// search for public keys in the secret
 				if strings.HasSuffix(k, ".pub") {
@@ -653,19 +653,19 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 						return soci.VerificationResultFailed, err
 					}
 
-					signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
-					if err != nil {
+					result, err := verifier.Verify(ctxTimeout, ref)
+					if err != nil || result == soci.VerificationResultFailed {
 						continue
 					}
 
-					if signatures != nil {
-						signatureVerified = true
+					if result == soci.VerificationResultSuccess {
+						signatureVerified = result
 						break
 					}
 				}
 			}
 
-			if !signatureVerified {
+			if signatureVerified == soci.VerificationResultFailed {
 				return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 			}
 
@@ -689,16 +689,16 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			return soci.VerificationResultFailed, err
 		}
 
-		signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
+		result, err := verifier.Verify(ctxTimeout, ref)
 		if err != nil {
 			return soci.VerificationResultFailed, err
 		}
 
-		if len(signatures) > 0 {
-			return soci.VerificationResultSuccess, nil
+		if result == soci.VerificationResultFailed {
+			return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
 		}
 
-		return soci.VerificationResultFailed, fmt.Errorf("no matching signatures were found for '%s'", ref)
+		return soci.VerificationResultSuccess, nil
 
 	case "notation":
 		// get the public keys from the given secret

internal/oci/cosign/cosign.go

@@ -27,7 +27,6 @@ import (
 	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/oci"
 	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -146,16 +145,11 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 	}, nil
 }
 
-// VerifyImageSignatures verify the authenticity of the given ref OCI image.
-func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
-	return cosign.VerifyImageSignatures(ctx, ref, v.opts)
-}
-
 // Verify verifies the authenticity of the given ref OCI image.
 // It returns a boolean indicating if the verification was successful.
 // It returns an error if the verification fails, nil otherwise.
 func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
-	signatures, _, err := v.VerifyImageSignatures(ctx, ref)
+	signatures, _, err := cosign.VerifyImageSignatures(ctx, ref, v.opts)
 	if err != nil {
 		return soci.VerificationResultFailed, err
 	}