From 2c40f6fefb5d67d44c5d3f2be823d5af40111946 Mon Sep 17 00:00:00 2001
From: Mathis Joffre
Date: Mon, 24 Oct 2022 23:12:40 +0200
Subject: [PATCH 1/2] Exit with failure on empty signing key

Signed-off-by: Mathis Joffre
---
 cmd/build.go | 14 ++++++++------
 cmd/sign.go | 5 ++++-
 cmd/sign_test.go | 5 +++++
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/cmd/build.go b/cmd/build.go
index 938411c275..3efdb9aef5 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -261,7 +261,10 @@ func dobuild(params buildParams, args []string) error {
 return err
 }
 
- bsc := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ bsc, err := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ if err != nil {
+ return err
+ }
 
 if bvc != nil || bsc != nil {
 if !params.bundleMode {
@@ -346,10 +349,9 @@ func buildVerificationConfig(pubKey, pubKeyID, alg, scope string, excludeFiles [
 return bundle.NewVerificationConfig(map[string]*keys.Config{pubKeyID: keyConfig}, pubKeyID, scope, excludeFiles), nil
 }
 
-func buildSigningConfig(key, alg, claimsFile, plugin string) *bundle.SigningConfig {
- if key == "" {
- return nil
+func buildSigningConfig(key, alg, claimsFile, plugin string) (*bundle.SigningConfig, error) {
+ if key == "" && (plugin != "" || claimsFile != "" || alg != "") {
+ return nil, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)")
 }
-
- return bundle.NewSigningConfig(key, alg, claimsFile).WithPlugin(plugin)
+ return bundle.NewSigningConfig(key, alg, claimsFile).WithPlugin(plugin), nil
 }
diff --git a/cmd/sign.go b/cmd/sign.go
index fd1f90ba63..f16a640666 100644
--- a/cmd/sign.go
+++ b/cmd/sign.go
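Review bot: In `buildSigningConfig` (cmd/build.go, hunk at -346,10) the `alg != ""` term ties the missing-key error to the algorithm value, and if the flag behind `params.algorithm` is registered with a non-empty default (its definition is not visible in this patch), every build that does not sign would now fail with that error. If that is the case, the guard should look only at options a user sets on purpose: `if key == "" && (plugin != "" || claimsFile != "") {`. The same condition is carried unchanged as context into the patch 2/2 hunk, so the point applies to the final state of the series as well.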
@@ -170,7 +170,10 @@ func doSign(args []string, params signCmdParams) error {
 return err
 }
 
- signingConfig := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ signingConfig, err := buildSigningConfig(params.key, params.algorithm, params.claimsFile, params.plugin)
+ if err != nil {
+ return err
+ }
 
 token, err := bundle.GenerateSignedToken(files, signingConfig, "")
 if err != nil {
diff --git a/cmd/sign_test.go b/cmd/sign_test.go
index 75b7fdc000..d3905b2df4 100644
--- a/cmd/sign_test.go
+++ b/cmd/sign_test.go
@@ -147,6 +147,11 @@ func TestValidateSignParams(t *testing.T) {
 newSignCmdParams(),
 true, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)"),
 },
+ "empty_signing_key": {
+ []string{"foo"},
+ signCmdParams{key: "", bundleMode: true},
+ true, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)"),
+ },
 "non_bundle_mode": {
 []string{"foo"},
 signCmdParams{key: "foo"},

From bf473acbada898072f5dca6dc62dc0d41feb6d02 Mon Sep 17 00:00:00 2001
From: Mathis Joffre
Date: Tue, 1 Nov 2022 11:17:51 +0100
Subject: [PATCH 2/2] Exit with failure on empty signing key

Signed-off-by: Mathis Joffre
---
 cmd/build.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cmd/build.go b/cmd/build.go
index 3efdb9aef5..0653a572b1 100644
--- a/cmd/build.go
+++ b/cmd/build.go
@@ -353,5 +353,8 @@ func buildSigningConfig(key, alg, claimsFile, plugin string) (*bundle.SigningCon
 if key == "" && (plugin != "" || claimsFile != "" || alg != "") {
 return nil, fmt.Errorf("specify the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)")
 }
+ if key == "" {
+ return nil, nil
+ }
 return bundle.NewSigningConfig(key, alg, claimsFile).WithPlugin(plugin), nil
 }
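Review bot: In `doSign` (cmd/sign.go) `signingConfig` is passed to `bundle.GenerateSignedToken` without a nil check, while patch 2/2 makes `buildSigningConfig` return `nil, nil` when the key and every other signing option are empty. Whether an earlier validation step always rejects an empty key before `doSign` runs is not visible in this hunk, so the sign command should fail closed here as well, with `if signingConfig == nil {` returning the same missing-key error before the token is generated. doSign's body starts and ends outside the hunk.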
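Review bot: The added `empty_signing_key` case goes through `TestValidateSignParams`, so the new return paths of `buildSigningConfig` are not exercised by any test in this series. Those paths are the error when signing options are given without a key, and `nil, nil` from patch 2/2. A small table test on `buildSigningConfig` itself would pin the fail-closed behaviour; a sketch with constructed sample values follows. The new case also expects the same error as the entry just above it, so it may be redundant if `newSignCmdParams()` already leaves the key empty (not visible here). TestValidateSignParams starts and ends outside the hunk.

```go
func TestBuildSigningConfig(t *testing.T) {
	// Sample values are constructed for illustration only.
	tests := map[string]struct {
		key, alg, claimsFile, plugin string
		wantErr, wantNil             bool
	}{
		"no_signing_options": {wantNil: true},
		"plugin_without_key": {plugin: "example_plugin", wantErr: true},
		"claims_without_key": {claimsFile: "claims.json", wantErr: true},
		"key_only":           {key: "example-secret"},
	}

	for name, tc := range tests {
		t.Run(name, func(t *testing.T) {
			sc, err := buildSigningConfig(tc.key, tc.alg, tc.claimsFile, tc.plugin)
			if (err != nil) != tc.wantErr {
				t.Fatalf("unexpected error state: %v", err)
			}
			if err == nil && (sc == nil) != tc.wantNil {
				t.Fatalf("config nil = %v, want %v", sc == nil, tc.wantNil)
			}
		})
	}
}
```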
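Review bot: After the patch 2/2 hunk `buildSigningConfig` has three outcomes (an error, `nil, nil`, and a config), and nothing in cmd/build.go states that `nil, nil` means signing was not requested, which `dobuild` relies on in its `bsc != nil` test. A doc comment would make the contract explicit: `// buildSigningConfig returns nil, nil when no signing option is set, and an error when signing options are given without a key.` The two consecutive `key == ""` tests could also be nested under a single `if key == "" {` so the unsigned case and the misconfigured case read together. The function's signature line is outside this hunk.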