From fb51ab00a50e2fe7ec0beb558f6bbf514319457b Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 14 Sep 2022 10:42:10 +0000
Subject: [PATCH] Fix e2e test failure, add test for local bundle without rekor bundle

Signed-off-by: Hayden Blauzvern
---
 cmd/cosign/cli/verify/verify_blob_test.go | 29 +++++++++++++++++++++++
 test/e2e_test_secrets.sh | 5 +++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
index 8622b9d3250..d419682ec58 100644
--- a/cmd/cosign/cli/verify/verify_blob_test.go
+++ b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -287,6 +287,15 @@ func TestVerifyBlob(t *testing.T) {
 pubKeyBytes, true),
 shouldErr: false,
 },
+ {
+ name: "valid signature with public key - bundle without rekor bundle fails",
+ blob: blobBytes,
+ signature: blobSignature,
+ sigVerifier: signer,
+ experimental: false,
+ bundlePath: makeLocalBundleWithoutRekorBundle(t, []byte(blobSignature), pubKeyBytes),
+ shouldErr: true,
+ },
 {
 name: "valid signature with public key - bad bundle SET",
 blob: blobBytes,
@@ -647,6 +656,26 @@ func makeLocalBundle(t *testing.T, rekorSigner signature.ECDSASignerVerifier,
 return bundlePath
 }
 
+func makeLocalBundleWithoutRekorBundle(t *testing.T, sig []byte, svBytes []byte) string {
+ td := t.TempDir()
+
+ b := cosign.LocalSignedPayload{
+ Base64Signature: base64.StdEncoding.EncodeToString(sig),
+ Cert: string(svBytes),
+ }
+
+ // Write bundle to disk
+ jsonBundle, err := json.Marshal(b)
+ if err != nil {
+ t.Fatal(err)
+ }
+ bundlePath := filepath.Join(td, "bundle.sig")
+ if err := os.WriteFile(bundlePath, jsonBundle, 0644); err != nil {
+ t.Fatal(err)
+ }
+ return bundlePath
+}
+
 func TestVerifyBlobCmdWithBundle(t *testing.T) {
 keyless := newKeylessStack(t)
 
diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
index 6b7aad8a6ff..8a59046abd5 100755
--- a/test/e2e_test_secrets.sh
+++ b/test/e2e_test_secrets.sh
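Review bot: The new table entry asserts only `shouldErr: true`, so any failure of the verification satisfies it, not specifically the missing rekor bundle that the case name promises; a rejection of the bundle's `Cert` field, which the helper call here fills with `pubKeyBytes` rather than a certificate, would pass this test just as well. If the table supports an expected-error field, pin the message there, or add a sibling case built the same way but with a rekor bundle present so the only difference between pass and fail is the missing `Bundle`. TestVerifyBlob's body continues outside the hunk.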
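Review bot: `makeLocalBundleWithoutRekorBundle` calls `t.Fatal` twice but never `t.Helper()`, so a marshal or write failure is reported at the helper's own line instead of at the test case that requested the bundle; add `t.Helper()` as the first statement. The parameter `svBytes` is written into the `Cert` field and the helper has no doc comment, so the reader cannot tell whether a certificate or a raw verifier key is intended (the existing caller passes public-key bytes); rename it to `certPEM` or document the choice, and add `// makeLocalBundleWithoutRekorBundle writes a LocalSignedPayload carrying only the signature and Cert fields (no rekor Bundle) to a temp file and returns its path.` above the function. The write-to-disk tail looks like a copy of makeLocalBundle's ending, which starts outside the hunk; if so, a shared `writeBundle(t, b)` helper would keep the two from drifting. TestVerifyBlobCmdWithBundle's body continues outside the hunk.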
@@ -110,13 +110,16 @@ echo "myblob2" > myblob2 ./cosign sign-blob --key ${signing_key} myblob2 > myblob2.sig ./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob +# expected to fail because signature mismatch if (./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob2); then false; fi +# expected to fail because signature mismatch if (./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob); then false; fi ./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob2 ./cosign sign-blob --key ${signing_key} --bundle bundle.sig myblob -./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob +# expected to fail because the local bundle does not contain a rekor bundle +if (./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob); then false; fi ## sign and verify multiple blobs ./cosign sign-blob --key ${signing_key} myblob myblob2 > sigs
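Review bot: Swapping the positive `--bundle` verification for a negative one leaves this script with no successful `verify-blob --bundle` run, so a regression that breaks bundle verification outright would go unnoticed; keep a passing case next to the new failing one if the setup can produce a bundle that does carry a rekor entry. The `if (...); then false; fi` checks, including the three newly commented ones, also accept any non-zero exit, so an unrelated error such as a bad flag reads as success; capturing stderr and checking the reason, `if ./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob 2>err.txt; then false; fi` followed by `grep -q '<EXPECTED_ERROR_SUBSTRING>' err.txt`, would make the expectation concrete. This pattern presumably relies on `set -e` being enabled earlier in the script, which is outside the hunk.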