
Fix e2e test failure, add test for local bundle without rekor bundle #2248

Merged
merged 2 commits into from Sep 14, 2022

Conversation

haydentherapper
Contributor

@haydentherapper haydentherapper commented Sep 14, 2022

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Summary

This fixes the behavior of verify-blob when the local bundle does not contain a Rekor bundle (for example, signed without experimental mode). In this case, verify-blob will still run using the local bundle for the cert/sig information.

If it does not contain one and we require a timestamp for cert validity, we fail. Adds a test where a short-lived cert with a bundle missing a Rekor bundle and no experimental mode fails. But if experimental is on, we can succeed.

Release Note

  • fix: Fixes verify-blob to handle local bundles that do not contain Rekor bundles.

Documentation

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
cpanato
cpanato previously approved these changes Sep 14, 2022
@codecov-commenter

codecov-commenter commented Sep 14, 2022

Codecov Report

Merging #2248 (fb51ab0) into main (58a96ba) will increase coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #2248      +/-   ##
==========================================
+ Coverage   28.35%   28.39%   +0.03%     
==========================================
  Files         131      131              
  Lines        7839     7839              
==========================================
+ Hits         2223     2226       +3     
+ Misses       5315     5313       -2     
+ Partials      301      300       -1     
Impacted Files                        Coverage Δ
cmd/cosign/cli/verify/verify_blob.go  44.44% <0.00%> (+0.65%) ⬆️


@haydentherapper
Contributor Author

@asraa I'm not 100% this is the right behavior. This is the case where we provide a local bundle (without experimental, so no rekor lookup) with just a signature (and it could optionally contain a cert too, but in the test, we pass a key), and the local bundle has no rekor bundle.

This is probably actually a valid use-case, that you use the local bundle just to hold the verification material.

@asraa
Contributor

asraa commented Sep 14, 2022

@asraa I'm not 100% this is the right behavior. This is the case where we provide a local bundle (without experimental, so no rekor lookup) with just a signature (and it could optionally contain a cert too, but in the test, we pass a key), and the local bundle has no rekor bundle.

Ugh. I see this case.
Unfortunately we CAN produce a bundle out of experimental mode:

if ko.BundlePath != "" {

So I think this should technically pass?

Contributor

@asraa asraa left a comment


Fortunately this is a correctness issue, not a security concern...

But this really clobbers the verify Rekor Bundle logic. That I guess, should actually refer to the rekor bundle inside the local bundle.

@haydentherapper
Contributor Author

Can we just add a check for experimental flag when verifying with a Rekor bundle? I think that’s the simplest fix.

@asraa
Contributor

asraa commented Sep 14, 2022

Can we just add a check for experimental flag when verifying with a Rekor bundle? I think that’s the simplest fix.

Simplest fix would be that verifyRekorBundle only executes when there is a bundle inside the local bundle, IMO!

@haydentherapper
Contributor Author

That sounds good!
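The decision the thread converges on (run the Rekor-bundle verification only when the local bundle actually carries one, otherwise fall back to an online lookup in experimental mode or to local material alone, and fail only when a timestamp is required for cert validity), as an added illustration. This is not cosign's code; LocalBundle, RekorBundle, decide and the Outcome values are hypothetical stand-ins for the types in verify_blob.go.

```go
package main

import (
	"errors"
	"fmt"
)

// LocalBundle is a hypothetical stand-in for what verify-blob reads from
// --bundle: a signature, an optional certificate, and an optional Rekor bundle.
type LocalBundle struct {
	Sig         []byte
	Cert        []byte // empty when verifying against a public key
	RekorBundle *RekorBundle
}

// RekorBundle stands in for the signed entry timestamp stored by Rekor.
type RekorBundle struct {
	IntegratedTime int64
}

// Outcome names the verification path that was taken.
type Outcome string

const (
	VerifiedOfflineBundle Outcome = "rekor bundle verified offline"
	VerifiedOnlineLookup  Outcome = "rekor entry looked up online (experimental)"
	VerifiedLocalOnly     Outcome = "verified with local material only"
)

var ErrNoTimestamp = errors.New("cert requires a timestamp but no Rekor bundle or online lookup is available")

// decide models the fix: verifyRekorBundle runs only when the local bundle
// contains a Rekor bundle. Without one, experimental mode allows an online
// lookup; otherwise the local sig/cert alone is used, which must fail when a
// timestamp is required (short-lived certificate) and none can be obtained.
func decide(b LocalBundle, experimental, needsTimestamp bool) (Outcome, error) {
	if b.RekorBundle != nil {
		return VerifiedOfflineBundle, nil
	}
	if experimental {
		return VerifiedOnlineLookup, nil
	}
	if needsTimestamp {
		return "", ErrNoTimestamp
	}
	return VerifiedLocalOnly, nil
}

func main() {
	// Constructed input: bundle with just a signature, no experimental flag, key-based verification.
	out, err := decide(LocalBundle{Sig: []byte("sig")}, false, false)
	fmt.Println(out, err)
}
```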

Signed-off-by: Asra Ali <asraa@google.com>
@asraa
Contributor

asraa commented Sep 14, 2022

Done! Updated description and release note @cpanato @haydentherapper

@cpanato
Member

cpanato commented Sep 14, 2022

going to merge this to check the post submit jobs and if they are green will release it

@cpanato cpanato merged commit a780d68 into sigstore:main Sep 14, 2022
@github-actions github-actions bot added this to the v1.12.0 milestone Sep 14, 2022
@haydentherapper haydentherapper deleted the temp-e2e-fix branch January 10, 2023 23:34