diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index 7ab3e083172..60c347ef88d 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go @@ -223,6 +223,9 @@ func (v *LiveSigstoreVerifier) chooseVerifier(issuer string) (*verify.Verifier, } return v.PublicGood, nil case GitHubIssuerOrg: + if v.GitHub == nil { + return nil, fmt.Errorf("GitHub verifier is not available (initialization may have failed)") + } return v.GitHub, nil default: return nil, fmt.Errorf("leaf certificate issuer is not recognized") diff --git a/pkg/cmd/attestation/verification/sigstore_integration_test.go b/pkg/cmd/attestation/verification/sigstore_integration_test.go index daa948b950c..0ba343898a2 100644 --- a/pkg/cmd/attestation/verification/sigstore_integration_test.go +++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go @@ -144,6 +144,28 @@ func TestLiveSigstoreVerifier(t *testing.T) { require.Len(t, results, 2) require.NoError(t, err) }) + + t.Run("returns an error instead of panicking when the GitHub verifier failed to initialize", func(t *testing.T) { + githubArtifactPath := test.NormalizeRelativePath("../test/data/github_provenance_demo-0.0.12-py3-none-any.whl") + githubArtifact, err := artifact.NewDigestedArtifact(nil, githubArtifactPath, "sha256") + require.NoError(t, err) + + githubPolicy := buildPolicy(t, *githubArtifact) + attestations := getAttestationsFor(t, "../test/data/github_provenance_demo-0.0.12-py3-none-any-bundle.jsonl") + + verifier, err := NewLiveSigstoreVerifier(SigstoreConfig{ + ExternalHttpClient: http.DefaultClient, + Logger: io.NewTestHandler(), + TrustDomain: "missing-trust-domain", + TUFMetadataDir: o.Some(t.TempDir()), + }) + require.NoError(t, err) + results, verifyErr := verifier.Verify(attestations, githubPolicy) + require.Nil(t, results) + require.Error(t, verifyErr) + require.ErrorContains(t, verifyErr, "failed to choose verifier based on provided bundle issuer") + require.ErrorContains(t, verifyErr, "GitHub verifier is not available") + }) } func publicGoodPolicy(t *testing.T) verify.PolicyBuilder { diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go index 1f7c925ba24..ae9a502dc99 100644 --- a/pkg/cmd/attestation/verification/sigstore_test.go +++ b/pkg/cmd/attestation/verification/sigstore_test.go @@ -27,6 +27,20 @@ func TestChooseVerifierWithNilPublicGood(t *testing.T) { require.ErrorContains(t, err, "public good verifier is not available") } +func TestChooseVerifierWithNilGitHub(t *testing.T) { + verifier := &LiveSigstoreVerifier{ + Logger: io.NewTestHandler(), + NoPublicGood: false, + PublicGood: nil, + GitHub: nil, // Simulate failed GitHub verifier initialization + } + + _, err := verifier.chooseVerifier(GitHubIssuerOrg) + + require.Error(t, err) + require.ErrorContains(t, err, "GitHub verifier is not available") +} + // TestChooseVerifierUnrecognizedIssuer tests that an error is returned // for unrecognized issuers. func TestChooseVerifierUnrecognizedIssuer(t *testing.T) {