add e2e test malicious builder and cert expiry (#69)

Signed-off-by: Asra Ali <asraa@google.com>

main_test.go

@@ -292,6 +292,18 @@ func Test_runVerify(t *testing.T) {
 			source:   "github.com/asraa/slsa-on-github-test",
 			err:      pkg.ErrorRekorSearch,
 		},
+		{
+			name:     "malicious: untrusted builder",
+			artifact: "./testdata/binary-linux-amd64-untrusted-builder",
+			source:   "github.com/asraa/slsa-on-github-test",
+			err:      pkg.ErrorUntrustedReusableWorkflow,
+		},
+		{
+			name:     "malicious: invalid signature expired certificate",
+			artifact: "./testdata/binary-linux-amd64-expired-cert",
+			source:   "github.com/asraa/slsa-on-github-test",
+			err:      pkg.ErrorNoValidRekorEntries,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below

pkg/provenance.go

@@ -69,7 +69,8 @@ var (
 	errorInvalidVersion            = errors.New("invalid version")
 	errorInvalidRef                = errors.New("invalid ref")
 	errorMalformedWorkflowURI      = errors.New("malformed URI for workflow")
-	errorUntrustedReusableWorkflow = errors.New("untrusted reusable workflow")
+	ErrorUntrustedReusableWorkflow = errors.New("untrusted reusable workflow")
+	ErrorNoValidRekorEntries       = errors.New("could not find a matching valid signature entry")
 )
 
 func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error) {
@@ -343,7 +344,7 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 		return cert, nil
 	}
 
-	return nil, errors.New("could not find a matching signature entry")
+	return nil, ErrorNoValidRekorEntries
 }
 
 func getExtension(cert *x509.Certificate, oid string) string {
@@ -394,7 +395,7 @@ func VerifyWorkflowIdentity(id *WorkflowIdentity, source string) error {
 	// Trusted workflow verification by name.
 	reusableWorkflowName := strings.Trim(workflowPath[0], "/")
 	if _, ok := trustedReusableWorkflows[reusableWorkflowName]; !ok {
-		return fmt.Errorf("%w: %s", errorUntrustedReusableWorkflow, reusableWorkflowName)
+		return fmt.Errorf("%w: %s", ErrorUntrustedReusableWorkflow, reusableWorkflowName)
 	}
 
 	// Verify the ref.

pkg/provenance_test.go

@@ -187,7 +187,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Issuer:            "https://token.actions.githubusercontent.com",
 			},
 			source: "asraa/slsa-on-github-test",
-			err:    errorUntrustedReusableWorkflow,
+			err:    ErrorUntrustedReusableWorkflow,
 		},
 		{
 			name: "untrusted job workflow ref for general repos",