fix: Use Run instead of RunE to handle usage/errors (#424)

* Use `Run` instead of `RunE` to handle usage/errors

We want to only display the usage message if there is an error in the
parsing of arguments. Once the arguments are parsed and we invoke the
internal implementation the usage message should not be displayed
anymore, regardless of what internal error gets returned. Fortunately,
the fix is easy.

Tested:

* passing scenario:
```
[...]$ slsa-verifier verify-artifact \
       --provenance-path multiple.intoto.jsonl \
       --source-uri github.com/example/repo fib
Verified signature against tlog entry index 9712459 at URL: ...
Verified build using builder ...
Verifying artifact fib: PASSED

PASSED: Verified SLSA provenance
```

* failing scenario with missing artifact file:
```
[...]$ slsa-verifier verify-artifact \
       --provenance-path multiple.intoto.jsonl \
       --source-uri github.com/example/repo fibs
Verifying artifact fibs: FAILED: open fibs: no such file or directory

FAILED: SLSA verification failed: open fibs: no such file or directory
```

* failing scenario with invalid artifact:
```
[...]$ slsa-verifier verify-artifact \
       --provenance-path multiple.intoto.jsonl \
       --source-uri github.com/example/repo multiple.intoto.jsonl
Verified signature against tlog entry index 9712459 at URL: ...
Verifying artifact multiple.intoto.jsonl: FAILED: expected hash ...

FAILED: SLSA verification failed: expected hash ...
```

* failing scenario due to invalid usage (missing required arguments):
```
[...]$ slsa-verifier verify-artifact \
       --provenance-path multiple.intoto.jsonl
Usage:
  slsa-verifier verify-artifact [flags] artifact [artifact..]

Flags:
      --build-workflow-input map[]    [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
      --builder-id string             [optional] the unique builder ID who created the provenance
  -h, --help                          help for verify-artifact
      --print-provenance              [optional] print the verified provenance to stdout
      --provenance-path string        path to a provenance file
      --source-branch string          [optional] expected branch the binary was compiled from
      --source-tag string             [optional] expected tag the binary was compiled from
      --source-uri string             expected source repository that should have produced the binary, e.g. github.com/some/repo
      --source-versioned-tag string   [optional] expected version the binary was compiled from. Uses semantic version to match the tag

required flag(s) "source-uri" not set
exit status 1
```

Fixes #307

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Handle the same fix in image verification

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* go fmt

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
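The two-phase behaviour the commit message asks for (usage text only for argument errors, never for errors from the verifier itself, and a non-zero exit status in both cases) is easy to get subtly wrong once the cobra `RunE` error return is dropped. The following is an added example and not the slsa-verifier project's code: it models the same contract with the standard library `flag` package instead of cobra so that it runs stand-alone, and `runVerifyArtifact`, `Outcome`, `fakeVerify` and the set of "known" artifacts are all hypothetical, constructed to mirror the tested scenarios in the commit message.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
)

// Outcome records how an invocation ended so that callers and tests can tell a
// usage error (usage text printed) from a verification failure (no usage).
type Outcome struct {
	ExitCode   int
	UsageShown bool
	Err        error
}

// verifyFn stands in for the real verification logic (hypothetical signature).
type verifyFn func(provenancePath, sourceURI string, artifacts []string) error

// runVerifyArtifact models a "verify-artifact" subcommand with two phases:
// phase 1 parses and validates arguments and prints usage on any problem;
// phase 2 runs the verifier and reports FAILED/PASSED without ever printing
// usage again. Both kinds of failure hand exit code 1 back to the caller.
func runVerifyArtifact(args []string, out io.Writer, verify verifyFn) Outcome {
	fs := flag.NewFlagSet("verify-artifact", flag.ContinueOnError)
	fs.SetOutput(out)
	fs.Usage = func() {
		fmt.Fprintln(out, "Usage:")
		fmt.Fprintln(out, "  verify-artifact [flags] artifact [artifact...]")
		fmt.Fprintln(out, "\nFlags:")
		fs.PrintDefaults()
	}
	provenancePath := fs.String("provenance-path", "", "path to a provenance file")
	sourceURI := fs.String("source-uri", "", "expected source repository")

	usageError := func(err error) Outcome {
		fmt.Fprintln(out, "Error:", err)
		fs.Usage()
		return Outcome{ExitCode: 1, UsageShown: true, Err: err}
	}

	// Phase 1: unknown flags, bad values and -h are reported by Parse, which
	// (with ContinueOnError) has already written the error and usage to out.
	if err := fs.Parse(args); err != nil {
		if errors.Is(err, flag.ErrHelp) {
			return Outcome{ExitCode: 0, UsageShown: true} // help is not a failure
		}
		return Outcome{ExitCode: 1, UsageShown: true, Err: err}
	}
	if *provenancePath == "" || *sourceURI == "" {
		return usageError(errors.New(`required flag(s) "provenance-path", "source-uri" not set`))
	}
	if fs.NArg() == 0 {
		return usageError(errors.New("requires at least one artifact"))
	}

	// Phase 2: arguments are valid; whatever fails now is not a usage problem.
	if err := verify(*provenancePath, *sourceURI, fs.Args()); err != nil {
		fmt.Fprintf(out, "FAILED: SLSA verification failed: %v\n", err)
		return Outcome{ExitCode: 1, Err: err}
	}
	fmt.Fprintln(out, "PASSED: Verified SLSA provenance")
	return Outcome{ExitCode: 0}
}

// fakeVerify is a constructed stand-in, not the project's verifier: it treats
// "fib" as a valid artifact and reports any other name as a missing file,
// mirroring the scenarios in the commit message.
func fakeVerify(_ string, _ string, artifacts []string) error {
	known := map[string]bool{"fib": true} // constructed sample data
	for _, a := range artifacts {
		if !known[a] {
			return fmt.Errorf("open %s: no such file or directory", a)
		}
	}
	return nil
}

func main() {
	// The exit code is surfaced explicitly, so a failed verification cannot be
	// mistaken for success by a caller such as `verify ... && deploy`.
	os.Exit(runVerifyArtifact(os.Args[1:], os.Stderr, fakeVerify).ExitCode)
}
```

The point of returning an `Outcome` rather than printing and forgetting is the caveat that matters for a verifier: once the command function no longer returns an error, the process exit status has to be set explicitly, or a failed verification exits 0 and any script gating a deployment on the verifier's result will let the artifact through.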
Mihai Maruseac
2023-01-03 12:08:01 -08:00
committed by GitHub
parent 17463c02b3
commit a72569a87a


@@ -40,7 +40,7 @@ func verifyArtifactCmd() *cobra.Command {
return nil
},
Short: "Verifies SLSA provenance on artifact blobs given as arguments (assuming same provenance)",
RunE: func(cmd *cobra.Command, args []string) error {
Run: func(cmd *cobra.Command, args []string) {
v := verify.VerifyArtifactCommand{
ProvenancePath: o.ProvenancePath,
SourceURI: o.SourceURI,
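Review bot: replacing `RunE` with `Run` suppresses the usage message by removing the error return altogether, so `main` can no longer learn that the command failed; cobra's conventional way to get the intended behaviour while keeping `RunE` is `SilenceUsage: true` on the command (or `cmd.SilenceUsage = true` as the first statement of the function, since by then argument validation has passed), which stops usage being printed for execution errors but still propagates the error and its non-zero exit. Whichever approach stays, a one-line comment next to `Run:` explaining that usage suppression is the reason would save the next reader from "fixing" it back to `RunE`.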
@@ -62,11 +62,9 @@ func verifyArtifactCmd() *cobra.Command {
if _, err := v.Exec(cmd.Context(), args); err != nil {
fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
return err
} else {
fmt.Fprintf(os.Stderr, "%s\n", SUCCESS)
}
fmt.Fprintf(os.Stderr, "%s\n", SUCCESS)
return nil
},
}
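Review bot: `return err` is dropped in the failure branch but no replacement that ends the process with a non-zero status is visible in this rendering of the hunk (the `-62,11 +62,9` header accounts for more lines than are shown, and the `+`/`-` markers have been lost, so lines may be missing from this view). With `Run` nothing propagates to `main`, so unless an `os.Exit(1)` follows the `FAILURE` print a failed verification exits 0 and a pipeline gating on `slsa-verifier verify-artifact ... && deploy` would treat it as success; the test transcript in the commit message shows `exit status 1` only for the usage case, not for the two FAILED cases. Please confirm the failure branch sets the exit code, e.g. `fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)` followed by `os.Exit(1)`.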
@@ -87,7 +85,7 @@ func verifyImageCmd() *cobra.Command {
return nil
},
Short: "Verifies SLSA provenance on a container image",
RunE: func(cmd *cobra.Command, args []string) error {
Run: func(cmd *cobra.Command, args []string) {
v := verify.VerifyImageCommand{
SourceURI: o.SourceURI,
PrintProvenance: o.PrintProvenance,
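Review bot: same change as for `verify-artifact`; since the `Args` validator (the `return nil` just above) still runs before `Run`, argument errors continue to trigger the usage text, which matches the intent. Both commands now end with an identical exec/report tail, so consider factoring it into one small helper shared by `verifyArtifactCmd` and `verifyImageCmd` so that the exit-status handling cannot drift between the two.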
@@ -111,11 +109,9 @@ func verifyImageCmd() *cobra.Command {
if _, err := v.Exec(cmd.Context(), args); err != nil {
fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
return err
} else {
fmt.Fprintf(os.Stderr, "%s\n", SUCCESS)
}
fmt.Fprintf(os.Stderr, "%s\n", SUCCESS)
return nil
},
}
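Review bot: as in the `verify-artifact` hunk, the removed `return err` needs a visible non-zero exit in the failure branch after `fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)`; the `-111,11 +109,9` header again covers more lines than the rendered hunk shows, so please confirm an `os.Exit(1)` (or equivalent) is there. For image verification the consequence of a silent exit 0 is an unverified image being admitted by any caller that only checks the exit status, which is the common way this tool is wired into CI.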