updated per code review

Signed-off-by: Patrick Zheng <[email protected]>
notaryproject · Aug 30, 2023 · 06b9ea4 · 06b9ea4
1 parent fcd8ca6
commit 06b9ea4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 39 deletions.
diff --git a/notation.go b/notation.go
@@ -193,13 +193,10 @@ type ValidationResult struct {
 	Error error
 }
 
-// VerificationOutcome encapsulates a signature manifest's descriptor,
-// its envelope blob, its content, the verification level and results for each
-// verification type that was performed.
+// VerificationOutcome encapsulates a signature envelope blob, its content,
+// the verification level and results for each verification type that was
+// performed.
 type VerificationOutcome struct {
-	// SignatureManifestDescriptor
-	SignatureManifestDescriptor *ocispec.Descriptor
-
 	// RawSignature is the signature envelope blob
 	RawSignature []byte
 
@@ -360,7 +357,7 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
 	logger.Debug("Fetching signature manifests")
 	err = repo.ListSignatures(ctx, artifactDescriptor, func(signatureManifests []ocispec.Descriptor) error {
 		// process signatures
-		for ind, sigManifestDesc := range signatureManifests {
+		for _, sigManifestDesc := range signatureManifests {
 			if numOfSignatureProcessed >= verifyOpts.MaxSignatureAttempts {
 				break
 			}
@@ -383,15 +380,14 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
 					logger.Error("Got nil outcome. Expecting non-nil outcome on verification failure")
 					return err
 				}
-				outcome.SignatureManifestDescriptor = &signatureManifests[ind]
+				outcome.Error = fmt.Errorf("failed to verify signature with digest %v, %w", sigManifestDesc.Digest, outcome.Error)
 				verificationOutcomes = append(verificationOutcomes, outcome)
 				continue
 			}
 			// at this point, the signature is verified successfully
 			verificationSucceeded = true
 			// on success, verificationOutcomes only contains the
 			// succeeded outcome
-			outcome.SignatureManifestDescriptor = &signatureManifests[ind]
 			verificationOutcomes = []*VerificationOutcome{outcome}
 			logger.Debugf("Signature verification succeeded for artifact %v with signature digest %v", artifactDescriptor.Digest, sigManifestDesc.Digest)
 

diff --git a/verifier/helpers.go b/verifier/helpers.go
@@ -58,7 +58,7 @@ func loadX509TrustStores(ctx context.Context, scheme signature.SigningScheme, po
 	case signature.SigningSchemeX509SigningAuthority:
 		typeToLoad = truststore.TypeSigningAuthority
 	default:
-		return nil, truststore.ErrorTrustStore{WrappedError: fmt.Errorf("error while loading the trust store, unrecognized signing scheme %q", scheme)}
+		return nil, truststore.ErrorTrustStore{Msg: fmt.Sprintf("error while loading the trust store, unrecognized signing scheme %q", scheme)}
 	}
 
 	processedStoreSet := set.New[string]()
@@ -71,7 +71,7 @@ func loadX509TrustStores(ctx context.Context, scheme signature.SigningScheme, po
 
 		storeType, name, found := strings.Cut(trustStore, ":")
 		if !found {
-			return nil, truststore.ErrorTrustStore{WrappedError: fmt.Errorf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
+			return nil, truststore.ErrorTrustStore{Msg: fmt.Sprintf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
 		}
 		if typeToLoad != truststore.Type(storeType) {
 			continue

diff --git a/verifier/truststore/errors.go b/verifier/truststore/errors.go
@@ -15,37 +15,40 @@ package truststore
 
 // ErrorTrustStore is used when accessing specified trust store failed
 type ErrorTrustStore struct {
-	WrappedError error
+	Msg        string
+	InnerError error
 }
 
 func (e ErrorTrustStore) Error() string {
-	if e.WrappedError != nil {
-		return e.WrappedError.Error()
+	if e.Msg != "" {
+		return e.Msg
+	}
+	if e.InnerError != nil {
+		return e.InnerError.Error()
 	}
 	return "unable to access the trust store"
 }
 
+func (e ErrorTrustStore) Unwrap() error {
+	return e.InnerError
+}
+
 // ErrorCertificate is used when reading a certificate failed
 type ErrorCertificate struct {
-	WrappedError error
+	Msg        string
+	InnerError error
 }
 
 func (e ErrorCertificate) Error() string {
-	if e.WrappedError != nil {
-		return e.WrappedError.Error()
+	if e.Msg != "" {
+		return e.Msg
+	}
+	if e.InnerError != nil {
+		return e.InnerError.Error()
 	}
 	return "unable to read the certificate"
 }
 
-// ErrorNonExistence is used when specified trust store or
-// certificate path does not exist.
-type ErrorNonExistence struct {
-	WrappedError error
-}
-
-func (e ErrorNonExistence) Error() string {
-	if e.WrappedError != nil {
-		return e.WrappedError.Error()
-	}
-	return "unable to find specified trust store or certificate"
+func (e ErrorCertificate) Unwrap() error {
+	return e.InnerError
 }
diff --git a/verifier/truststore/truststore.go b/verifier/truststore/truststore.go
@@ -64,49 +64,49 @@ type x509TrustStore struct {
 // GetCertificates returns certificates under storeType/namedStore
 func (trustStore *x509TrustStore) GetCertificates(ctx context.Context, storeType Type, namedStore string) ([]*x509.Certificate, error) {
 	if !isValidStoreType(storeType) {
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("unsupported trust store type: %s", storeType)}
+		return nil, ErrorTrustStore{Msg: fmt.Sprintf("unsupported trust store type: %s", storeType)}
 	}
 	if !file.IsValidFileName(namedStore) {
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("named store name needs to follow [a-zA-Z0-9_.-]+ format: %s is invalid", namedStore)}
+		return nil, ErrorTrustStore{Msg: fmt.Sprintf("named store name needs to follow [a-zA-Z0-9_.-]+ format: %s is invalid", namedStore)}
 	}
 	path, err := trustStore.trustStorefs.SysPath(dir.X509TrustStoreDir(string(storeType), namedStore))
 	if err != nil {
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("failed to get path of trust store %s with type %s: %w", namedStore, storeType, err)}
+		return nil, ErrorTrustStore{InnerError: fmt.Errorf("failed to get path of trust store %s with type %s: %w", namedStore, storeType, err)}
 	}
 	// throw error if path is not a directory or is a symlink or does not exist.
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
 		if os.IsNotExist(err) {
-			return nil, ErrorNonExistence{WrappedError: fmt.Errorf("the trust store %q of type %q doesn't exist", namedStore, storeType)}
+			return nil, ErrorTrustStore{InnerError: fs.ErrNotExist, Msg: fmt.Sprintf("the trust store %q of type %q doesn't exist", namedStore, storeType)}
 		}
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("failed to access the trust store %q: %w", path, err)}
+		return nil, ErrorTrustStore{InnerError: fmt.Errorf("failed to access the trust store %q: %w", path, err)}
 	}
 	mode := fileInfo.Mode()
 	if !mode.IsDir() || mode&fs.ModeSymlink != 0 {
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("trust store %q is not a regular directory (symlinks are not supported)", path)}
+		return nil, ErrorTrustStore{Msg: fmt.Sprintf("trust store %q is not a regular directory (symlinks are not supported)", path)}
 	}
 	files, err := os.ReadDir(path)
 	if err != nil {
-		return nil, ErrorTrustStore{WrappedError: fmt.Errorf("failed to access the trust store %q: %w", path, err)}
+		return nil, ErrorTrustStore{InnerError: fmt.Errorf("failed to access the trust store %q: %w", path, err)}
 	}
 
 	var certificates []*x509.Certificate
 	for _, file := range files {
 		joinedPath := filepath.Join(path, file.Name())
 		if file.IsDir() || file.Type()&fs.ModeSymlink != 0 {
-			return nil, ErrorCertificate{WrappedError: fmt.Errorf("trusted certificate %q is not a regular file (directories or symlinks are not supported)", joinedPath)}
+			return nil, ErrorCertificate{Msg: fmt.Sprintf("trusted certificate %q is not a regular file (directories or symlinks are not supported)", joinedPath)}
 		}
 		certs, err := corex509.ReadCertificateFile(joinedPath)
 		if err != nil {
-			return nil, ErrorCertificate{WrappedError: fmt.Errorf("failed to read the trusted certificate %q: %w", joinedPath, err)}
+			return nil, ErrorCertificate{InnerError: fmt.Errorf("failed to read the trusted certificate %q: %w", joinedPath, err)}
 		}
 		if err := ValidateCertificates(certs); err != nil {
-			return nil, ErrorCertificate{WrappedError: fmt.Errorf("failed to validate the trusted certificate %q: %w", joinedPath, err)}
+			return nil, ErrorCertificate{InnerError: fmt.Errorf("failed to validate the trusted certificate %q: %w", joinedPath, err)}
 		}
 		certificates = append(certificates, certs...)
 	}
 	if len(certificates) < 1 {
-		return nil, ErrorNonExistence{WrappedError: fmt.Errorf("no x509 certificates were found in trust store %q of type %q", namedStore, storeType)}
+		return nil, ErrorCertificate{InnerError: fs.ErrNotExist, Msg: fmt.Sprintf("no x509 certificates were found in trust store %q of type %q", namedStore, storeType)}
 	}
 	return certificates, nil
 }