ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)

* ErrNoSignaturesFound should be used when there is no signature attached to an image.

Signed-off-by: zhaoyonghe <[email protected]>

* Change error message.

Signed-off-by: zhaoyonghe <[email protected]>

* Add error type tests.

Signed-off-by: zhaoyonghe <[email protected]>

---------

Signed-off-by: zhaoyonghe <[email protected]>

Author: zhaoyonghe

pkg/cosign/verify.go

@@ -592,8 +592,8 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
 	}
 
 	if len(sl) == 0 {
-		return nil, false, &ErrNoMatchingSignatures{
-			errors.New("no matching signatures"),
+		return nil, false, &ErrNoSignaturesFound{
+			errors.New("no signatures found"),
 		}
 	}
 

pkg/cosign/verify_test.go

@@ -46,6 +46,7 @@ import (
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
 	tsaMock "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock"
 	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	"github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/sigstore/cosign/v2/test"
@@ -237,6 +238,44 @@ func CreateTestBundle(ctx context.Context, t *testing.T, rekor signature.Signer,
 	return b
 }
 
+func Test_verifySignaturesErrNoSignaturesFound(t *testing.T) {
+	_, _, err := verifySignatures(context.Background(), &fakeOCISignatures{}, v1.Hash{}, nil)
+	var e *ErrNoSignaturesFound
+	if !errors.As(err, &e) {
+		t.Fatalf("%T{%q} is not a %T", err, err, &ErrNoSignaturesFound{})
+	}
+}
+
+func Test_verifySignaturesErrNoMatchingSignatures(t *testing.T) {
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)
+	leafCert, privKey, _ := test.GenerateLeafCert("[email protected]", "oidc-issuer", subCert, subKey)
+	pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw})
+	pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw})
+	pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	payload := []byte{1, 2, 3, 4}
+	h := sha256.Sum256(payload)
+	signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256)
+
+	ociSig, _ := static.NewSignature(payload,
+		base64.StdEncoding.EncodeToString(signature),
+		static.WithCertChain(pemLeaf, appendSlices([][]byte{pemSub, pemRoot})))
+	_, _, err := verifySignatures(context.Background(), &fakeOCISignatures{signatures: []oci.Signature{ociSig}}, v1.Hash{}, &CheckOpts{
+		RootCerts:  rootPool,
+		IgnoreSCT:  true,
+		IgnoreTlog: true,
+		Identities: []Identity{{Subject: "[email protected]", Issuer: "oidc-issuer"}}})
+
+	var e *ErrNoMatchingSignatures
+	if !errors.As(err, &e) {
+		t.Fatalf("%T{%q} is not a %T", err, err, &ErrNoMatchingSignatures{})
+	}
+}
+
 func TestVerifyImageSignatureWithNoChain(t *testing.T) {
 	ctx := context.Background()
 	rootCert, rootKey, _ := test.GenerateRootCa()