Add verification errors to output of VerifyTimestampAuthority

codysoyland · codysoyland · commit d83461696e8a · 2025-05-08T09:47:00.000-04:00
Signed-off-by: Cody Soyland &lt;codysoyland@github.com&gt;
diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go
@@ -814,16 +814,16 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log
 	}
 
 	if v.config.requireObserverTimestamps {
-		verifiedSignedTimestamps, err := VerifyTimestampAuthority(entity, v.trustedMaterial)
+		verifiedSignedTimestamps, verificationErrors, err := VerifyTimestampAuthority(entity, v.trustedMaterial)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to verify signed timestamps: %w", err)
 		}
 
 		// check threshold for both RFC3161 and log timestamps
 		tsCount := len(verifiedSignedTimestamps) + len(logTimestamps)
 		if tsCount < v.config.observerTimestampThreshold {
-			return nil, fmt.Errorf("threshold not met for verified signed & log entry integrated timestamps: %d < %d",
-				tsCount, v.config.observerTimestampThreshold)
+			return nil, fmt.Errorf("threshold not met for verified signed & log entry integrated timestamps: %d < %d; error: %w",
+				tsCount, v.config.observerTimestampThreshold, errors.Join(verificationErrors...))
 		}
 
 		// append all timestamps
diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go
@@ -25,39 +25,40 @@ const maxAllowedTimestamps = 32
 
 // VerifyTimestampAuthority verifies that the given entity has been timestamped
 // by a trusted timestamp authority and that the timestamp is valid.
-func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedMaterial) ([]*root.Timestamp, error) { //nolint:revive
+func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedMaterial) ([]*root.Timestamp, []error, error) { //nolint:revive
 	signedTimestamps, err := entity.Timestamps()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// limit the number of timestamps to prevent DoS
 	if len(signedTimestamps) > maxAllowedTimestamps {
-		return nil, fmt.Errorf("too many signed timestamps: %d > %d", len(signedTimestamps), maxAllowedTimestamps)
+		return nil, nil, fmt.Errorf("too many signed timestamps: %d > %d", len(signedTimestamps), maxAllowedTimestamps)
 	}
 	sigContent, err := entity.SignatureContent()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	signatureBytes := sigContent.Signature()
 
 	verifiedTimestamps := []*root.Timestamp{}
+	var verificationErrors []error
 	for _, timestamp := range signedTimestamps {
 		verifiedSignedTimestamp, err := verifySignedTimestamp(timestamp, signatureBytes, trustedMaterial)
 		if err != nil {
+			verificationErrors = append(verificationErrors, err)
 			continue
 		}
 		if isDuplicateTSA(verifiedTimestamps, verifiedSignedTimestamp) {
-			// TODO: add below error to `errs` when #325 is merged, and continue
-			// (https://github.com/sigstore/sigstore-go/issues/325)
-			return verifiedTimestamps, fmt.Errorf("duplicate timestamps from the same authority, ignoring %s", verifiedSignedTimestamp.URI)
+			verificationErrors = append(verificationErrors, fmt.Errorf("duplicate timestamps from the same authority, ignoring %s", verifiedSignedTimestamp.URI))
+			continue
 		}
 
 		verifiedTimestamps = append(verifiedTimestamps, verifiedSignedTimestamp)
 	}
 
-	return verifiedTimestamps, nil
+	return verifiedTimestamps, verificationErrors, err
 }
 
 // isDuplicateTSA checks if the given verified signed timestamp is a duplicate
@@ -79,26 +80,29 @@ func isDuplicateTSA(verifiedTimestamps []*root.Timestamp, verifiedSignedTimestam
 // The threshold parameter is the number of unique timestamps that must be
 // verified.
 func VerifyTimestampAuthorityWithThreshold(entity SignedEntity, trustedMaterial root.TrustedMaterial, threshold int) ([]*root.Timestamp, error) { //nolint:revive
-	verifiedTimestamps, err := VerifyTimestampAuthority(entity, trustedMaterial)
+	verifiedTimestamps, verificationErrors, err := VerifyTimestampAuthority(entity, trustedMaterial)
 	if err != nil {
 		return nil, err
 	}
 	if len(verifiedTimestamps) < threshold {
-		return nil, fmt.Errorf("threshold not met for verified signed timestamps: %d < %d", len(verifiedTimestamps), threshold)
+		return nil, fmt.Errorf("threshold not met for verified signed timestamps: %d < %d; error: %w", len(verifiedTimestamps), threshold, errors.Join(verificationErrors...))
 	}
 	return verifiedTimestamps, nil
 }
 
 func verifySignedTimestamp(signedTimestamp []byte, signatureBytes []byte, trustedMaterial root.TrustedMaterial) (*root.Timestamp, error) {
 	timestampAuthorities := trustedMaterial.TimestampingAuthorities()
 
+	var errs []error
+
 	// Iterate through TSA certificate authorities to find one that verifies
 	for _, tsa := range timestampAuthorities {
 		ts, err := tsa.Verify(signedTimestamp, signatureBytes)
 		if err == nil {
 			return ts, nil
 		}
+		errs = append(errs, err)
 	}
 
-	return nil, errors.New("unable to verify signed timestamps")
+	return nil, fmt.Errorf("unable to verify signed timestamps: %w", errors.Join(errs...))
 }
diff --git a/pkg/verify/tsa_test.go b/pkg/verify/tsa_test.go
@@ -63,14 +63,17 @@ func TestTimestampAuthorityVerifierWithoutThreshold(t *testing.T) {
 	var ts []*root.Timestamp
 
 	// expect one verified timestamp
-	ts, err = verify.VerifyTimestampAuthority(entity, virtualSigstore)
+	ts, verificationErrors, err := verify.VerifyTimestampAuthority(entity, virtualSigstore)
 	assert.NoError(t, err)
+	assert.Empty(t, verificationErrors)
 	assert.Len(t, ts, 1)
 
-	// no failure, but also no verified timestamps
-	ts, err = verify.VerifyTimestampAuthority(entity, virtualSigstore2)
+	// wrong instance; expect no verified timestamps
+	ts, verificationErrors, err = verify.VerifyTimestampAuthority(entity, virtualSigstore2)
 	assert.NoError(t, err)
 	assert.Empty(t, ts)
+	assert.Len(t, verificationErrors, 1)
+	assert.ErrorContains(t, verificationErrors[0], "ECDSA verification failure")
 }
 
 type oneTrustedOneUntrustedTimestampEntity struct {
@@ -112,8 +115,10 @@ func TestDuplicateTimestamps(t *testing.T) {
 	entity, err := virtualSigstore.Attest("foo@example.com", "issuer", []byte("statement"))
 	assert.NoError(t, err)
 
-	_, err = verify.VerifyTimestampAuthority(&dupTimestampEntity{entity}, virtualSigstore)
-	assert.ErrorContains(t, err, "duplicate timestamps from the same authority, ignoring https://virtual.tsa.sigstore.dev")
+	timestamps, verificationErrors, err := verify.VerifyTimestampAuthority(&dupTimestampEntity{entity}, virtualSigstore)
+	assert.ErrorContains(t, verificationErrors[0], "duplicate timestamps from the same authority, ignoring https://virtual.tsa.sigstore.dev")
+	assert.NoError(t, err)
+	assert.Len(t, timestamps, 1)
 }
 
 type badTSASignatureEntity struct {

Original file line number	Diff line number	Diff line change
`@@ -814,16 +814,16 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log`
`814`	`814`	`}`
`815`	`815`
`816`	`816`	`if v.config.requireObserverTimestamps {`
`817`		`- verifiedSignedTimestamps, err := VerifyTimestampAuthority(entity, v.trustedMaterial)`
	`817`	`+ verifiedSignedTimestamps, verificationErrors, err := VerifyTimestampAuthority(entity, v.trustedMaterial)`
`818`	`818`	`if err != nil {`
`819`		`- return nil, err`
	`819`	`+ return nil, fmt.Errorf("failed to verify signed timestamps: %w", err)`
`820`	`820`	`}`
`821`	`821`
`822`	`822`	`// check threshold for both RFC3161 and log timestamps`
`823`	`823`	`tsCount := len(verifiedSignedTimestamps) + len(logTimestamps)`
`824`	`824`	`if tsCount < v.config.observerTimestampThreshold {`
`825`		`- return nil, fmt.Errorf("threshold not met for verified signed & log entry integrated timestamps: %d < %d",`
`826`		`- tsCount, v.config.observerTimestampThreshold)`
	`825`	`+ return nil, fmt.Errorf("threshold not met for verified signed & log entry integrated timestamps: %d < %d; error: %w",`
	`826`	`+ tsCount, v.config.observerTimestampThreshold, errors.Join(verificationErrors...))`
`827`	`827`	`}`
`828`	`828`
`829`	`829`	`// append all timestamps`