From 08277261bfdbfe8085c1a580cb3d6f59a6fea97a Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Wed, 16 Nov 2022 15:27:55 -0600
Subject: [PATCH] fix bundle requirement on keys and certs
Signed-off-by: Asra Ali
fix
Signed-off-by: Asra Ali
---
 cmd/cosign/cli/verify/verify_blob.go | 40 ++++++++++++++++------------
 1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index 0af118786f9..357e8ead005 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -170,27 +170,33 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 if err != nil {
 return err
 }
- if b.Cert == "" {
+ // A certificate is required in the bundle unless we specified with
+ // --key, --sk, or --certificate.
+ if b.Cert == "" && co.SigVerifier == nil && cert == nil {
 return fmt.Errorf("bundle does not contain cert for verification, please provide public key")
 }
- // b.Cert can either be a certificate or public key
- certBytes := []byte(b.Cert)
- if isb64(certBytes) {
- certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
- }
- cert, err = loadCertFromPEM(certBytes)
- if err != nil {
- // check if cert is actually a public key
- co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
- if err != nil {
- return fmt.Errorf("loading verifier from bundle: %w", err)
+ // We have to condition on this because sign-blob may not output the signing
+ // key to the bundle when there is no tlog upload.
+ if b.Cert != "" {
+ // b.Cert can either be a certificate or public key
+ certBytes := []byte(b.Cert)
+ if isb64(certBytes) {
+ certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
 }
- } else {
- if c.CertChain != "" {
- // Load certificate chain
- chain, err = loadCertChainFromFileOrURL(c.CertChain)
+ cert, err = loadCertFromPEM(certBytes)
+ if err != nil {
+ // check if cert is actually a public key
+ co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
 if err != nil {
- return err
+ return fmt.Errorf("loading verifier from bundle: %w", err)
+ }
+ } else {
+ if c.CertChain != "" {
+ // Load certificate chain
+ chain, err = loadCertChainFromFileOrURL(c.CertChain)
+ if err != nil {
+ return err
+ }
 }
 }
 }
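Review bot: When the bundle carries a cert or public key and the caller also passed --key, --sk or --certificate, the new `if b.Cert != ""` branch still assigns `cert` and `co.SigVerifier` from the bundle's material, so the added guard only covers the empty-bundle case and an explicitly supplied trust anchor can be silently replaced by whatever the bundle contains. Unless code after this hunk cross-checks the bundle material against the supplied one, the bundle should only be consulted when no verifier was given, e.g. `if b.Cert != "" && co.SigVerifier == nil && cert == nil {`, or a mismatch should be rejected with an error rather than overwritten. The comment on that branch should state the precedence explicitly: `// Key material from the bundle is used only when no --key/--sk/--certificate was supplied.` The body of Exec starts and ends outside this hunk, so where `cert` and `co.SigVerifier` are first populated is not visible here.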