From 746ea56db681f4481144eeef910cb0db11abc939 Mon Sep 17 00:00:00 2001
From: Asra Ali <asraa@google.com>
Date: Wed, 16 Nov 2022 15:27:55 -0600
Subject: [PATCH] fix bundle requirement on keys and certs

Signed-off-by: Asra Ali <asraa@google.com>
---
 cmd/cosign/cli/verify/verify_blob.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index 0af118786f98..4cd9affc0276 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -170,7 +170,9 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		if err != nil {
 			return err
 		}
-		if b.Cert == "" {
+		// A certificate is required in the bundle unless we specified with
+		//  --key, --sk, or --certificate.
+		if b.Cert == "" && co.SigVerifier == nil && cert == nil {
 			return fmt.Errorf("bundle does not contain cert for verification, please provide public key")
 		}
 		// b.Cert can either be a certificate or public key