helpful error message for hashedrekord types (sigstore#605)

bobcallaway · web-flow · commit c39c0beb3402 · 2022-01-18T10:33:01.000-05:00
* helpful error message for hashedrekord types

Signed-off-by: Bob Callaway &lt;bob.callaway@gmail.com&gt;
diff --git a/cmd/rekor-cli/app/upload.go b/cmd/rekor-cli/app/upload.go
@@ -113,7 +113,7 @@ var uploadCmd = &cobra.Command{
 
 			entry, err = types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("error: %w", err)
 			}
 		}
 		params.SetProposedEntry(entry)
diff --git a/cmd/rekor-cli/app/verify.go b/cmd/rekor-cli/app/verify.go
@@ -117,7 +117,7 @@ var verifyCmd = &cobra.Command{
 
 			entry, err := types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("error: %w", err)
 			}
 
 			entries := []models.ProposedEntry{entry}
diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go
@@ -196,6 +196,10 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
 
 	var err error
 
+	if props.PKIFormat != string(pki.X509) {
+		return nil, errors.New("hashedrekord entries can only be created for artifacts signed with x509-based PKI")
+	}
+
 	re.HashedRekordObj.Signature = &models.HashedrekordV001SchemaSignature{}
 	sigBytes := props.SignatureBytes
 	if sigBytes == nil {
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
@@ -155,14 +155,14 @@ func TestUploadVerifyHashedRekord(t *testing.T) {
 	}
 
 	// Verify should fail initially
-	runCliErr(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+	runCliErr(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 
 	// It should upload successfully.
-	out := runCli(t, "upload", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+	out := runCli(t, "upload", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 	outputContains(t, out, "Created entry at")
 
 	// Now we should be able to verify it.
-	out = runCli(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+	out = runCli(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 	outputContains(t, out, "Inclusion Proof:")
 }
 

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ var uploadCmd = &cobra.Command{`
`113`	`113`
`114`	`114`	`entry, err = types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)`
`115`	`115`	`if err != nil {`
`116`		`- return nil, err`
	`116`	`+ return nil, fmt.Errorf("error: %w", err)`
`117`	`117`	`}`
`118`	`118`	`}`
`119`	`119`	`params.SetProposedEntry(entry)`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ var verifyCmd = &cobra.Command{`
`117`	`117`
`118`	`118`	`entry, err := types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)`
`119`	`119`	`if err != nil {`
`120`		`- return nil, err`
	`120`	`+ return nil, fmt.Errorf("error: %w", err)`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`entries := []models.ProposedEntry{entry}`
Original file line number	Diff line number	Diff line change
`@@ -155,14 +155,14 @@ func TestUploadVerifyHashedRekord(t *testing.T) {`
`155`	`155`	`}`
`156`	`156`
`157`	`157`	`// Verify should fail initially`
`158`		`- runCliErr(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
	`158`	`+ runCliErr(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
`159`	`159`
`160`	`160`	`// It should upload successfully.`
`161`		`- out := runCli(t, "upload", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
	`161`	`+ out := runCli(t, "upload", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
`162`	`162`	`outputContains(t, out, "Created entry at")`
`163`	`163`
`164`	`164`	`// Now we should be able to verify it.`
`165`		`- out = runCli(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
	`165`	`+ out = runCli(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`
`166`	`166`	`outputContains(t, out, "Inclusion Proof:")`
`167`	`167`	`}`
`168`	`168`