debug: add error messages for debugging with rekor (slsa-framework#159)

* add error messages for debugging with rekor Signed-off-by: Asra Ali <asraa@google.com>
laurentsimon · Jul 21, 2022 · a887da5 · a887da5
1 parent b326c4d
commit a887da5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/pkg/provenance.go b/pkg/provenance.go
@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"os"
 	"strings"
 
 	"golang.org/x/mod/semver"
@@ -59,23 +60,25 @@ func verifySha256Digest(prov *intoto.ProvenanceStatement, expectedHash string) e
 // and the signing certificate given the provenance and artifact hash.
 func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) (*dsselib.Envelope, *x509.Certificate, error) {
 	// Get Rekor entries corresponding to provenance
-	if env, cert, err := GetRekorEntriesWithCert(rClient, provenance); err == nil {
+	env, cert, err := GetRekorEntriesWithCert(rClient, provenance)
+	if err == nil {
 		return env, cert, nil
 	}
 
 	// Fallback on using the redis search index to get matching UUIDs.
+	fmt.Fprintf(os.Stderr, "Getting rekor entry error %s, trying Redis search index to find entries by subject digest\n", err)
 	uuids, err := GetRekorEntries(rClient, artifactHash)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	env, err := EnvelopeFromBytes(provenance)
+	env, err = EnvelopeFromBytes(provenance)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	// Verify the provenance and return the signing certificate.
-	cert, err := FindSigningCertificate(ctx, uuids, *env, rClient)
+	cert, err = FindSigningCertificate(ctx, uuids, *env, rClient)
 	if err != nil {
 		return nil, nil, err
 	}

diff --git a/pkg/rekor.go b/pkg/rekor.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	cjson "github.com/docker/go/canonical/json"
@@ -168,7 +169,7 @@ func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string
 		}
 	}
 	if entryVerError != nil {
-		return nil, fmt.Errorf("%w: %s", err, "error verifying root hash")
+		return nil, fmt.Errorf("%w: %s", entryVerError, "error verifying root hash")
 	}
 
 	// Verify the entry's inclusion
@@ -341,18 +342,25 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 	//   * Verify dsse envelope signature against signing certificate.
 	//   * Check signature expiration against IntegratedTime in entry.
 	//   * If all succeed, return the signing certificate.
+	var errs []string
 	for _, uuid := range uuids {
 		entry, err := verifyTlogEntryByUUID(ctx, rClient, uuid)
 		if err != nil {
+			// this is unexpected, hold on to this error.
+			errs = append(errs, fmt.Sprintf("%s: verifying tlog entry %s", err, uuid))
 			continue
 		}
 		cert, err := extractCert(entry)
 		if err != nil {
+			// this is unexpected, hold on to this error.
+			errs = append(errs, fmt.Sprintf("%s: extracting certificate from %s", err, uuid))
 			continue
 		}
 
 		roots, err := fulcio.GetRoots()
 		if err != nil {
+			// this is unexpected, hold on to this error.
+			errs = append(errs, fmt.Sprintf("%s: retrieving fulcio root", err))
 			continue
 		}
 		co := &cosign.CheckOpts{
@@ -383,5 +391,5 @@ func FindSigningCertificate(ctx context.Context, uuids []string, dssePayload dss
 		return cert, nil
 	}
 
-	return nil, ErrorNoValidRekorEntries
+	return nil, fmt.Errorf("%w: got unexpected errors %s", ErrorNoValidRekorEntries, strings.Join(errs, ", "))
 }