Enable signature verification for attestation version list object

Signed-off-by: Daniel Weiße <[email protected]>
edgelesssys · Jun 13, 2024 · 918bf9c · 918bf9c
1 parent 0e18497
commit 918bf9c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 9 deletions.
diff --git a/internal/api/attestationconfigapi/fetcher.go b/internal/api/attestationconfigapi/fetcher.go
@@ -72,8 +72,7 @@ func (f *fetcher) FetchLatestVersion(ctx context.Context, variant variant.Varian
 
 // fetchVersionList fetches the version list information from the config API.
 func (f *fetcher) fetchVersionList(ctx context.Context, variant variant.Variant) (VersionList, error) {
-	// TODO(derpsteb): Replace with FetchAndVerify once we move to v2 of the config API and the list is saved as (.json) file.
-	fetchedList, err := apifetcher.Fetch(ctx, f.HTTPClient, f.cdnURL, VersionList{Variant: variant})
+	fetchedList, err := apifetcher.FetchAndVerify(ctx, f.HTTPClient, f.cdnURL, VersionList{Variant: variant}, f.verifier)
 	if err != nil {
 		return VersionList{}, fmt.Errorf("fetching version list: %w", err)
 	}

diff --git a/internal/api/fetcher/fetcher.go b/internal/api/fetcher/fetcher.go
@@ -20,12 +20,10 @@ package fetcher
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 )
@@ -155,12 +153,8 @@ func (s signature) JSONPath() string {
 	return s.Signed + ".sig"
 }
 
-// ValidateRequest validates the request.
+// ValidateRequest is a no-op.
 func (s signature) ValidateRequest() error {
-	if !strings.HasSuffix(s.Signed, ".json") {
-		return errors.New("signed object missing .json suffix")
-	}
-
 	return nil
 }