Fix incorrect error check when verifying SCT (sigstore#1422)

Introduced in sigstore#1396, this incorrectly checked err instead of verifySctErr. This resulted in no error being printed when SCT validation failed. Verified this is working correctly now with local testing. Signed-off-by: Hayden Blauzvern <[email protected]>
hatmarch · Apr 19, 2022 · 6cc9222 · 6cc9222
1 parent aeb872a
commit 6cc9222
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
@@ -53,7 +53,6 @@ const altCTLogPublicKeyLocation = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
 // some defined time period
 func verifySCT(certPEM, rawSCT []byte) error {
 	var pubKeys []crypto.PublicKey
-	var err error
 	rootEnv := os.Getenv(altCTLogPublicKeyLocation)
 	if rootEnv == "" {
 		ctx := context.TODO()
@@ -96,7 +95,7 @@ func verifySCT(certPEM, rawSCT []byte) error {
 	for _, pubKey := range pubKeys {
 		verifySctErr = ctutil.VerifySCT(pubKey, []*ctx509.Certificate{cert}, &sct, false)
 		// Exit after successful verification of the SCT
-		if err == nil {
+		if verifySctErr == nil {
 			return nil
 		}
 	}