From 789969fe945c3c528014302a65e05961d6148989 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Mon, 8 Dec 2025 12:11:06 +0100 Subject: [PATCH 1/2] fix(api): handle old attestation formats during validation push Signed-off-by: Miguel Martinez --- app/controlplane/pkg/biz/workflowrun.go | 14 ++++++++++---- pkg/attestation/verifier/verifier.go | 3 ++- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go index 36b7c699b..4f21fe799 100644 --- a/app/controlplane/pkg/biz/workflowrun.go +++ b/app/controlplane/pkg/biz/workflowrun.go @@ -323,14 +323,16 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en } // verify attestation (only if chainloop is the signer) - result, err := uc.verifyBundle(ctx, rawContent) - if err != nil { + validation, err := uc.verifyBundle(ctx, rawContent) + // if it's not an invalid bundle, return the error + // invalid bundle is expected for old attestations so we skip validation + if err != nil && !errors.Is(err, verifier.ErrInvalidBundle) { return nil, err } // if it's verifiable, make sure it passed - if result != nil && !result.Result { - return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", result.FailureReason)) + if validation != nil && !validation.Result { + return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", validation.FailureReason)) } // Run some validations on the predicate @@ -475,6 +477,10 @@ func (uc *WorkflowRunUseCase) verifyBundle(ctx context.Context, bundle []byte) ( return nil, nil } + if errors.Is(err, verifier.ErrInvalidBundle) { + return nil, err + } + return &VerificationResult{Result: false, FailureReason: err.Error()}, nil } return &VerificationResult{Result: true}, nil diff --git a/pkg/attestation/verifier/verifier.go b/pkg/attestation/verifier/verifier.go index 903d3372e..4db79b0c6 100644 --- a/pkg/attestation/verifier/verifier.go +++ b/pkg/attestation/verifier/verifier.go @@ -38,6 +38,7 @@ type TrustedRoot struct { } var ErrMissingVerificationMaterial = errors.New("missing material") +var ErrInvalidBundle = errors.New("invalid bundle") func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) error { if bundleBytes == nil { @@ -47,7 +48,7 @@ func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) erro bundle := new(protobundle.Bundle) // unmarshal and validate if err := protojson.Unmarshal(bundleBytes, bundle); err != nil { - return fmt.Errorf("invalid bundle: %w", err) + return fmt.Errorf("%w: %w", err, ErrInvalidBundle) } // fix for old attestations From 93c7783d503e9102281a1686275df99cb6cd1b99 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Mon, 8 Dec 2025 12:16:47 +0100 Subject: [PATCH 2/2] fix(api): handle old attestation formats during validation push Signed-off-by: Miguel Martinez --- app/controlplane/pkg/biz/workflowrun.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go index 4f21fe799..02e6e29ac 100644 --- a/app/controlplane/pkg/biz/workflowrun.go +++ b/app/controlplane/pkg/biz/workflowrun.go @@ -324,10 +324,12 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en // verify attestation (only if chainloop is the signer) validation, err := uc.verifyBundle(ctx, rawContent) - // if it's not an invalid bundle, return the error - // invalid bundle is expected for old attestations so we skip validation - if err != nil && !errors.Is(err, verifier.ErrInvalidBundle) { - return nil, err + if err != nil { + if !errors.Is(err, verifier.ErrInvalidBundle) { + return nil, err + } + // invalid bundle is expected for old attestations so we skip validation + uc.logger.Warn("received an old attestation format, not a bundle: attestation verification skipped", "error", err) } // if it's verifiable, make sure it passed