chore(signing): verify signature on att push (#2606)

jiparis · web-flow · commit ed92f11f914b · 2025-12-05T17:02:36.000+01:00
Signed-off-by: Jose I. Paris &lt;jiparis@chainloop.dev&gt;
diff --git a/app/controlplane/internal/service/workflowrun.go b/app/controlplane/internal/service/workflowrun.go
@@ -164,7 +164,7 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic
 	var verificationResult *pb.WorkflowRunServiceViewResponse_VerificationResult
 	if req.Verify {
 		// it might be nil if it doesn't apply
-		vr, err := s.wrUseCase.Verify(ctx, run)
+		vr, err := s.wrUseCase.VerifyRun(ctx, run)
 		if err != nil {
 			return nil, handleUseCaseErr(err, s.log)
 		}
diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go
@@ -322,8 +322,19 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en
 		return nil, fmt.Errorf("extracting predicate: %w", err)
 	}
 
+	// verify attestation (only if chainloop is the signer)
+	result, err := uc.verifyBundle(ctx, rawContent)
+	if err != nil {
+		return nil, err
+	}
+
+	// if it's verifiable, make sure it passed
+	if result != nil && !result.Result {
+		return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", result.FailureReason))
+	}
+
 	// Run some validations on the predicate
-	// Attestations can include dependent attestations and we want to make sure they exist in the system
+	// Attestations can include dependent attestations, and we want to make sure they exist in the system
 	// Find any material of kind attestation and make sure they exist already
 	for _, m := range predicate.GetMaterials() {
 		if m.Type == schemaapi.CraftingSchema_Material_ATTESTATION.String() {
@@ -440,7 +451,11 @@ type VerificationResult struct {
 	FailureReason string
 }
 
-func (uc *WorkflowRunUseCase) Verify(ctx context.Context, run *WorkflowRun) (*VerificationResult, error) {
+func (uc *WorkflowRunUseCase) VerifyRun(ctx context.Context, run *WorkflowRun) (*VerificationResult, error) {
+	return uc.verifyBundle(ctx, run.Attestation.Bundle)
+}
+
+func (uc *WorkflowRunUseCase) verifyBundle(ctx context.Context, bundle []byte) (*VerificationResult, error) {
 	tr, err := uc.signingUseCase.GetTrustedRoot(ctx)
 	if err != nil {
 		if IsErrNotImplemented(err) {
@@ -453,7 +468,7 @@ func (uc *WorkflowRunUseCase) Verify(ctx context.Context, run *WorkflowRun) (*Ve
 	if err != nil {
 		return nil, fmt.Errorf("parsing roots: %w", err)
 	}
-	err = verifier.VerifyBundle(ctx, run.Attestation.Bundle, verifierRoots)
+	err = verifier.VerifyBundle(ctx, bundle, verifierRoots)
 	if err != nil {
 		// if no verification material found, it's not verifiable
 		if errors.Is(err, verifier.ErrMissingVerificationMaterial) {

Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ func (s WorkflowRunService) View(ctx context.Context, req pb.WorkflowRunServic`
`164`	`164`	`var verificationResult *pb.WorkflowRunServiceViewResponse_VerificationResult`
`165`	`165`	`if req.Verify {`
`166`	`166`	`// it might be nil if it doesn't apply`
`167`		`- vr, err := s.wrUseCase.Verify(ctx, run)`
	`167`	`+ vr, err := s.wrUseCase.VerifyRun(ctx, run)`
`168`	`168`	`if err != nil {`
`169`	`169`	`return nil, handleUseCaseErr(err, s.log)`
`170`	`170`	`}`