From 3f6115bf9039d3b86702b0014b331fe63c503617 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Tue, 22 Nov 2022 16:15:11 +0100
Subject: [PATCH] ensure b64 signature is time-stamped

Signed-off-by: Hector Fernandez
---
 internal/pkg/cosign/tsa/signer.go | 7 +------
 pkg/cosign/verify.go | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/internal/pkg/cosign/tsa/signer.go b/internal/pkg/cosign/tsa/signer.go
index a858fcd6d09..c4afc6a7194 100644
--- a/internal/pkg/cosign/tsa/signer.go
+++ b/internal/pkg/cosign/tsa/signer.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
@@ -84,13 +83,9 @@ func (rs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 	if err != nil {
 		return nil, nil, err
 	}
-	sigBytes, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		return nil, nil, err
-	}
 
 	// Here we get the response from the timestamped authority server
-	responseBytes, err := GetTimestampedSignature(sigBytes, rs.tsaClient)
+	responseBytes, err := GetTimestampedSignature([]byte(b64Sig), rs.tsaClient)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index bb237bc4de7..68d1c5e4648 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -672,7 +672,7 @@ func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash,
 		}
 	}
 	if co.SkipTlogVerify {
-		return bundleVerified, nil
+		return bundleVerified, err
 	}
 
 	// 2. Check the validity time of the signature.
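Review bot: The message handed to the TSA on the `GetTimestampedSignature([]byte(b64Sig), rs.tsaClient)` line is now the base64 text of the signature rather than its decoded bytes, and nothing records that contract, so a later reader cannot tell that `VerifyRFC3161Timestamp` must hash the identical string; it is also a silent compatibility break, since RFC3161 bundles produced by the previous code were timestamped over the raw bytes and will stop verifying. I would pin this next to the call: `// The TSA timestamps the base64-encoded signature string exactly as stored in the OCI annotation; VerifyRFC3161Timestamp must hash that same string, not the decoded bytes.` Whether `b64Sig` can be empty here (the verify side of this patch says it is for attestations) is not visible in the hunk; if it can, this timestamps an empty message, so a `len(b64Sig) == 0` guard or a documented fallback is worth confirming. Sign begins and ends outside the hunk.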
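Review bot: The `return bundleVerified, err` on the SkipTlogVerify early return now propagates whatever `err` holds from the statements above, which are outside the hunk, and the hunk gives no reason why a non-nil error would be expected at that point. If the preceding code already returns on a non-nil `err`, this is equivalent to the old `nil` and only obscures the intent; if it does not, the function can return an error alongside a `bundleVerified` of true, which a caller checking only one of the two will misread. I would either keep `nil` with `// err is nil on this path; tlog verification was skipped by request` or check `err` explicitly before the `if`. verifyInternal begins and ends outside the hunk.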
@@ -1004,12 +1004,17 @@ func VerifyRFC3161Timestamp(ctx context.Context, sig oci.Signature, tsaCerts *x5
 		return false, err
 	}
 
-	sigBytes, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		return false, fmt.Errorf("reading DecodeString: %w", err)
+	verifiedBytes := []byte(b64Sig)
+	if len(b64Sig) == 0 {
+		// For attestations, the Base64Signature is not set, therefore we rely on the signed payload
+		signedPayload, err := sig.Payload()
+		if err != nil {
+			return false, fmt.Errorf("reading the payload: %w", err)
+		}
+		verifiedBytes = signedPayload
 	}
 
-	err = tsaverification.VerifyTimestampResponse(bundle.SignedRFC3161Timestamp, bytes.NewReader(sigBytes), tsaCerts)
+	err = tsaverification.VerifyTimestampResponse(bundle.SignedRFC3161Timestamp, bytes.NewReader(verifiedBytes), tsaCerts)
 	if err != nil {
 		return false, fmt.Errorf("unable to verify TimestampResponse: %w", err)
 	}
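Review bot: When both `Base64Signature()` and the `sig.Payload()` fallback yield nothing, `verifiedBytes` is empty and `VerifyTimestampResponse` runs against a zero-length message, so a timestamp over empty input would pass while binding the timestamp to nothing; add a guard after the fallback block, `if len(verifiedBytes) == 0 { return false, fmt.Errorf("no signature or payload to bind the timestamp to") }`. The fallback also means the verifier hashes the base64 text when a signature is present but the raw payload for attestations, so the signer must pick its input by the same rule; the signer side of this patch always timestamps `[]byte(b64Sig)`, and how it treats the attestation case is not visible here. The comment on the fallback should state the representation too, e.g. `// A non-empty signature is verified as the base64 string from the annotation (the signer timestamps that string, not the decoded bytes).` Timestamps produced by the pre-patch signer over the decoded bytes will no longer verify, which deserves a mention in the commit message or docs. VerifyRFC3161Timestamp begins and ends outside the hunk.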