func verifySignature()

in server/signedcontainer/verify.go [108:158]

• 40 lines of code
• 10 McCabe index (conditional complexity)

func verifySignature(imageDigest string, sig *ImageSignature) (*VerifiedSignature, error) {
	if sig == nil {
		return nil, errors.New("container image signature is nil")
	}

	payload, err := unmarshalAndValidate(sig.Payload)
	if err != nil {
		return nil, fmt.Errorf("failed to unmarshal payload: %v", err)
	}

	publicKey, err := payload.publicKey()
	if err != nil {
		return nil, err
	}

	sigAlg, err := payload.sigAlg()
	if err != nil {
		return nil, err
	}

	if payload.Critical.Image.DockerManifestDigest != imageDigest {
		return nil, errors.New("payload docker manifest digest does not match the running workload image digest")
	}

	// Create a public keyset handle from the given PEM-encoded public key and signing algorithm.
	publicKeysetHandle, err := createPublicKeysetHandle(publicKey, sigAlg)
	if err != nil {
		return nil, fmt.Errorf("failed to read public keyset: %v", err)
	}

	// Retrieve the Verifier primitive from publicKeysetHandle.
	verifier, err := tinksig.NewVerifier(publicKeysetHandle)
	if err != nil {
		return nil, fmt.Errorf("failed to create Tink signature verifier: %v", err)
	}

	if err = verifier.Verify(sig.Signature, sig.Payload); err != nil {
		return nil, fmt.Errorf("failed to verify signature: %v", err)
	}

	keyID, err := computeKeyID(publicKey)
	if err != nil {
		return nil, fmt.Errorf("failed to compute keyID: %v", err)
	}

	return &VerifiedSignature{
		KeyID:     keyID,
		Signature: encoding.EncodeToString(sig.Signature),
		Alg:       sigAlg.string(),
	}, nil
}