From 63bfb8cba2c1ce105d4d77bada8b90a7123f3233 Mon Sep 17 00:00:00 2001
From: Alex Cameron
Date: Fri, 3 Jun 2022 23:48:25 +1000
Subject: [PATCH] _cli, _verify: Wrap OpenSSL error with user-friendly text (#113)

* _verify: Wrap OpenSSL error message with some help text

* _cli: Print verification failure reason
---
 sigstore/_cli.py    | 11 +++++++----
 sigstore/_verify.py | 15 +++++++++++++--
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/sigstore/_cli.py b/sigstore/_cli.py
index 38cf155d..6ae4160d 100644
--- a/sigstore/_cli.py
+++ b/sigstore/_cli.py
@@ -16,7 +16,7 @@
 import os
 import sys
 from importlib import resources
-from typing import BinaryIO, List, Optional, TextIO
+from typing import BinaryIO, List, Optional, TextIO, cast
 
 import click
 
@@ -37,7 +37,7 @@
     STAGING_REKOR_URL,
 )
 from sigstore._sign import sign
-from sigstore._verify import verify
+from sigstore._verify import VerificationFailure, verify
 
 logger = logging.getLogger(__name__)
 logging.basicConfig(level=os.environ.get("SIGSTORE_LOGLEVEL", "INFO").upper())
@@ -294,15 +294,18 @@ def _verify(
 
     verified = True
     for file in files:
-        if verify(
+        result = verify(
             rekor_url=rekor_url,
             file=file,
             certificate=certificate,
             signature=signature,
             cert_email=cert_email,
-        ):
+        )
+        if result:
             click.echo(f"OK: {file.name}")
         else:
+            failure = cast(VerificationFailure, result)
+            click.echo(failure.reason)
             click.echo(f"FAIL: {file.name}")
             verified = False
 
diff --git a/sigstore/_verify.py b/sigstore/_verify.py
index 302594bd..bf9e92f4 100644
--- a/sigstore/_verify.py
+++ b/sigstore/_verify.py
@@ -33,7 +33,12 @@
     load_pem_x509_certificate,
 )
 from cryptography.x509.oid import ExtendedKeyUsageOID
-from OpenSSL.crypto import X509, X509Store, X509StoreContext
+from OpenSSL.crypto import (
+    X509,
+    X509Store,
+    X509StoreContext,
+    X509StoreContextError,
+)
 from pydantic import BaseModel
 
 from sigstore._internal.merkle import (
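Review bot: In the third `_cli.py` hunk the success test `if result:` depends on the object returned by `verify` having a meaningful `__bool__`; `VerificationFailure` is not visible here, and if it is a pydantic `BaseModel` without a `__bool__` override (the `_verify.py` hunk shows `BaseModel` is imported) an instance is truthy, so a failed verification would be reported as `OK:`. The `cast(VerificationFailure, result)` line narrows only for the type checker and adds no runtime guarantee on the failure branch. An explicit type test removes the dependence on truthiness and makes the cast redundant: `if not isinstance(result, VerificationFailure):` for the success branch, after which `result.reason` is already narrowed in the `else`. Consider also printing the reason after the `FAIL:` line or joined to it, `click.echo(f"FAIL: {file.name}: {failure.reason}")`, so that with several input files each reason is tied to its file name and stdout keeps one line per file. The rest of `_verify`, including where `verified` is consumed, lies outside the hunk.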
@@ -130,7 +135,13 @@ def verify(
     store.add_cert(openssl_intermediate)
     store.set_time(sign_date)
     store_ctx = X509StoreContext(store, openssl_cert)
-    store_ctx.verify_certificate()
+    try:
+        store_ctx.verify_certificate()
+    except X509StoreContextError as store_ctx_error:
+        return VerificationFailure(
+            reason="Failed to verify signing certificate, consider upgrading `sigstore` if a newer "
+            f"version is available: {store_ctx_error}"
+        )
 
     # 2) Check that the signing certificate contains the proof claim as the subject
     # Check usage is "digital signature"
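Review bot: The "consider upgrading `sigstore`" hint is attached to every `X509StoreContextError`, but that exception also covers a chain that is expired or not yet valid at `sign_date`, a certificate that does not chain to the store at all, and similar failures, so for those cases the message steers users toward the wrong remedy. The exception carries the certificate that failed (`store_ctx_error.certificate`), so the reason could name it, e.g. `f"version is available: {store_ctx_error} (certificate: {store_ctx_error.certificate.get_subject()})"`, which lets a reader tell a stale embedded root apart from a bad leaf without re-running with a debugger. Keeping the `try` body to the single `verify_certificate()` call and returning before the later checks is the right shape: a rejected chain never reaches the subject and key-usage checks that follow. `verify` begins before and continues after this hunk.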