bug: fix verification fail when policy contains multiple pubkeys

The DSSE code failed early if a verifier failed to successfully verify
an envelope. This caused the policy verification code to incorrectly
report that the policy failed verification.

Signed-off-by: Mikhail Swift <mikhail@testifysec.com>

Author: Mikhail Swift

.github/workflows/golangci-lint.yml

@@ -20,3 +20,4 @@ jobs:
         uses: golangci/golangci-lint-action@v2
         with:
           version: latest
+          args: --timeout=3m

.github/workflows/release.yml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [ 1.17.x ]
+        go-version: [ 1.18.x ]
         os: [ ubuntu-latest ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -47,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: 1.18
       - uses: actions/cache@v2
         with:
           path: |

.github/workflows/verify-docgen.yml

@@ -13,5 +13,5 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.x'
+          go-version: '1.18.x'
       - run: ./docgen/verify.sh

.github/workflows/verify-licence.yml

@@ -12,7 +12,7 @@ jobs:
         - uses: actions/checkout@v2
         - uses: actions/setup-go@v2
           with:
-            go-version: '1.17.x'
+            go-version: '1.18.x'
         - name: Install addlicense
           run: go install github.com/google/addlicense@latest
         - name: Check license headers

go.mod

@@ -0,0 +1,4 @@
+*.attestation.json
+policy-signed.json
+testapp
+testapp.tar.tgz

go.sum

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEBmgB/Xwk5lvG9MZxMvKDrFlyMhjlzpfd27y0Hp7WgzoAoGCCqGSM49
+AwEHoUQDQgAEnE5sMbtWZ7uxSSwVu231xRfaDkLyGRBqCdVRnF+U92EaN3Eu08f4
+jTNk8G5nZm/0bEvjswy4MvlYeS9Gzmg26A==
+-----END EC PRIVATE KEY-----

test/.gitignore

@@ -28,12 +28,44 @@
           "publickeyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647"
         }
       ]
+    },
+    "package": {
+      "name": "package",
+      "attestations": [
+        {
+          "type": "https://witness.dev/attestations/material/v0.1",
+          "regopolicies": []
+        },
+        {
+          "type": "https://witness.dev/attestations/command-run/v0.1",
+          "regopolicies": [
+            {
+              "name": "expected command",
+              "module": "cGFja2FnZSBjb21tYW5kcnVuLmNtZAoKZGVueVttc2ddIHsKCWlucHV0LmNtZCAhPSBbInRhciIsICJjemYiLCAiLi90ZXN0YXBwLnRhci50Z3oiLCAiLi90ZXN0YXBwIl0KCW1zZyA6PSAidW5leHBlY3RlZCBjbWQiCn0K"
+            }
+          ]
+        },
+        {
+          "type": "https://witness.dev/attestations/product/v0.1",
+          "regopolicies": []
+        }
+      ],
+      "functionaries": [
+        {
+          "type": "publickey",
+          "publickeyid": "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3"
+        }
+      ]
     }
   },
   "publickeys": {
     "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647": {
       "keyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647",
       "key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QXlFQWYyOW9QUDhVZ2hCeUc4NTJ1QmRPeHJKS0tuN01NNWhUYlA5ZXNnT1ovazA9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
+    },
+    "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3": {
+      "keyid": "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3",
+      "key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFvRTZ6TDdvMG5jY3ZLbjBJVFNEUApSWUFhTnR6ZlYzOVJaUVh1aTVpTXljTWFzU3JWR2Y3bEhKTFR2YWZrQWNMU3huY3RTdWdad3prMlo4a2FjK0FkCksxV2cwemtBd2VocjJzVVZ1cWY5d0ZQTUdueWVJUXJQTnhtY1hGbnp5WjZ3ZTRxQnBVQmhrdGZacWI5bm05cUUKVDA4SmJvUkdVdlpHamx3ckloZmJYR2RTYnA2cG1XQUVqNUdWOUd0bGswTWg4YmFrNUxid3hyZUYzVXZhUE1sSwpWVWdsNDVFYVYxWVpRWjI3NmFVSStpWitnMnh1QjlyTGd5a04vUlZMSUh5VDAyS0xBYXo5K0xONkVhaEQzWHFICkptUlVJZmsyQ0VlZTBiUHJIL0c2Z21HRVoxQ1dLL3dMQ2hsMkVpOU5MYnUvMjIzZSt0TVpmc1MvU0RrR1hlQ3UKR3BTUzgrK3VyYkpFZnkyZEpsUitiOGlCMzV0bldSOVhNUTRzV0MwanBIQW53Rm1ZOXNQTTMweEl2QnJ6TElRdwpHK1FDTXBhRFlDMGhXakJzb09WT0xpbnJCSDFXSGVmTEdWdWRmQ2Y4d1pXNzUrRnpPRHRhMG5lWERYWVRCU2FFCmVDb2NGUStLTTJsaDhlTjFIb1pjTkZ2TzhhTCttWkNQSTFXOTUwMTlzeVFmTWgrekhLeDNZV3VnZjNvbjAycHQKSGV6TlZjQTYrVkQ2WnJpNGVpZEkranBjamdOek16bnRzSWQ4RFpUdWVPRXVHdUZFY1MrTlFnNnhtRzQzVHRtNgpwVmwzakFidEVBbEwzeUpPaTF4b1M1Zm12bFNPTlVEbmhYckxLNkpXTnh6YU04RlBFVndzbXRLcXdoaS84Tk4rCmpCTXpqREtaQmdqOXFuekJXSHdONWxjQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
     }
   }
 }

test/failkey.pem

@@ -18,14 +18,25 @@ set -e
 DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 . "$DIR/common.sh"
 
-if ! checkprograms make ; then
+if ! checkprograms make tar ; then
   exit 1
 fi
 
-
-
 make -C ../ build
-rm -f ./test-attestation.demo ./testapp ./policy-signed.json
-../bin/witness -c test.yaml run -- go build -o=testapp .
-../bin/witness -c test.yaml sign -f policy.json
+rm -f ./policy-signed.json ./build.attestation.json ./package.attestation.json ./fail.attestation.json ./testapp ./testapp.tar.tgz
+../bin/witness -c test.yaml -l debug sign -f policy.json
+
+# successful test
+../bin/witness -c test.yaml run -o build.attestation.json -- go build -o=testapp .
+../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
 ../bin/witness -c test.yaml verify
+
+# make sure we fail if we run with a key not in the policy
+../bin/witness -c test.yaml run -k failkey.pem -o ./fail.attestation.json  -- go build -o=testapp .
+../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
+set +e
+../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json
+if [ $? -eq 0 ]; then
+  echo "expected verify to fail"
+  exit 1
+fi