From 33690bc0a7b56225b79ef637de7751e08dd670bc Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Tue, 29 Oct 2024 12:22:51 -0400
Subject: [PATCH 1/2] Return errors from TSA verification if there are no valid timestamps
Signed-off-by: Cody Soyland
---
 pkg/verify/tsa.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go
index 92f8289..50e698b 100644
--- a/pkg/verify/tsa.go
+++ b/pkg/verify/tsa.go
@@ -54,17 +54,22 @@ func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedM
 	signatureBytes := sigContent.Signature()
 	verifiedTimestamps := []*root.Timestamp{}
+	var errs []error
 	for _, timestamp := range signedTimestamps {
 		verifiedSignedTimestamp, err := verifySignedTimestamp(timestamp, signatureBytes, trustedMaterial)
 		// Timestamps from unknown source are okay, but don't count as verified
 		if err != nil {
+			errs = append(errs, err)
 			continue
 		}
 		verifiedTimestamps = append(verifiedTimestamps, verifiedSignedTimestamp)
 	}
+	if len(verifiedTimestamps) == 0 {
+		return nil, fmt.Errorf("no verified signed timestamps: %w", errors.Join(errs...))
+	}
 	return verifiedTimestamps, nil
 }
@@ -87,13 +92,16 @@ func VerifyTimestampAuthorityWithThreshold(entity SignedEntity, trustedMaterial
 func verifySignedTimestamp(signedTimestamp []byte, signatureBytes []byte, trustedMaterial root.TrustedMaterial) (*root.Timestamp, error) {
 	timestampAuthorities := trustedMaterial.TimestampingAuthorities()
+	var errs []error
+
 	// Iterate through TSA certificate authorities to find one that verifies
 	for _, tsa := range timestampAuthorities {
 		ts, err := tsa.Verify(signedTimestamp, signatureBytes)
 		if err == nil {
 			return ts, nil
 		}
+		errs = append(errs, err)
 	}
-	return nil, errors.New("unable to verify signed timestamps")
+	return nil, fmt.Errorf("unable to verify signed timestamps: %w", errors.Join(errs...))
 }
From 0e08ce586e33176e7107bcd78895544432e30eb2 Mon Sep 17 00:00:00 2001
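Review bot: The comment `// Timestamps from unknown source are okay, but don't count as verified` is now only half true, because the added `errs = append(errs, err)` together with the new `len(verifiedTimestamps) == 0` check turns a run of unverifiable timestamps into a hard error instead of a silent skip. I would reword it to `// A timestamp that fails verification is skipped, but its error is kept so the failure can be reported if nothing verifies`. VerifyTimestampAuthority's signature and doc comment sit above the hunk; the doc comment should also state that an error wrapping every per-timestamp failure is returned when timestamps were supplied but none verified, since callers that previously treated an empty result as "nothing to check" will now see an error.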
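Review bot: When trustedMaterial.TimestampingAuthorities() returns no authorities, the loop in verifySignedTimestamp never runs, errs stays nil, and the new final return wraps `errors.Join()` of nothing, which is nil; fmt.Errorf then produces the message `unable to verify signed timestamps: %!w(<nil>)` with no wrapped cause. That is exactly the case a verifier most needs to distinguish (a trust root with no TSAs at all versus TSAs that rejected the timestamp), so I would guard it before the join: `if len(errs) == 0 { return nil, errors.New("unable to verify signed timestamps: no timestamping authorities in trusted material") }`. The second patch in this series only narrows the caller's check and does not cover this path.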
From: Cody Soyland
Date: Tue, 29 Oct 2024 12:27:57 -0400
Subject: [PATCH 2/2] Check if len(errs) > 0
Signed-off-by: Cody Soyland
---
 pkg/verify/tsa.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go
index 50e698b..7a25d5b 100644
--- a/pkg/verify/tsa.go
+++ b/pkg/verify/tsa.go
@@ -67,7 +67,7 @@ func VerifyTimestampAuthority(entity SignedEntity, trustedMaterial root.TrustedM
 		verifiedTimestamps = append(verifiedTimestamps, verifiedSignedTimestamp)
 	}
-	if len(verifiedTimestamps) == 0 {
+	if len(verifiedTimestamps) == 0 && len(errs) > 0 {
 		return nil, fmt.Errorf("no verified signed timestamps: %w", errors.Join(errs...))
 	}
 	return verifiedTimestamps, nil
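Review bot: The widened condition `len(verifiedTimestamps) == 0 && len(errs) > 0` means an empty signedTimestamps list still returns an empty slice with a nil error, and the reason for that asymmetry is not written down; a comment such as `// No timestamps supplied is not an error here; the caller decides how many are required. Only fail when timestamps were present and every one was rejected.` would stop the next reader from "simplifying" the guard away again. Because errs only grows when a timestamp failed, `len(signedTimestamps) > 0 && len(verifiedTimestamps) == 0` expresses the same condition directly in terms of the input and reads more clearly. The enforcement of a minimum count presumably lives in VerifyTimestampAuthorityWithThreshold, whose body is outside this hunk; VerifyTimestampAuthority's header and closing brace are also outside the hunk.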