fix(api): handle old attestation formats during validation push (#2612)

migmartri · web-flow · commit 8dc39928e0c7 · 2025-12-12T10:23:53.000+01:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/biz/workflowrun.go b/app/controlplane/pkg/biz/workflowrun.go
@@ -323,14 +323,18 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en
 	}
 
 	// verify attestation (only if chainloop is the signer)
-	result, err := uc.verifyBundle(ctx, rawContent)
+	validation, err := uc.verifyBundle(ctx, rawContent)
 	if err != nil {
-		return nil, err
+		if !errors.Is(err, verifier.ErrInvalidBundle) {
+			return nil, err
+		}
+		// invalid bundle is expected for old attestations so we skip validation
+		uc.logger.Warn("received an old attestation format, not a bundle: attestation verification skipped", "error", err)
 	}
 
 	// if it's verifiable, make sure it passed
-	if result != nil && !result.Result {
-		return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", result.FailureReason))
+	if validation != nil && !validation.Result {
+		return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", validation.FailureReason))
 	}
 
 	// Run some validations on the predicate
@@ -475,6 +479,10 @@ func (uc *WorkflowRunUseCase) verifyBundle(ctx context.Context, bundle []byte) (
 			return nil, nil
 		}
 
+		if errors.Is(err, verifier.ErrInvalidBundle) {
+			return nil, err
+		}
+
 		return &VerificationResult{Result: false, FailureReason: err.Error()}, nil
 	}
 	return &VerificationResult{Result: true}, nil
diff --git a/pkg/attestation/verifier/verifier.go b/pkg/attestation/verifier/verifier.go
@@ -38,6 +38,7 @@ type TrustedRoot struct {
 }
 
 var ErrMissingVerificationMaterial = errors.New("missing material")
+var ErrInvalidBundle = errors.New("invalid bundle")
 
 func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) error {
 	if bundleBytes == nil {
@@ -47,7 +48,7 @@ func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) erro
 	bundle := new(protobundle.Bundle)
 	// unmarshal and validate
 	if err := protojson.Unmarshal(bundleBytes, bundle); err != nil {
-		return fmt.Errorf("invalid bundle: %w", err)
+		return fmt.Errorf("%w: %w", err, ErrInvalidBundle)
 	}
 
 	// fix for old attestations

Original file line number	Diff line number	Diff line change
`@@ -323,14 +323,18 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en`
`323`	`323`	`}`
`324`	`324`
`325`	`325`	`// verify attestation (only if chainloop is the signer)`
`326`		`- result, err := uc.verifyBundle(ctx, rawContent)`
	`326`	`+ validation, err := uc.verifyBundle(ctx, rawContent)`
`327`	`327`	`if err != nil {`
`328`		`- return nil, err`
	`328`	`+ if !errors.Is(err, verifier.ErrInvalidBundle) {`
	`329`	`+ return nil, err`
	`330`	`+ }`
	`331`	`+ // invalid bundle is expected for old attestations so we skip validation`
	`332`	`+ uc.logger.Warn("received an old attestation format, not a bundle: attestation verification skipped", "error", err)`
`329`	`333`	`}`
`330`	`334`
`331`	`335`	`// if it's verifiable, make sure it passed`
`332`		`- if result != nil && !result.Result {`
`333`		`- return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", result.FailureReason))`
	`336`	`+ if validation != nil && !validation.Result {`
	`337`	`+ return nil, NewErrValidation(fmt.Errorf("attestation verification failed: %s", validation.FailureReason))`
`334`	`338`	`}`
`335`	`339`
`336`	`340`	`// Run some validations on the predicate`
`@@ -475,6 +479,10 @@ func (uc *WorkflowRunUseCase) verifyBundle(ctx context.Context, bundle []byte) (`
`475`	`479`	`return nil, nil`
`476`	`480`	`}`
`477`	`481`
	`482`	`+ if errors.Is(err, verifier.ErrInvalidBundle) {`
	`483`	`+ return nil, err`
	`484`	`+ }`
	`485`	`+`
`478`	`486`	`return &VerificationResult{Result: false, FailureReason: err.Error()}, nil`
`479`	`487`	`}`
`480`	`488`	`return &VerificationResult{Result: true}, nil`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ type TrustedRoot struct {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`var ErrMissingVerificationMaterial = errors.New("missing material")`
	`41`	`+var ErrInvalidBundle = errors.New("invalid bundle")`
`41`	`42`
`42`	`43`	`func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) error {`
`43`	`44`	`if bundleBytes == nil {`
`@@ -47,7 +48,7 @@ func VerifyBundle(ctx context.Context, bundleBytes []byte, tr *TrustedRoot) erro`
`47`	`48`	`bundle := new(protobundle.Bundle)`
`48`	`49`	`// unmarshal and validate`
`49`	`50`	`if err := protojson.Unmarshal(bundleBytes, bundle); err != nil {`
`50`		`- return fmt.Errorf("invalid bundle: %w", err)`
	`51`	`+ return fmt.Errorf("%w: %w", err, ErrInvalidBundle)`
`51`	`52`	`}`
`52`	`53`
`53`	`54`	`// fix for old attestations`