Summary
aicr verify degrades to the positive attested trust level when the binary attestation verification fails, not only when it is missing. An actively-invalid or tampered binary attestation is therefore treated the same as a clean bundle without one.
Evidence
In pkg/bundler/verifier/verifier.go (binary-attestation step):
- missing binary attestation -> setTrust(TrustAttested, "...binary attestation not found (incomplete chain)")
- extractBinaryDigest error -> setTrust(TrustAttested, "could not extract binary digest...")
- VerifyBinaryAttestation(...) returns an error -> setTrust(TrustAttested, "binary attestation verification failed") and return result, nil
So a verification failure yields attested (level 3), the same as a legitimate missing-attestation case, rather than unknown/unverified.
Surfaced reviewing PR #1547.
Question / proposed fix
Decide whether a failed (as opposed to absent) binary attestation should:
- drop to unknown (treat an invalid attestation as a hard failure), or
- remain attested by design (the verifying binary may differ from the build binary, so a mismatch is tolerated).
If the latter, document the rationale; if the former, distinguish "missing" from "verification failed" and add a regression test. The PR #1547 docs were updated to say attested can mean "binary attestation missing/unverified" so the docs already match current behavior.
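The distinction proposed above, as an added Go example that is not the aicr project's own code: a sketch of the binary-attestation step with the current collapse beside a version that separates a missing attestation from a failed one. VerifyBinaryAttestation is modelled as a plain callback, and the Bundle, Outcome, TrustUnknown and TrustVerified names are assumptions (only TrustAttested appears in the issue).

```go
package main

import (
	"errors"
	"fmt"
)

// TrustLevel orders the verifier's outcomes; higher is more trusted. TrustAttested
// is the name used in the issue; TrustUnknown and TrustVerified are assumed names.
type TrustLevel int

const (
	TrustUnknown  TrustLevel = 0
	TrustAttested TrustLevel = 3
	TrustVerified TrustLevel = 4
)

// Bundle is a constructed stand-in for the verified bundle; nil means "absent".
type Bundle struct{ BinaryAttestation []byte }

// Outcome is the trust level together with the reason recorded for it.
type Outcome struct{ Level TrustLevel; Reason string }

// ErrVerificationFailed marks an attestation that is present but invalid.
var ErrVerificationFailed = errors.New("binary attestation verification failed")

// VerifyBinaryStepCurrent reproduces the reported behaviour: an absent attestation
// and a failed verification both settle on TrustAttested and no error is returned.
func VerifyBinaryStepCurrent(b Bundle, verify func([]byte) error) Outcome {
	if b.BinaryAttestation == nil {
		return Outcome{TrustAttested, "binary attestation not found (incomplete chain)"}
	}
	if err := verify(b.BinaryAttestation); err != nil {
		return Outcome{TrustAttested, "binary attestation verification failed"}
	}
	return Outcome{TrustVerified, "binary attestation verified"}
}

// VerifyBinaryStepFixed keeps the "missing" case unchanged but treats a failed
// verification as a hard failure: TrustUnknown, with the cause wrapped and returned.
func VerifyBinaryStepFixed(b Bundle, verify func([]byte) error) (Outcome, error) {
	if b.BinaryAttestation == nil {
		return Outcome{TrustAttested, "binary attestation not found (incomplete chain)"}, nil
	}
	if err := verify(b.BinaryAttestation); err != nil {
		return Outcome{TrustUnknown, "binary attestation verification failed"},
			fmt.Errorf("%w: %v", ErrVerificationFailed, err)
	}
	return Outcome{TrustVerified, "binary attestation verified"}, nil
}
```

A regression test for the fix only needs the tampered case to assert TrustUnknown and a non-nil error while the missing case still asserts TrustAttested.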