fix(provenance): check error return in Digest

Return the actual error from io.Copy in Digest() instead of nil.
The previous code swallowed the error and returned an empty string
as a valid SHA-256 digest, which could silently break chart
provenance verification.

Also fix encodeRelease() in pkg/storage/driver/util.go:
- Close the gzip writer on the w.Write() error path to avoid
  leaking resources.
- Check the error return from gzip.Writer.Close(), which flushes
  remaining compressed data and can fail.

Assisted-by: Grok/xAI
Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
pull/32136/head
Sebastien Tardif 4 weeks ago
parent fcdf3854b0
commit e095e690a8

@ -388,7 +388,7 @@ func DigestFile(filename string) (string, error) {
func Digest(in io.Reader) (string, error) {
hash := crypto.SHA256.New()
if _, err := io.Copy(hash, in); err != nil {
return "", nil
return "", err
}
return hex.EncodeToString(hash.Sum(nil)), nil
}
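Review bot: The corrected error path at the `return "", err` line has no test pinning it, so the old swallow-and-return-empty-digest behaviour could reappear unnoticed; a case feeding `Digest(iotest.ErrReader(errors.New("read failed")))` and asserting a non-nil error together with an empty digest string would cover it. The io.Copy error is also passed through bare, so a caller cannot tell which step of verification failed; if the file already imports fmt, `return "", fmt.Errorf("hashing chart data: %w", err)` adds that context without changing the error a caller can unwrap. Digest is complete within the hunk.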

@ -46,9 +46,12 @@ func encodeRelease(rls *rspb.Release) (string, error) {
return "", err
}
if _, err = w.Write(b); err != nil {
w.Close()
return "", err
}
if err = w.Close(); err != nil {
return "", err
}
w.Close()
return b64.EncodeToString(buf.Bytes()), nil
}
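Review bot: The new `w.Close()` on the Write-error path discards the close result silently, which errcheck will flag and which reads as an oversight next to the checked `if err = w.Close()` added a few lines below; `_ = w.Close() // the Write error is the one worth reporting` makes the discard deliberate. If the bare `w.Close()` that precedes `return b64.EncodeToString(buf.Bytes()), nil` survives on the new side rather than being removed, it is a redundant second close and should go, since the checked call above already flushed the remaining compressed data into buf. encodeRelease starts before this hunk, so the declarations of `w` and `err` that the new lines rely on are not visible here.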
