From e095e690a8b3c31b6dbcb9af02f870cc41fbf18b Mon Sep 17 00:00:00 2001
From: Sebastien Tardif
Date: Thu, 21 May 2026 07:28:33 -0700
Subject: [PATCH] fix(provenance): check error return in Digest

Return the actual error from io.Copy in Digest() instead of nil. The previous code swallowed the error and returned an empty string as a valid SHA-256 digest, which could silently break chart provenance verification.

Also fix encodeRelease() in pkg/storage/driver/util.go:
- Close the gzip writer on the w.Write() error path to avoid leaking resources.
- Check the error return from gzip.Writer.Close(), which flushes remaining compressed data and can fail.

Assisted-by: Grok/xAI
Signed-off-by: Sebastien Tardif
---
 pkg/provenance/sign.go | 2 +-
 pkg/storage/driver/util.go | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/provenance/sign.go b/pkg/provenance/sign.go
index 45d4fe1a5..9b3e774cb 100644
--- a/pkg/provenance/sign.go
+++ b/pkg/provenance/sign.go
@@ -388,7 +388,7 @@ func DigestFile(filename string) (string, error) {
 func Digest(in io.Reader) (string, error) {
 	hash := crypto.SHA256.New()
 	if _, err := io.Copy(hash, in); err != nil {
-		return "", nil
+		return "", err
 	}
 	return hex.EncodeToString(hash.Sum(nil)), nil
 }
diff --git a/pkg/storage/driver/util.go b/pkg/storage/driver/util.go
index ca8e23cc2..756731ef6 100644
--- a/pkg/storage/driver/util.go
+++ b/pkg/storage/driver/util.go
@@ -46,9 +46,12 @@ func encodeRelease(rls *rspb.Release) (string, error) {
 		return "", err
 	}
 	if _, err = w.Write(b); err != nil {
+		w.Close()
+		return "", err
+	}
+	if err = w.Close(); err != nil {
 		return "", err
 	}
-	w.Close()
 	return b64.EncodeToString(buf.Bytes()), nil
 }
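Review bot: The `w.Close()` added on the Write error path in encodeRelease discards its return value without comment, which errcheck-style linters will flag and which now reads as an oversight next to the new checked Close a few lines below. Since the Write error is the one worth reporting, make the intent explicit with `_ = w.Close() // best effort: report the Write error, not a secondary Close failure`. The checked Close on the success path is the important part of this hunk: a Close failure means buf holds an incomplete gzip stream, so returning the error instead of encoding buf.Bytes() is the right call and worth a one-line comment saying so. encodeRelease's signature and the json/gzip setup are outside the hunk; note too that the header announces 9 old-side lines while only 8 appear, so a blank context line after the removed `w.Close()` may have been lost in transit.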