Merge pull request #2926 from buildkite/make_verification_failures_de…

…bugging_clearer Add a bit more context to the debugging for failing signature verify
buildkite · Aug 8, 2024 · 5f6491b · 5f6491b
2 parents 0915af0 + 117aafd
commit 5f6491b
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/agent/verify_job.go b/agent/verify_job.go
@@ -59,14 +59,14 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 		signature.WithDebugSigning(r.conf.AgentConfiguration.DebugSigning),
 	)
 	if err != nil {
-		r.agentLogger.Debug("verifyJob: step.Signature.Verify(Job.Env, stepWithInvariants, JWKS) = %v", err)
+		r.agentLogger.Debug("failed to verifyJob: step.Signature.Verify(Job.Env, stepWithInvariants, JWKS) = %v", err)
 		return newInvalidSignatureError(ErrVerificationFailed)
 	}
 
 	// Interpolate the matrix permutation (validating the permutation in the
 	// process).
 	if err := step.InterpolateMatrixPermutation(r.conf.Job.MatrixPermutation); err != nil {
-		r.agentLogger.Debug("verifyJob: step.InterpolateMatrixPermutation(% #v) = %v", r.conf.Job.MatrixPermutation, err)
+		r.agentLogger.Debug("failed to verifyJob: step.InterpolateMatrixPermutation(% #v) = %v", r.conf.Job.MatrixPermutation, err)
 		return newInvalidSignatureError(ErrInvalidJob)
 	}
 
@@ -118,7 +118,7 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 		case "command": // compare directly
 			jobCommand := r.conf.Job.Env["BUILDKITE_COMMAND"]
 			if step.Command != jobCommand {
-				r.agentLogger.Debug("verifyJob: BUILDKITE_COMMAND = %q != %q = step.Command", jobCommand, step.Command)
+				r.agentLogger.Debug("failed to verifyJob: BUILDKITE_COMMAND = %q != %q = step.Command", jobCommand, step.Command)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 
@@ -128,11 +128,11 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 			for name, stepEnvValue := range step.Env {
 				jobEnvValue, has := r.conf.Job.Env[name]
 				if !has {
-					r.agentLogger.Debug("verifyJob: %q missing from Job.Env; step.Env[%q] = %q", name, name, stepEnvValue)
+					r.agentLogger.Debug("failed to verifyJob: %q missing from Job.Env; step.Env[%q] = %q", name, name, stepEnvValue)
 					return newInvalidSignatureError(ErrInvalidJob)
 				}
 				if jobEnvValue != stepEnvValue {
-					r.agentLogger.Debug("verifyJob: Job.Env[%q] = %q != %q = step.Env[%q]", name, jobEnvValue, stepEnvValue, name)
+					r.agentLogger.Debug("failed to verifyJob: Job.Env[%q] = %q != %q = step.Env[%q]", name, jobEnvValue, stepEnvValue, name)
 					return newInvalidSignatureError(ErrInvalidJob)
 				}
 			}
@@ -151,28 +151,28 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 			}
 			if emptyStepPlugins != emptyJobPlugins {
 				// one is empty but the other is not
-				r.agentLogger.Debug("verifyJob: emptyJobPlugins = %t != %t = emptyStepPlugins", emptyJobPlugins, emptyStepPlugins)
+				r.agentLogger.Debug("failed to verifyJob: emptyJobPlugins = %t != %t = emptyStepPlugins", emptyJobPlugins, emptyStepPlugins)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 
 			stepPluginsJSON, err := json.Marshal(step.Plugins)
 			if err != nil {
-				r.agentLogger.Debug("verifyJob: json.Marshal(step.Plugins) = %v", err)
+				r.agentLogger.Debug("failed to verifyJob: json.Marshal(step.Plugins) = %v", err)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 			stepPluginsNorm, err := jcs.Transform(stepPluginsJSON)
 			if err != nil {
-				r.agentLogger.Debug("verifyJob: jcs.Transform(stepPluginsJSON) = %v", err)
+				r.agentLogger.Debug("failed to verifyJob: jcs.Transform(stepPluginsJSON) = %v", err)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 			jobPluginsNorm, err := jcs.Transform([]byte(jobPluginsJSON))
 			if err != nil {
-				r.agentLogger.Debug("verifyJob: jcs.Transform(jobPluginsJSON) = %v", err)
+				r.agentLogger.Debug("failed to verifyJob: jcs.Transform(jobPluginsJSON) = %v", err)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 
 			if !bytes.Equal(jobPluginsNorm, stepPluginsNorm) {
-				r.agentLogger.Debug("verifyJob: jobPluginsNorm = %q != %q = stepPluginsNorm", jobPluginsNorm, stepPluginsNorm)
+				r.agentLogger.Debug("failed to verifyJob: jobPluginsNorm = %q != %q = stepPluginsNorm", jobPluginsNorm, stepPluginsNorm)
 				return newInvalidSignatureError(ErrInvalidJob)
 			}
 
@@ -189,7 +189,7 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 			if name, isEnv := strings.CutPrefix(field, signature.EnvNamespacePrefix); isEnv {
 				if _, has := r.conf.Job.Env[name]; !has {
 					// A pipeline env var that is now missing.
-					r.agentLogger.Debug("verifyJob: %q missing from Job.Env", name)
+					r.agentLogger.Debug("failed to verifyJob: %q missing from Job.Env", name)
 					return newInvalidSignatureError(ErrInvalidJob)
 				}
 				// The env var is present. Signature.Verify used the value from
@@ -199,7 +199,7 @@ func (r *JobRunner) verifyJob(ctx context.Context, keySet jwk.Set) error {
 
 			// We don't know this field, so we cannot ensure it is consistent
 			// with the job.
-			r.agentLogger.Debug("verifyJob: mystery signed field %q", field)
+			r.agentLogger.Debug("failed to verifyJob: mystery signed field %q", field)
 			return newInvalidSignatureError(ErrInvalidJob)
 		}
 	}