feat: support disabling cosign and SLSA (#2634)

* feat: support disabling cosign

* feat: support disabling slsa verification

* fix: support disabling the checksum file verification with cosign

* fix: suppress a lint error

pkg/cli/runner.go

@@ -52,6 +52,8 @@ func (r *Runner) setParam(c *cli.Context, commandName string, param *config.Para
 	param.All = c.Bool("all")
 	param.Detail = c.Bool("detail")
 	param.Prune = c.Bool("prune")
+	param.CosignDisabled = c.Bool("disable-cosign")
+	param.SLSADisabled = c.Bool("disable-slsa")
 	param.Limit = c.Int("limit")
 	param.SelectVersion = c.Bool("select-version")
 	param.ShowVersion = c.Bool("version")
@@ -128,7 +130,7 @@ func parseTags(tags []string) map[string]struct{} {
 	return tagsM
 }
 
-func (r *Runner) Run(ctx context.Context, args ...string) error {
+func (r *Runner) Run(ctx context.Context, args ...string) error { //nolint:funlen
 	compiledDate, err := time.Parse(time.RFC3339, r.LDFlags.Date)
 	if err != nil {
 		compiledDate = time.Now()
@@ -151,6 +153,16 @@ func (r *Runner) Run(ctx context.Context, args ...string) error {
 				Usage:   "configuration file path",
 				EnvVars: []string{"AQUA_CONFIG"},
 			},
+			&cli.BoolFlag{
+				Name:    "disable-cosign",
+				Usage:   "Disable Cosign verification",
+				EnvVars: []string{"AQUA_DISABLE_COSIGN"},
+			},
+			&cli.BoolFlag{
+				Name:    "disable-slsa",
+				Usage:   "Disable SLSA verification",
+				EnvVars: []string{"AQUA_DISABLE_SLSA"},
+			},
 			&cli.StringFlag{
 				Name:  "trace",
 				Usage: "trace output file path",

pkg/config/package.go

@@ -274,6 +274,8 @@ type Param struct {
 	Detail                bool
 	OnlyPackage           bool
 	OnlyRegistry          bool
+	CosignDisabled        bool
+	SLSADisabled          bool
 	PolicyConfigFilePaths []string
 	Commands              []string
 }

pkg/installpackage/checksum.go

@@ -28,7 +28,7 @@ func (is *Installer) dlAndExtractChecksum(ctx context.Context, logE *logrus.Entr
 		return "", fmt.Errorf("read a checksum file: %w", err)
 	}
 
-	if cos := pkg.PackageInfo.Checksum.GetCosign(); cos.GetEnabled() {
+	if cos := pkg.PackageInfo.Checksum.GetCosign(); cos.GetEnabled() && !is.cosignDisabled {
 		f, err := afero.TempFile(is.fs, "", "")
 		if err != nil {
 			return "", fmt.Errorf("create a temporal file: %w", err)

pkg/installpackage/installer.go

@@ -46,6 +46,8 @@ type Installer struct {
 	maxParallelism        int
 	progressBar           bool
 	onlyLink              bool
+	cosignDisabled        bool
+	slsaDisabled          bool
 }
 
 func New(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker Linker, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, cosignVerifier CosignVerifier, slsaVerifier SLSAVerifier, goInstallInstaller GoInstallInstaller, goBuildInstaller GoBuildInstaller, cargoPackageInstaller CargoPackageInstaller) *Installer {
@@ -73,6 +75,8 @@ func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtim
 		linker:                linker,
 		progressBar:           param.ProgressBar,
 		onlyLink:              param.OnlyLink,
+		cosignDisabled:        param.CosignDisabled,
+		slsaDisabled:          param.SLSADisabled,
 		copyDir:               param.Dest,
 		unarchiver:            unarchiver,
 		cosign:                cosignVerifier,

pkg/installpackage/verify_cosign.go

@@ -10,6 +10,11 @@ import (
 )
 
 func (is *Installer) verifyWithCosign(ctx context.Context, logE *logrus.Entry, bodyFile *download.DownloadedFile, param *DownloadParam) error {
+	if is.cosignDisabled {
+		logE.Debug("cosign is disabled")
+		return nil
+	}
+
 	ppkg := param.Package
 
 	cos := ppkg.PackageInfo.Cosign

pkg/installpackage/verify_slsa.go

@@ -10,6 +10,10 @@ import (
 )
 
 func (is *Installer) verifyWithSLSA(ctx context.Context, logE *logrus.Entry, bodyFile *download.DownloadedFile, param *DownloadParam) error {
+	if is.slsaDisabled {
+		logE.Debug("slsa verification is disabled")
+		return nil
+	}
 	ppkg := param.Package
 	pkgInfo := param.Package.PackageInfo
 	sp := ppkg.PackageInfo.SLSAProvenance