gardener · vpnachev · May 11, 2023 · May 9, 2023 · May 9, 2023 · May 9, 2023
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 COSIGN         := $(TOOLS_BIN_DIR)/cosign
-COSIGN_VERSION ?= v1.12.1
+COSIGN_VERSION ?= v2.0.2
 
 export TOOLS_BIN_DIR := $(TOOLS_BIN_DIR)
 export PATH := $(abspath $(TOOLS_BIN_DIR)):$(PATH)
@@ -21,4 +21,4 @@ tool_version_file = $(TOOLS_BIN_DIR)/.version_$(subst $(TOOLS_BIN_DIR)/,,$(1))_$
 #########################################
 
 $(COSIGN): $(call tool_version_file,$(COSIGN),$(COSIGN_VERSION))
-	GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install github.com/sigstore/cosign/cmd/cosign@$(COSIGN_VERSION)
+	GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install github.com/sigstore/cosign/v2/cmd/cosign@$(COSIGN_VERSION)
@@ -7,7 +7,6 @@ package verifysignature
 import (
 	"context"
 	"crypto"
-	"errors"
 	"fmt"
 
 	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/constants"
@@ -16,8 +15,8 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/sigstore/cosign/pkg/cosign"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"golang.org/x/sync/singleflight"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -77,12 +76,20 @@ func verify(ctx context.Context, imageRef name.Reference, keys []crypto.PublicKe
 			RegistryClientOpts: opts,
 			SigVerifier:        verifier,
 			ClaimVerifier:      cosign.SimpleClaimVerifier,
+			IgnoreSCT:          true,
+			IgnoreTlog:         true,
 		})
 		if err != nil {
+			if IsNoSignaturesFound(err) {
+				log.Info("no signatures found for the image", "error", err.Error())
+				return false, nil
+			}
+
 			if IsNoMatchingSignature(err) {
 				log.Info("no matching signatures found for current public key", "error", err.Error())
 				continue
 			}
+
 			return false, err
 		}
 
@@ -145,8 +152,20 @@ func (r *cacheVerifier) Verify(ctx context.Context, image string, kcr utils.KeyC
 	return verified, nil
 }
 
-// IsNoMatchingSignature checks if error is of time github.com/sigstore/cosign/pkg/cosign.ErrNoMatchingSignatures.
+// IsNoMatchingSignature checks if error is of time github.com/sigstore/cosign/pkg/cosign.ErrNoMatchingSignaturesType.
 func IsNoMatchingSignature(err error) bool {
-	target := cosign.ErrNoMatchingSignatures
-	return errors.As(err, &target)
+	noMatchingSignatureErr, ok := err.(*cosign.VerificationError)
+	if !ok {
+		return false
+	}
+	return noMatchingSignatureErr.ErrorType() == cosign.ErrNoMatchingSignaturesType
+}
+
+// IsNoSignaturesFound checks if error is of time github.com/sigstore/cosign/pkg/cosign.ErrNoSignaturesFoundType.
+func IsNoSignaturesFound(err error) bool {
+	noMatchingSignatureErr, ok := err.(*cosign.VerificationError)
+	if !ok {
+		return false
+	}
+	return noMatchingSignatureErr.ErrorType() == cosign.ErrNoSignaturesFoundType
 }
@@ -7,7 +7,6 @@ package verifysignature_test
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/lakom/utils"
@@ -16,7 +15,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/authn"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	logzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 type anonymousKeyChain struct{}
@@ -37,7 +38,8 @@ var _ = Describe("Verifier", func() {
 		refresh = time.Millisecond * 100
 		ttl     = time.Second
 		kcr     = &anonymousKeyChainReader{}
-		ctx     = context.TODO()
+		ctx     context.Context
+		logger  = logzap.New(logzap.WriteTo(GinkgoWriter), logzap.UseDevMode(true))
 
 		// source: https://github.com/sigstore/cosign/releases/download/v1.11.1/release-cosign.pub
 		cosignPublicKey = `-----BEGIN PUBLIC KEY-----
@@ -47,6 +49,10 @@ IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
 `
 	)
 
+	BeforeEach(func() {
+		ctx = logf.IntoContext(context.TODO(), logger)
+	})
+
 	Describe("Direct Verifier", func() {
 		var (
 			directVerifier verifysignature.Verifier
@@ -168,10 +174,19 @@ IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
 	})
 
 	It("Should detect NoMatchingSignature error", func() {
-		noMathcingSignatureErr := fmt.Errorf("%w:\n%s", cosign.ErrNoMatchingSignatures, strings.Join([]string{"some error message"}, "\n "))
+		noMathcingSignatureErr := &cosign.VerificationError{}
+		noMathcingSignatureErr.SetErrorType(cosign.ErrNoMatchingSignaturesType)
 
 		Expect(verifysignature.IsNoMatchingSignature(noMathcingSignatureErr)).To(BeTrue())
 		Expect(verifysignature.IsNoMatchingSignature(fmt.Errorf("some other error"))).To(BeFalse())
 	})
 
+	It("Should detect NoSignaturesFoundType error", func() {
+		noSignatureFound := &cosign.VerificationError{}
+		noSignatureFound.SetErrorType(cosign.ErrNoSignaturesFoundType)
+
+		Expect(verifysignature.IsNoSignaturesFound(noSignatureFound)).To(BeTrue())
+		Expect(verifysignature.IsNoSignaturesFound(fmt.Errorf("some other error"))).To(BeFalse())
+	})
+
 })