Skip to content

Commit

Permalink
Merge in upstream changes
Browse files Browse the repository at this point in the history
Signed-off-by: Hayden Blauzvern <[email protected]>
  • Loading branch information
haydentherapper committed Dec 7, 2022
2 parents 325ef6c + 7813599 commit 22e5a0e
Show file tree
Hide file tree
Showing 24 changed files with 500 additions and 408 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/validate-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
statuses: none

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.3-0@sha256:1072190e76d68f455f1bedb7430a633916b6629a722c42246037ac518fdb0ff2
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.4-0@sha256:53ee894818ac14377996a6fe7c8fe6156d018a20f82aaf69f2519fc45d897bec
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057

steps:
Expand Down
6 changes: 3 additions & 3 deletions cmd/cosign/cli/options/signblob.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
"url to the Timestamp RFC3161 server, default none")

cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
"write everything required to verify the blob to a FILE")
_ = cmd.Flags().SetAnnotation("rfc3161-timestamp-bundle", cobra.BashCompFilenameExt, []string{})
cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
"write the RFC3161 timestamp to a file")
_ = cmd.Flags().SetAnnotation("rfc3161-timestamp", cobra.BashCompFilenameExt, []string{})
}
4 changes: 2 additions & 2 deletions cmd/cosign/cli/options/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -164,8 +164,8 @@ func (o *VerifyBlobOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
"path to bundle FILE")

cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
"path to timestamp bundle FILE")
cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
"path to RFC3161 timestamp FILE")
}

// VerifyDockerfileOptions is the top level wrapper for the `dockerfile verify` command.
Expand Down
3 changes: 1 addition & 2 deletions cmd/cosign/cli/policy_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -273,8 +273,7 @@ func signPolicy() *cobra.Command {
return fmt.Errorf("failed to create TSA client: %w", err)
}
// Here we get the response from the timestamped authority server
_, err = tsa.GetTimestampedSignature(signed.Signed, clientTSA)
if err != nil {
if _, err := tsa.GetTimestampedSignature(signed.Signed, clientTSA); err != nil {
return err
}
}
Expand Down
37 changes: 20 additions & 17 deletions cmd/cosign/cli/sign/sign_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,19 +72,36 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string

signedPayload := cosign.LocalSignedPayload{}

var rfc3161Timestamp *cbundle.RFC3161Timestamp
if ko.TSAServerURL != "" {
if ko.RFC3161TimestampPath == "" {
return nil, fmt.Errorf("timestamp output path must be set")
}

clientTSA, err := tsaclient.GetTimestampClient(ko.TSAServerURL)
if err != nil {
return nil, fmt.Errorf("failed to create TSA client: %w", err)
}
b64Sig := []byte(base64.StdEncoding.EncodeToString(sig))

respBytes, err := tsa.GetTimestampedSignature(b64Sig, clientTSA)
respBytes, err := tsa.GetTimestampedSignature(sig, clientTSA)
if err != nil {
return nil, err
}

signedPayload.RFC3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
// TODO: Consider uploading RFC3161 TS to Rekor

if rfc3161Timestamp == nil {
return nil, fmt.Errorf("rfc3161 timestamp is nil")
}
ts, err := json.Marshal(rfc3161Timestamp)
if err != nil {
return nil, err
}
if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil {
return nil, fmt.Errorf("create RFC3161 timestamp file: %w", err)
}
fmt.Fprintf(os.Stderr, "RFC3161 timestamp written to file %s\n", ko.RFC3161TimestampPath)
}
if ShouldUploadToTlog(ctx, ko, nil, tlogUpload) {
rekorBytes, err = sv.Bytes(ctx)
Expand All @@ -103,20 +120,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
signedPayload.Bundle = cbundle.EntryToBundle(entry)
}

// if bundle is specified, just do that and ignore the rest
if ko.RFC3161TimestampPath != "" {
signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)

contents, err := json.Marshal(signedPayload)
if err != nil {
return nil, err
}
if err := os.WriteFile(ko.RFC3161TimestampPath, contents, 0600); err != nil {
return nil, fmt.Errorf("create rfc3161 timestamp file: %w", err)
}
fmt.Printf("RF3161 timestamp bundle wrote in the file %s\n", ko.RFC3161TimestampPath)
}

// if bundle is specified, just do that and ignore the rest
if ko.BundlePath != "" {
signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)
Expand Down
1 change: 1 addition & 0 deletions cmd/cosign/cli/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -301,6 +301,7 @@ The blob may be specified as a path to a file or - for stdin.`,
IgnoreSCT: o.CertVerify.IgnoreSCT,
SCTRef: o.CertVerify.SCT,
Offline: o.CommonVerifyOptions.Offline,
SkipTlogVerify: o.CommonVerifyOptions.SkipTlogVerify,
}
if err := verifyBlobCmd.Exec(cmd.Context(), args[0]); err != nil {
return fmt.Errorf("verifying blob %s: %w", args, err)
Expand Down
8 changes: 8 additions & 0 deletions cmd/cosign/cli/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,8 +150,16 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
}
co.RekorClient = rekorClient
}
// This performs an online fetch of the Rekor public keys, but this is needed
// for verifying tlog entries (both online and offline).
co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
if err != nil {
return fmt.Errorf("getting Rekor public keys: %w", err)
}
}
if keylessVerification(c.KeyRef, c.Sk) {
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
Expand Down
8 changes: 8 additions & 0 deletions cmd/cosign/cli/verify/verify_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -129,8 +129,16 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
}
co.RekorClient = rekorClient
}
// This performs an online fetch of the Rekor public keys, but this is needed
// for verifying tlog entries (both online and offline).
co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
if err != nil {
return fmt.Errorf("getting Rekor public keys: %w", err)
}
}
if keylessVerification(c.KeyRef, c.Sk) {
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
Expand Down
47 changes: 18 additions & 29 deletions cmd/cosign/cli/verify/verify_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ import (
"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/pkg/blob"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/cosign/bundle"
"github.com/sigstore/cosign/pkg/cosign/pivkey"
"github.com/sigstore/cosign/pkg/cosign/pkcs11key"
"github.com/sigstore/cosign/pkg/oci/static"
Expand Down Expand Up @@ -73,16 +74,16 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
opts := make([]static.Option, 0)

// Require a certificate/key OR a local bundle file that has the cert.
if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath, c.RFC3161TimestampPath) == 0 {
return fmt.Errorf("please provide a cert to verify against via --certificate or a bundle via --bundle or --rfc3161-timestamp-bundle")
if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath) == 0 {
return fmt.Errorf("provide a key with --key or --sk, a certificate to verify against with --certificate, or a bundle with --bundle")
}

// Key, sk, and cert are mutually exclusive.
if options.NOf(c.KeyRef, c.Sk, c.CertRef) > 1 {
return &options.KeyParseError{}
}

sig, err := base64signature(c.SigRef, c.BundlePath, c.RFC3161TimestampPath)
sig, err := base64signature(c.SigRef, c.BundlePath)
if err != nil {
return err
}
Expand Down Expand Up @@ -136,9 +137,17 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
}
co.RekorClient = rekorClient
}
// This performs an online fetch of the Rekor public keys, but this is needed
// for verifying tlog entries (both online and offline).
co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
if err != nil {
return fmt.Errorf("getting Rekor public keys: %w", err)
}
}
if keylessVerification(c.KeyRef, c.Sk) {
// Use default TUF roots if a cert chain is not provided.
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
if c.CertChain == "" {
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
Expand Down Expand Up @@ -208,29 +217,15 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
opts = append(opts, static.WithBundle(b.Bundle))
}
if c.RFC3161TimestampPath != "" {
b, err := cosign.FetchLocalSignedPayloadFromPath(c.RFC3161TimestampPath)
var rfc3161Timestamp bundle.RFC3161Timestamp
ts, err := blob.LoadFileOrURL(c.RFC3161TimestampPath)
if err != nil {
return err
}
// Note: RFC3161 timestamp does not set the certificate.
// We have to condition on this because sign-blob may not output the signing
// key to the bundle when there is no tlog upload.
if b.Cert != "" {
// b.Cert can either be a certificate or public key
certBytes := []byte(b.Cert)
if isb64(certBytes) {
certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
}
cert, err = loadCertFromPEM(certBytes)
if err != nil {
// check if cert is actually a public key
co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
if err != nil {
return fmt.Errorf("loading verifier from rfc3161 timestamp bundle: %w", err)
}
}
if err := json.Unmarshal(ts, &rfc3161Timestamp); err != nil {
return err
}
opts = append(opts, static.WithRFC3161Timestamp(b.RFC3161Timestamp))
opts = append(opts, static.WithRFC3161Timestamp(&rfc3161Timestamp))
}
// Set an SCT if provided via the CLI.
if c.SCTRef != "" {
Expand Down Expand Up @@ -306,7 +301,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
}

// base64signature returns the base64 encoded signature
func base64signature(sigRef string, bundlePath, rfc3161TimestampPath string) (string, error) {
func base64signature(sigRef, bundlePath string) (string, error) {
var targetSig []byte
var err error
switch {
Expand All @@ -325,12 +320,6 @@ func base64signature(sigRef string, bundlePath, rfc3161TimestampPath string) (st
return "", err
}
targetSig = []byte(b.Base64Signature)
case rfc3161TimestampPath != "":
b, err := cosign.FetchLocalSignedPayloadFromPath(rfc3161TimestampPath)
if err != nil {
return "", err
}
targetSig = []byte(b.Base64Signature)
default:
return "", fmt.Errorf("missing flag '--signature'")
}
Expand Down
Loading

0 comments on commit 22e5a0e

Please sign in to comment.