feat: support attach attestation

Signed-off-by: Batuhan Apaydın <[email protected]>
sigstore · Dec 26, 2021 · 8a8682f · 8a8682f
1 parent 894a3bc
commit 8a8682f
Show file tree

Hide file tree

Showing 5 changed files with 225 additions and 2 deletions.
diff --git a/cmd/cosign/cli/attach.go b/cmd/cosign/cli/attach.go
@@ -16,10 +16,9 @@
 package cli
 
 import (
-	"github.com/spf13/cobra"
-
 	"github.com/sigstore/cosign/cmd/cosign/cli/attach"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/spf13/cobra"
 )
 
 func Attach() *cobra.Command {
@@ -31,6 +30,7 @@ func Attach() *cobra.Command {
 	cmd.AddCommand(
 		attachSignature(),
 		attachSBOM(),
+		attachAttestation(),
 	)
 
 	return cmd
@@ -75,3 +75,21 @@ func attachSBOM() *cobra.Command {
 
 	return cmd
 }
+
+func attachAttestation() *cobra.Command {
+	o := &options.AttachAttestationOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "attestation",
+		Short:   "Attach attestation to the supplied container image",
+		Example: "  cosign attach attestation <image uri>",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return attach.AttestationCmd(cmd.Context(), o.Registry, o.Key, o.SecurityKey, o.Attestation, o.Rekor.URL, args[0])
+		},
+	}
+
+	o.AddFlags(cmd)
+
+	return cmd
+}
diff --git a/cmd/cosign/cli/attach/attestation.go b/cmd/cosign/cli/attach/attestation.go
@@ -0,0 +1,135 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attach
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/pkg/errors"
+	ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/pkg/cosign/pivkey"
+	"github.com/sigstore/cosign/pkg/cosign/pkcs11key"
+	"github.com/sigstore/cosign/pkg/oci/mutate"
+	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/pkg/oci/static"
+	sigs "github.com/sigstore/cosign/pkg/signature"
+	"github.com/sigstore/cosign/pkg/types"
+	"github.com/sigstore/sigstore/pkg/signature/dsse"
+)
+
+func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, keyRef string, sk options.SecurityKeyOptions, signedPayload, rekorURL, imageRef string) error {
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "constructing client options")
+	}
+	co := &cosign.CheckOpts{
+		RegistryClientOpts: ociremoteOpts,
+	}
+
+	if options.EnableExperimental() {
+		if rekorURL != "" {
+			rekorClient, err := rekor.NewClient(rekorURL)
+			if err != nil {
+				return errors.Wrap(err, "creating Rekor client")
+			}
+			co.RekorClient = rekorClient
+		}
+		co.RootCerts = fulcio.GetRoots()
+	}
+
+	// Keys are optional!
+	if keyRef != "" {
+		co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, keyRef)
+		if err != nil {
+			return errors.Wrap(err, "loading public key")
+		}
+		pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key)
+		if ok {
+			defer pkcs11Key.Close()
+		}
+	} else if sk.Use {
+		sk, err := pivkey.GetKeyWithSlot(sk.Slot)
+		if err != nil {
+			return errors.Wrap(err, "opening piv token")
+		}
+		defer sk.Close()
+		co.SigVerifier, err = sk.Verifier()
+		if err != nil {
+			return errors.Wrap(err, "initializing piv token verifier")
+		}
+	}
+
+	fmt.Fprintln(os.Stderr, "Using payload from:", signedPayload)
+	payload, err := os.ReadFile(signedPayload)
+	if err != nil {
+		return err
+	}
+
+	env := ssldsse.Envelope{}
+	if err := json.Unmarshal(payload, &env); err != nil {
+		return err
+	}
+
+	if env.PayloadType != types.IntotoPayloadType {
+		return fmt.Errorf("invalid payloadType %s on envelope. Expected %s", env.PayloadType, types.IntotoPayloadType)
+	}
+	dssev, err := ssldsse.NewEnvelopeVerifier(&dsse.VerifierAdapter{SignatureVerifier: co.SigVerifier})
+	if err != nil {
+		return err
+	}
+	_, err = dssev.Verify(&env)
+	if err != nil {
+		return err
+	}
+
+	ref, err := name.ParseReference(imageRef)
+	if err != nil {
+		return err
+	}
+	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
+	if err != nil {
+		return err
+	}
+	// Overwrite "ref" with a digest to avoid a race where we use a tag
+	// multiple times, and it potentially points to different things at
+	// each access.
+	ref = digest // nolint
+
+	att, err := static.NewAttestation(payload)
+	if err != nil {
+		return err
+	}
+
+	se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
+	if err != nil {
+		return err
+	}
+
+	newSE, err := mutate.AttachAttestationToEntity(se, att)
+	if err != nil {
+		return err
+	}
+
+	// Publish the signatures associated with this entity
+	return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...)
+}
diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go
@@ -76,3 +76,31 @@ func (o *AttachSBOMOptions) MediaType() (types.MediaType, error) {
 		return "unknown", fmt.Errorf("unknown SBOM type: %q, expected (spdx|cyclonedx|syft)", o.SBOMType)
 	}
 }
+
+// AttachAttestationOptions is the top level wrapper for the attach attestation command.
+type AttachAttestationOptions struct {
+	Key         string
+	Attestation string
+	Cert        string
+	Signature   string
+
+	SecurityKey SecurityKeyOptions
+	Rekor       RekorOptions
+	Registry    RegistryOptions
+}
+
+// AddFlags implements Interface
+func (o *AttachAttestationOptions) AddFlags(cmd *cobra.Command) {
+	o.Registry.AddFlags(cmd)
+	o.Rekor.AddFlags(cmd)
+	o.SecurityKey.AddFlags(cmd)
+
+	cmd.Flags().StringVar(&o.Key, "key", "",
+		"path to the public key file, KMS URI or Kubernetes Secret")
+
+	cmd.Flags().StringVar(&o.Cert, "cert", "",
+		"path to the public certificate")
+
+	cmd.Flags().StringVar(&o.Attestation, "attestation", "",
+		"path to the predicate")
+}
diff --git a/doc/cosign_attach.md b/doc/cosign_attach.md
diff --git a/doc/cosign_attach_attestation.md b/doc/cosign_attach_attestation.md