From 8f243cc60ac9e95438d0a96f9d5ebfd6629b1241 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Mon, 13 Mar 2023 20:36:14 +0100
Subject: [PATCH] Add pkg/cosign.ObsoletePayload
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Miloslav Trmač
---
pkg/cosign/obsolete.go | 37 +++++++++++++++++++++++++++++++++
pkg/cosign/obsolete_test.go | 41 +++++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
create mode 100644 pkg/cosign/obsolete.go
create mode 100644 pkg/cosign/obsolete_test.go
diff --git a/pkg/cosign/obsolete.go b/pkg/cosign/obsolete.go
new file mode 100644
index 00000000000..817f05bead0
--- /dev/null
+++ b/pkg/cosign/obsolete.go
@@ -0,0 +1,37 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cosign
+
+import (
+ "context"
+
+ "github.com/google/go-containerregistry/pkg/name"
+ "github.com/sigstore/cosign/v2/internal/ui"
+ "github.com/sigstore/sigstore/pkg/signature/payload"
+)
+
+// ObsoletePayload returns the implied payload that some commands expect to match
+// the signature if no payload is provided by the user.
+// DO NOT ADD ANY NEW CALLERS OF THIS.
+func ObsoletePayload(ctx context.Context, digestedImage name.Digest) ([]byte, error) {
+ blob, err := (&payload.Cosign{Image: digestedImage}).MarshalJSON()
+ if err != nil {
+ return nil, err
+ }
+ ui.Warnf(ctx, "using obsolete implied signature payload data (with digested reference %s); specify it explicitly with --payload instead",
+ digestedImage.Name())
+ return blob, nil
+}
diff --git a/pkg/cosign/obsolete_test.go b/pkg/cosign/obsolete_test.go
new file mode 100644
index 00000000000..25d3cffa1ad
--- /dev/null
+++ b/pkg/cosign/obsolete_test.go
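Review bot: The doc comment on `ObsoletePayload` does not say that the returned bytes must stay byte-for-byte identical to what earlier releases produced; that requirement is written down only in the test file of this patch. Because a signature is checked against these exact bytes, a later change to the marshalling (field order, the `optional` field, reference normalisation) would presumably make existing signatures stop verifying, so the constraint belongs next to the code, for example `// The output must remain byte-identical across releases; existing signatures were made over it.` The all-caps caller warning could also be expressed as a `// Deprecated: pass the payload explicitly instead.` paragraph so that linters surface new callers, if flagging the existing callers is acceptable. Separately, `return nil, err` passes the marshalling error up without context; wrapping it with `fmt.Errorf("marshalling implied payload: %w", err)` would tell the user which step failed.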
@@ -0,0 +1,41 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cosign
+
+import (
+ "context"
+ "testing"
+
+ "github.com/google/go-containerregistry/pkg/name"
+ "github.com/sigstore/cosign/v2/internal/ui"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestObsoletePayload(t *testing.T) {
+ // This looks like a smoke test, but the property of generating _exactly_ the same string as previous versions is
+ // essential.
+ digestedImg, err := name.NewDigest("docker.io/namespace/image@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec")
+ require.NoError(t, err)
+ var res []byte
+ stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+ r, err := ObsoletePayload(ctx, digestedImg)
+ require.NoError(t, err)
+ res = r
+ })
+ assert.Contains(t, stderr, "obsolete implied signature payload")
+ assert.Equal(t, []byte(`{"critical":{"identity":{"docker-reference":"index.docker.io/namespace/image"},"image":{"docker-manifest-digest":"sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec"},"type":"cosign container image signature"},"optional":null}`), res)
+}
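Review bot: The expected JSON pins `index.docker.io/namespace/image` although the input reference is written as `docker.io/...`, and nothing in the test says that this registry-name normalisation (presumably done by the `name` package) is part of the format being frozen. A comment above the `assert.Equal`, such as `// docker.io is normalised to index.docker.io; that exact form is what existing signatures cover.`, would keep a later reader from "correcting" the literal. The test also exercises only a Docker Hub reference, so a second case with a non-Hub registry would pin the path where no normalisation takes place.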