Skip to content

Commit

Permalink
Use sigstore-go v0.5.1 for cert issuer regex support
Browse files Browse the repository at this point in the history
Signed-off-by: Zach Steindler <[email protected]>
  • Loading branch information
steiza committed Jul 25, 2024
1 parent cd8d985 commit cad0dde
Show file tree
Hide file tree
Showing 3 changed files with 12 additions and 12 deletions.
12 changes: 6 additions & 6 deletions cmd/cosign/cli/verify/verify_bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,6 @@ func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstra
}

func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, slot, certOIDCIssuer, certOIDCIssuerRegex, certIdentity, certIdentityRegexp, githubWorkflowTrigger, githubWorkflowSHA, githubWorkflowName, githubWorkflowRepository, githubWorkflowRef, artifactRef string, sk, ignoreTlog, useSignedTimestamps, ignoreSCT bool) error {
if certOIDCIssuerRegex != "" {
return fmt.Errorf("--new-bundle-format does not support --certificate-oidc-issuer-regexp")
}

bundle, err := sgbundle.LoadJSONFromPath(bundlePath)
if err != nil {
return err
Expand Down Expand Up @@ -110,16 +106,20 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s
return err
}

issuerMatcher, err := verify.NewIssuerMatcher(certOIDCIssuer, certOIDCIssuerRegex)
if err != nil {
return err
}

extensions := certificate.Extensions{
Issuer: certOIDCIssuer,
GithubWorkflowTrigger: githubWorkflowTrigger,
GithubWorkflowSHA: githubWorkflowSHA,
GithubWorkflowName: githubWorkflowName,
GithubWorkflowRepository: githubWorkflowRepository,
GithubWorkflowRef: githubWorkflowRef,
}

certIdentity, err := verify.NewCertificateIdentity(sanMatcher, extensions)
certIdentity, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
if err != nil {
return err
}
Expand Down
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ require (
github.com/sigstore/protobuf-specs v0.3.2
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.7
github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac
github.com/sigstore/sigstore-go v0.5.1
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7
Expand Down Expand Up @@ -241,7 +241,7 @@ require (
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tjfoc/gmsm v1.4.1 // indirect
github.com/urfave/negroni v1.0.0 // indirect
Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -616,8 +616,8 @@ github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg=
github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA=
github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac h1:mmxLGVL45EZKNfB6p0wCPTxv4/ne4U4UbquDwMrQhXk=
github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac/go.mod h1:ZPJJCwEBIl3ofcA/p/EawAA/I0WMU93DWZhHf98wbak=
github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7 h1:SoahswHQm2JhO8h3KTAeX8IZeE7mSR2Lc53ay5choes=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7/go.mod h1:TOVOPOqldrrz4dP7x4/0DFQTs9QSXZUoHu21+JHmixA=
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7 h1:jcdKxc5bvwfL7+ZbeCszaN/qsBd6180fGAHxeX5Ckm0=
Expand Down Expand Up @@ -678,8 +678,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 h1:AH/4455EGJqYHx6KcrWJ9Bv/h9xae+SP5EGgmmbQBSA=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
Expand Down

0 comments on commit cad0dde

Please sign in to comment.