Skip to content

Commit

Permalink
Warn if the payload is not provided for (cosign signature attach)
Browse files Browse the repository at this point in the history
The signature signs the payload; it makes no sense for the user
to provide the signature but not the payload - it would effectively
force cosign to generate a byte-for-byte identical (and, currently,
undesirable) payload forever.

Still, for compatibility, continue to accept such invocations,
but trigger a warning.

Signed-off-by: Miloslav Trmač <[email protected]>
  • Loading branch information
mtrmac committed Mar 30, 2023
1 parent 8f243cc commit cc5c8e2
Show file tree
Hide file tree
Showing 5 changed files with 9 additions and 9 deletions.
4 changes: 2 additions & 2 deletions EXAMPLES.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
# We have to base64 encode the signature
$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload, signatures and verify it!
Expand Down Expand Up @@ -71,7 +71,7 @@ $ aws kms sign --key-id $AWS_CMK_ID \
--output text \
--query Signature > payload.sig

$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig)
$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json
```

Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`!
Expand Down
6 changes: 3 additions & 3 deletions USAGE.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl...

## Upload a generated signature

The signature is passed via the `--signature` flag.
The signature is passed via the `--signature` and `--payload` flags.
It can be a file:

```shell
$ cosign attach signature --signature file.sig $IMAGE_DIGEST
$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST
Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
```

or, `-` for stdin for chaining from other commands:

```shell
$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST
$ | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST
Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig
```

Expand Down
4 changes: 2 additions & 2 deletions cmd/cosign/cli/attach/sig.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,10 @@ import (
"github.com/google/go-containerregistry/pkg/name"

"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
"github.com/sigstore/cosign/v2/pkg/cosign"
"github.com/sigstore/cosign/v2/pkg/oci/mutate"
ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
"github.com/sigstore/cosign/v2/pkg/oci/static"
sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
)

func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error {
Expand Down Expand Up @@ -58,7 +58,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,

var payload []byte
if payloadRef == "" {
payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON()
payload, err = cosign.ObsoletePayload(ctx, digest)
} else {
payload, err = os.ReadFile(filepath.Clean(payloadRef))
}
Expand Down
2 changes: 1 addition & 1 deletion cmd/cosign/cli/options/attach.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
"path to the signature, or {-} for stdin")

cmd.Flags().StringVar(&o.Payload, "payload", "",
"path to the payload covered by the signature (if using another format)")
"path to the payload covered by the signature")

cmd.Flags().StringVar(&o.Cert, "certificate", "",
"path to the X.509 certificate in PEM format to include in the OCI Signature")
Expand Down
2 changes: 1 addition & 1 deletion doc/cosign_attach_signature.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit cc5c8e2

Please sign in to comment.