Fix signature for attest-blob
Signed-off-by: Zach Steindler <[email protected]>
steiza committed Jul 22, 2024
1 parent 31ce56b commit f78e262
Showing 1 changed file with 22 additions and 6 deletions.
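--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -32,6 +32,7 @@ import (
 "time"
 
 "github.com/pkg/errors"
+"github.com/secure-systems-lab/go-securesystemslib/dsse"
 "google.golang.org/protobuf/encoding/protojson"
 
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
@@ -48,7 +49,7 @@ import (
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
-"github.com/sigstore/sigstore/pkg/signature/dsse"
+sigstoredsse "github.com/sigstore/sigstore/pkg/signature/dsse"
 signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -135,7 +136,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 return fmt.Errorf("getting signer: %w", err)
 }
 defer sv.Close()
-wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
+wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType)
 
 base := path.Base(artifactPath)
 
@@ -217,7 +218,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 if c.BundlePath != "" {
 var contents []byte
 if c.NewBundleFormat {
-contents, err = makeNewBundle(sv, rekorEntry, payload, sig, signer, timestampBytes, c.PredicateType)
+contents, err = makeNewBundle(sv, rekorEntry, payload, sig, signer, timestampBytes)
 if err != nil {
 return err
 }
@@ -279,7 +280,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 return nil
 }
 
-func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte, payloadType string) ([]byte, error) {
+func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
 // Determine if signature is certificate or not
 var hint string
 var rawCert []byte
@@ -305,13 +306,28 @@ func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, pay
 return nil, err
 }
 
+var envelope dsse.Envelope
+err = json.Unmarshal(sig, &envelope)
+if err != nil {
+return nil, err
+}
+
+if len(envelope.Signatures) == 0 {
+return nil, fmt.Errorf("no signature in DSSE envelope")
+}
+
+sigBytes, err := base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig)
+if err != nil {
+return nil, err
+}
+
 bundle.Content = &protobundle.Bundle_DsseEnvelope{
 DsseEnvelope: &protodsse.Envelope{
 Payload: payload,
-PayloadType: payloadType,
+PayloadType: envelope.PayloadType,
 Signatures: []*protodsse.Signature{
 {
-Sig: sig,
+Sig: sigBytes,
 },
 },
 },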
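Review bot: The new lines in makeNewBundle take the payload type and only the first signature from the DSSE envelope parsed out of `sig`, while the bundle's payload still comes from the separate `payload` argument (`Payload: payload,`), so nothing checks that the signature written into the bundle was actually made over that payload, and any signature after `envelope.Signatures[0]` (together with its key id) is silently dropped. Since the envelope is already unmarshalled, decode `envelope.Payload`, fail on a mismatch with `payload`, and copy every signature into the bundle; the bare `return nil, err` after `json.Unmarshal` and `DecodeString` would also be easier to diagnose wrapped with `%w` as the other errors in this file are. The rewrite below assumes `protodsse.Signature` exposes the key id as `Keyid` and needs the `bytes` package in scope — confirm both against the generated type and the file's imports. makeNewBundle's signature is in the previous hunk and its body continues past the end of this one.
```go
	var envelope dsse.Envelope
	if err := json.Unmarshal(sig, &envelope); err != nil {
		return nil, fmt.Errorf("unmarshalling DSSE envelope: %w", err)
	}
	if len(envelope.Signatures) == 0 {
		return nil, fmt.Errorf("no signature in DSSE envelope")
	}

	// The bundle's payload is supplied by the caller; make sure it is the
	// payload the envelope was signed over, or the bundle will not verify.
	envPayload, err := base64.StdEncoding.DecodeString(envelope.Payload)
	if err != nil {
		return nil, fmt.Errorf("decoding DSSE payload: %w", err)
	}
	if !bytes.Equal(envPayload, payload) {
		return nil, fmt.Errorf("DSSE envelope payload does not match attestation payload")
	}

	// Carry every signature (and its key hint) into the bundle, not only the first.
	sigs := make([]*protodsse.Signature, 0, len(envelope.Signatures))
	for _, s := range envelope.Signatures {
		sigBytes, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return nil, fmt.Errorf("decoding DSSE signature: %w", err)
		}
		sigs = append(sigs, &protodsse.Signature{Sig: sigBytes, Keyid: s.KeyID})
	}

	bundle.Content = &protobundle.Bundle_DsseEnvelope{
		DsseEnvelope: &protodsse.Envelope{
			Payload:     payload,
			PayloadType: envelope.PayloadType,
			Signatures:  sigs,
		},
	}
	// … unchanged: remainder of makeNewBundle …
```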
