Commit
Require the payload to be provided for (cosign signature attach)
The signature signs the payload; it makes no sense for the user
to provide the signature but not the payload - it would effectively
force cosign to generate a byte-for-byte identical (and, currently,
undesirable) payload forever.

Signed-off-by: Miloslav Trmač <[email protected]>
mtrmac committed Mar 11, 2023
1 parent 1711e09 commit fd1701c
Showing 5 changed files with 9 additions and 12 deletions.
4 changes: 2 additions & 2 deletions EXAMPLES.md
Expand Up @@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
$ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
$ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
# We have to base64 encode the signature
$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
```

Now (on another machine) download the public key, payload, signatures and verify it!
Expand Down Expand Up @@ -71,7 +71,7 @@ $ aws kms sign --key-id $AWS_CMK_ID \
--output text \
--query Signature > payload.sig

$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig)
$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json
```

Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`!
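Review bot: `--signature $(< payload.sig)` on the changed line passes the file's contents rather than its path, while the `--signature` flag is documented in cmd/cosign/cli/options/attach.go as `path to the signature, or {-} for stdin`; unless the flag also accepts an inline value, this example should read `--signature payload.sig --payload payload.json`. It is also worth confirming that the `aws kms sign` step above this hunk reads from `payload.json`, since that file is referenced here but not created in the visible context.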
6 changes: 3 additions & 3 deletions USAGE.md
Expand Up @@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl...

## Upload a generated signature

The signature is passed via the `--signature` flag.
The signature is passed via the `--signature` and `--payload` flags.
It can be a file:

```shell
$ cosign attach signature --signature file.sig $IMAGE_DIGEST
$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST
Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
```

or, `-` for stdin for chaining from other commands:

```shell
$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST
$ | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST
Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig
```

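Review bot: The rewritten pipeline on the `+` line of the second block now starts with `$ | openssl...`; dropping `cosign generate $IMAGE_DIGEST` leaves `openssl` with no input, and `--payload ...` is a placeholder a reader cannot run. Since the same payload file has to be both signed and attached, suggest splitting the example: `$ cosign generate $IMAGE_DIGEST > payload.json` followed by `$ openssl ... < payload.json | cosign attach signature --signature - --payload payload.json $IMAGE_DIGEST`. Two smaller points in the same hunk: `It can be a file:` now follows a sentence naming two flags, so `The signature can be a file:` would be unambiguous, and the digest in the second `Pushing signature to:` line is one hex digit shorter than in the first (`...def.sig` vs `...def8.sig`).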
7 changes: 2 additions & 5 deletions cmd/cosign/cli/attach/sig.go
Expand Up @@ -28,7 +28,6 @@ import (
"github.com/sigstore/cosign/v2/pkg/oci/mutate"
ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
"github.com/sigstore/cosign/v2/pkg/oci/static"
sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
)

func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error {
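Review bot: Dropping the `sigPayload` import is correct once the generated-payload branch is gone, but `errors.New` is introduced further down in this file and `errors` does not appear among the visible import lines; confirm it is already imported above this hunk, otherwise the package no longer compiles.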
Expand Down Expand Up @@ -56,12 +55,10 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
// each access.
ref = digest // nolint

var payload []byte
if payloadRef == "" {
payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON()
} else {
payload, err = os.ReadFile(filepath.Clean(payloadRef))
return errors.New("payload not provided")
}
payload, err := os.ReadFile(filepath.Clean(payloadRef))
if err != nil {
return err
}
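Review bot: The new `payloadRef == ""` check sits after the image reference has already been resolved to a digest (`ref = digest` in the context lines), so a caller who forgets `--payload` only learns of it after a registry round-trip; moving the check to the top of `SignatureCmd`, before any network access, fails fast. The message `payload not provided` would also be more actionable if it named the flag, e.g. `errors.New("--payload is required: the signature covers a specific payload")`. `payload, err := os.ReadFile(...)` is fine as written since `payload` is new in this scope even though `err` already exists.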
2 changes: 1 addition & 1 deletion cmd/cosign/cli/options/attach.go
Expand Up @@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
"path to the signature, or {-} for stdin")

cmd.Flags().StringVar(&o.Payload, "payload", "",
"path to the payload covered by the signature (if using another format)")
"path to the payload covered by the signature")

cmd.Flags().StringVar(&o.Cert, "certificate", "",
"path to the X.509 certificate in PEM format to include in the OCI Signature")
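Review bot: Since `--payload` is now mandatory, consider calling `cmd.MarkFlagRequired("payload")` right after the `StringVar` registration so cobra rejects a missing flag with its standard `required flag(s) "payload" not set` error before `SignatureCmd` runs; the help string could then also end with `(required)` so the change in contract is visible in `--help`.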
2 changes: 1 addition & 1 deletion doc/cosign_attach_signature.md
0 comments on commit fd1701c