From fd1701c42a079e94b84f72bc1ce3dfb0b05bf929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Tue, 28 Feb 2023 18:39:58 +0100
Subject: [PATCH] Require the payload to be provided for (cosign signature attach)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The signature signs the payload; it makes no sense for the user to provide the signature but not the payload - it would effectively force cosign to generate a byte-for-byte identical (and, currently, undesirable) payload forever.

Signed-off-by: Miloslav Trmač
---
 EXAMPLES.md | 4 ++--
 USAGE.md | 6 +++---
 cmd/cosign/cli/attach/sig.go | 7 ++-----
 cmd/cosign/cli/options/attach.go | 2 +-
 doc/cosign_attach_signature.md | 2 +-
 5 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 1c5ad9b5daa9..ea2a1c1f349a 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
 $ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
 $ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
 # We have to base64 encode the signature
-$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
+$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
 ```
 
 Now (on another machine) download the public key, payload, signatures and verify it!
@@ -71,7 +71,7 @@ $ aws kms sign --key-id $AWS_CMK_ID \
 --output text \
 --query Signature > payload.sig
 
-$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig)
+$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json
 ```
 
 Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`!
diff --git a/USAGE.md b/USAGE.md
index e58d12951614..7a593849ceff 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl...
 
 ## Upload a generated signature
 
-The signature is passed via the `--signature` flag.
+The signature is passed via the `--signature` and `--payload` flags.
 It can be a file:
 
 ```shell
-$ cosign attach signature --signature file.sig $IMAGE_DIGEST
+$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST
 Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
 ```
 
 or, `-` for stdin for chaining from other commands:
 
 ```shell
-$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST
+$ … | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST
 Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig
 ```
 
diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go
index aa0d2f5acbfe..31c375440f7c 100644
--- a/cmd/cosign/cli/attach/sig.go
+++ b/cmd/cosign/cli/attach/sig.go
@@ -28,7 +28,6 @@ import (
 "github.com/sigstore/cosign/v2/pkg/oci/mutate"
 ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 "github.com/sigstore/cosign/v2/pkg/oci/static"
-sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 )
 
 func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error {
@@ -56,12 +55,10 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
 // each access.
 ref = digest // nolint
 
-var payload []byte
 if payloadRef == "" {
-payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON()
-} else {
-payload, err = os.ReadFile(filepath.Clean(payloadRef))
+return errors.New("payload not provided")
 }
+payload, err := os.ReadFile(filepath.Clean(payloadRef))
 if err != nil {
 return err
 }
diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go
index 8eaa4cf281ff..5c02663516cf 100644
--- a/cmd/cosign/cli/options/attach.go
+++ b/cmd/cosign/cli/options/attach.go
@@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
 "path to the signature, or {-} for stdin")
 
 cmd.Flags().StringVar(&o.Payload, "payload", "",
-"path to the payload covered by the signature (if using another format)")
+"path to the payload covered by the signature")
 
 cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the X.509 certificate in PEM format to include in the OCI Signature")
diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md
index bbe863666727..861a142e578f 100644
--- a/doc/cosign_attach_signature.md
+++ b/doc/cosign_attach_signature.md
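Review bot: The new guard in the second sig.go hunk only rejects an empty payloadRef; nothing in the hunk checks that the bytes read on the following `payload, err := os.ReadFile(...)` line are a cosign payload that references `digest`, so a stale or mismatched payload file is pushed to the registry and the problem would presumably only surface when someone runs verification. Since the commit's rationale is that the signature signs the payload, a cheap fail-fast here would be to decode the bytes into the cosign payload type (the `sigPayload` import removed in the first hunk provided it) and compare its image digest against `digest` before the push — if the remainder of SignatureCmd already does this, disregard. The error text could also name the flag the user needs, e.g. `return errors.New("payload not provided, use --payload")`. The new line needs `errors` to be imported; the import hunk shows only the tail of the block, so I cannot confirm that from here. SignatureCmd's body continues outside both hunks.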
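Review bot: The `--payload` flag is now mandatory (sig.go returns an error when it is empty), but the shortened help text in the attach.go hunk still reads like an optional flag; consider `"path to the payload covered by the signature (required)"` so `--help` and the generated doc/cosign_attach_signature.md reflect the new contract. If AttachSignatureOptions.AddFlags is only wired to the attach signature subcommand, marking it at the cobra level with `_ = cmd.MarkFlagRequired("payload")` after the StringVar would report the usage error before any registry access is attempted. AddFlags continues outside the hunk.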
@@ -22,7 +22,7 @@ cosign attach signature [flags]
 --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
 -h, --help help for signature
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
- --payload string path to the payload covered by the signature (if using another format)
+ --payload string path to the payload covered by the signature
 --signature string path to the signature, or {-} for stdin
 ```
 