Use sigstore-go v0.5.1 for cert issuer regex support

Signed-off-by: Zach Steindler <steiza@github.com>
sigstore · Jul 25, 2024 · cad0dde · cad0dde
1 parent cd8d985
commit cad0dde
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 12 deletions.
diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go
@@ -40,10 +40,6 @@ func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstra
 }
 
 func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, slot, certOIDCIssuer, certOIDCIssuerRegex, certIdentity, certIdentityRegexp, githubWorkflowTrigger, githubWorkflowSHA, githubWorkflowName, githubWorkflowRepository, githubWorkflowRef, artifactRef string, sk, ignoreTlog, useSignedTimestamps, ignoreSCT bool) error {
-	if certOIDCIssuerRegex != "" {
-		return fmt.Errorf("--new-bundle-format does not support --certificate-oidc-issuer-regexp")
-	}
-
 	bundle, err := sgbundle.LoadJSONFromPath(bundlePath)
 	if err != nil {
 		return err
@@ -110,16 +106,20 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s
 			return err
 		}
 
+		issuerMatcher, err := verify.NewIssuerMatcher(certOIDCIssuer, certOIDCIssuerRegex)
+		if err != nil {
+			return err
+		}
+
 		extensions := certificate.Extensions{
-			Issuer:                   certOIDCIssuer,
 			GithubWorkflowTrigger:    githubWorkflowTrigger,
 			GithubWorkflowSHA:        githubWorkflowSHA,
 			GithubWorkflowName:       githubWorkflowName,
 			GithubWorkflowRepository: githubWorkflowRepository,
 			GithubWorkflowRef:        githubWorkflowRef,
 		}
 
-		certIdentity, err := verify.NewCertificateIdentity(sanMatcher, extensions)
+		certIdentity, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 		if err != nil {
 			return err
 		}

diff --git a/go.mod b/go.mod
@@ -35,7 +35,7 @@ require (
 	github.com/sigstore/protobuf-specs v0.3.2
 	github.com/sigstore/rekor v1.3.6
 	github.com/sigstore/sigstore v1.8.7
-	github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac
+	github.com/sigstore/sigstore-go v0.5.1
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.7
@@ -241,7 +241,7 @@ require (
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/urfave/negroni v1.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -616,8 +616,8 @@ github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
 github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg=
 github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA=
-github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac h1:mmxLGVL45EZKNfB6p0wCPTxv4/ne4U4UbquDwMrQhXk=
-github.com/sigstore/sigstore-go v0.4.1-0.20240717174219-8554eb6de5ac/go.mod h1:ZPJJCwEBIl3ofcA/p/EawAA/I0WMU93DWZhHf98wbak=
+github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
+github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7 h1:SoahswHQm2JhO8h3KTAeX8IZeE7mSR2Lc53ay5choes=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.7/go.mod h1:TOVOPOqldrrz4dP7x4/0DFQTs9QSXZUoHu21+JHmixA=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.7 h1:jcdKxc5bvwfL7+ZbeCszaN/qsBd6180fGAHxeX5Ckm0=
@@ -678,8 +678,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 h1:AH/4455EGJqYHx6KcrWJ9Bv/h9xae+SP5EGgmmbQBSA=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
+github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
+github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=