Do a few more cleanups to reuse sigstore/sigstore and refactor verifi…

…cation. (#463)

This will help with attestation verification.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

cmd/cosign/cli/verify.go

@@ -118,6 +118,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 			remote.WithAuthFromKeychain(authn.DefaultKeychain),
 			remote.WithContext(ctx),
 		},
+		Suffix: cosign.SuffixSignature,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier

cmd/cosign/cli/verify_blob.go

@@ -36,6 +36,7 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/fulcio"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	rekorClient "github.com/sigstore/rekor/pkg/client"
+
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/options"
@@ -137,7 +138,7 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str
 			return err
 		}
 
-		certs, err := cosign.LoadCerts(string(pems))
+		certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pems))
 		if err != nil {
 			return err
 		}

pkg/cosign/fetch.go

@@ -60,20 +60,16 @@ func AttachedImageTag(repo name.Repository, imgDesc *remote.Descriptor, suffix s
 	return repo.Tag(tagStr)
 }
 
-func GetAttachedManifestForImage(imgDesc *remote.Descriptor, repo name.Repository, suffix string, opts ...remote.Option) (*remote.Descriptor, error) {
-	return remote.Get(AttachedImageTag(repo, imgDesc, suffix), opts...)
-}
-
 func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error) {
 	signedImgDesc, err := remote.Get(signedImgRef, opts...)
 	if err != nil {
 		return nil, err
 	}
-	return FetchSignaturesForDescriptor(ctx, signedImgDesc, sigRepo, opts...)
+	return FetchSignaturesForDescriptor(ctx, signedImgDesc, sigRepo, SuffixSignature, opts...)
 }
 
-func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, sigRepo name.Repository, opts ...remote.Option) ([]SignedPayload, error) {
-	sigImgDesc, err := GetAttachedManifestForImage(signedDescriptor, sigRepo, SuffixSignature, opts...)
+func FetchSignaturesForDescriptor(ctx context.Context, signedDescriptor *remote.Descriptor, sigRepo name.Repository, suffix string, opts ...remote.Option) ([]SignedPayload, error) {
+	sigImgDesc, err := remote.Get(AttachedImageTag(sigRepo, signedDescriptor, suffix), opts...)
 	if err != nil {
 		return nil, errors.Wrap(err, "getting signature manifest")
 	}

pkg/cosign/verify.go

@@ -179,6 +179,7 @@ type CheckOpts struct {
 	PKOpts      []signature.PublicKeyOption
 
 	RootCerts *x509.CertPool
+	Suffix    string
 }
 
 // Verify does all the main cosign checks in a loop, returning validated payloads.
@@ -198,7 +199,7 @@ func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]
 	if (sigRepo == name.Repository{}) {
 		sigRepo = signedImgRef.Context()
 	}
-	allSignatures, err := FetchSignaturesForDescriptor(ctx, signedImgDesc, sigRepo, co.RegistryClientOpts...)
+	allSignatures, err := FetchSignaturesForDescriptor(ctx, signedImgDesc, sigRepo, co.Suffix, co.RegistryClientOpts...)
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching signatures")
 	}
@@ -226,12 +227,12 @@ func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) ([]
 				validationErrs = append(validationErrs, "invalid certificate found on signature")
 				continue
 			}
-			// Now verify the signature, then the cert.
-			if err := sp.VerifySignature(pub); err != nil {
+			// Now verify the cert, then the signature.
+			if err := sp.TrustedCert(co.RootCerts); err != nil {
 				validationErrs = append(validationErrs, err.Error())
 				continue
 			}
-			if err := sp.TrustedCert(co.RootCerts); err != nil {
+			if err := sp.VerifySignature(pub); err != nil {
 				validationErrs = append(validationErrs, err.Error())
 				continue
 			}