feat: add support attaching a Rekor bundle to a container #3246

Merged
merged 14 commits into from
Oct 17, 2023
2 changes: 1 addition & 1 deletion cmd/cosign/cli/attach.go
Expand Up @@ -49,7 +49,7 @@ func attachSignature() *cobra.Command {
PersistentPreRun: options.BindViper,
Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
return attach.SignatureCmd(cmd.Context(), o.Registry, o.Signature, o.Payload, o.Cert, o.CertChain, o.TimeStampedSig, args[0])
return attach.SignatureCmd(cmd.Context(), o.Registry, o.Signature, o.Payload, o.Cert, o.CertChain, o.TimeStampedSig, o.RekorBundle, args[0])
},
}

19 changes: 16 additions & 3 deletions cmd/cosign/cli/attach/sig.go
Expand Up @@ -31,7 +31,7 @@ import (
"github.com/sigstore/cosign/v2/pkg/oci/static"
)

func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, timeStampedSigRef, imageRef string) error {
func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, timeStampedSigRef, rekorBundleRef, imageRef string) error {
b64SigBytes, err := signatureBytes(sigRef)
if err != nil {
return err
Expand Down Expand Up @@ -74,6 +74,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
var cert []byte
var certChain []byte
var timeStampedSig []byte
var rekorBundle *bundle.RekorBundle

if certRef != "" {
cert, err = os.ReadFile(filepath.Clean(certRef))
Expand All @@ -95,9 +96,21 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
return err
}
}
bundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig)
TSBundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig)
lowercase variable, so tsBundle


newSig, err := mutate.Signature(sig, mutate.WithCertChain(cert, certChain), mutate.WithRFC3161Timestamp(bundle))
if rekorBundleRef != "" {
rekorBundleByte, err := os.ReadFile(filepath.Clean(rekorBundleRef))
if err != nil {
return err
}

rekorBundle, err = bundle.BytesToRekorBundle(rekorBundleByte)
if err != nil {
return err
}
}

newSig, err := mutate.Signature(sig, mutate.WithCertChain(cert, certChain), mutate.WithRFC3161Timestamp(TSBundle), mutate.WithBundle(rekorBundle))
if err != nil {
return err
}
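Review bot: The Rekor bundle read inside `if rekorBundleRef != ""` declares a fresh `err` with `:=`, so `rekorBundle, err = bundle.BytesToRekorBundle(rekorBundleByte)` writes the outer `rekorBundle` but the shadowed `err`; it works because both checks sit inside the block, but it diverges from the sibling cert, chain and TSR reads, which assign into pre-declared variables with `=`. Consider `var rekorBundleBytes []byte` next to the other declarations and `rekorBundleBytes, err = os.ReadFile(filepath.Clean(rekorBundleRef))`. Note also that when the flag is absent, `mutate.WithBundle(rekorBundle)` receives a nil pointer unconditionally, which is fine only if WithBundle treats nil as a no-op — the hunk does not show that. The bundle is attached after JSON decoding alone, leaving any check that it belongs to this signature and payload to verification time; if that is intentional, a one-line comment saying so would help the next reader. SignatureCmd continues outside the hunk.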
3 changes: 3 additions & 0 deletions cmd/cosign/cli/options/attach.go
Expand Up @@ -32,6 +32,7 @@ type AttachSignatureOptions struct {
Cert string
CertChain string
TimeStampedSig string
RekorBundle string
Registry RegistryOptions
}

Expand All @@ -57,6 +58,8 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
"signing certificate and end with the root certificate. Included in the OCI Signature")
cmd.Flags().StringVar(&o.TimeStampedSig, "tsr", "",
"path to the Time Stamped Signature Response from RFC3161 compliant TSA")
cmd.Flags().StringVar(&o.RekorBundle, "rekor", "",
Can we name the flag rekor-response? This helps us to distinguish from the upcoming "sigstore bundle" format we plan to integrate.

Hi, what is the sigstore bundle 👀

https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto - sigstore-go and other newer clients use this rather than have separate outputs for cert, sig, rekor, etc

"path to the rekor bundle")
}

// AttachSBOMOptions is the top level wrapper for the attach sbom command.
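Review bot: The help text `"path to the rekor bundle"` is thinner than its siblings, which say what the input is and that it ends up in the OCI Signature; given that cosign has more than one bundle-like output, a user is likely to wonder which file is meant. Suggest `"path to the Rekor bundle JSON recorded for this signature in the transparency log. Included in the OCI Signature"`. AddFlags continues outside the hunk.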
1 change: 1 addition & 0 deletions doc/cosign_attach_signature.md

17 changes: 16 additions & 1 deletion pkg/cosign/bundle/rekor.go
Expand Up @@ -14,7 +14,12 @@

package bundle

import "github.com/sigstore/rekor/pkg/generated/models"
import (
"encoding/json"
"fmt"

"github.com/sigstore/rekor/pkg/generated/models"
)

// RekorBundle holds metadata about recording a Signature's ephemeral key to
// a Rekor transparency log.
Expand Down Expand Up @@ -44,3 +49,13 @@ func EntryToBundle(entry *models.LogEntryAnon) *RekorBundle {
},
}
}

func BytesToRekorBundle(data []byte) (*RekorBundle, error) {
var rekorBundle RekorBundle
err := json.Unmarshal(data, &rekorBundle)
if err != nil {
return nil, fmt.Errorf("invalid rekor bundle provided: %w", err)
}

return &rekorBundle, nil
}
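Review bot: BytesToRekorBundle is exported without a doc comment, and `json.Unmarshal` accepts any JSON object here, so a document of a different shape (say, a wrapper object that merely contains a rekor bundle field) decodes to a zero-valued RekorBundle with no error and is then attached to the image as if it were a real log entry. Decoding through a `json.Decoder` with `DisallowUnknownFields` rejects the wrong shape up front, and a check that the result is not zero-valued would close the remaining gap; the field to check is not in this hunk, so it is left as a placeholder below. Suggested doc comment: `// BytesToRekorBundle decodes a JSON-encoded RekorBundle, rejecting unknown fields so that a document of another shape is not silently accepted as an empty bundle.` The rewrite needs `"bytes"` added to the import block.
```go
func BytesToRekorBundle(data []byte) (*RekorBundle, error) {
	var rekorBundle RekorBundle
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&rekorBundle); err != nil {
		return nil, fmt.Errorf("invalid rekor bundle provided: %w", err)
	}
	// … reject a zero-valued bundle here (check the required fields of RekorBundle) …
	return &rekorBundle, nil
}
```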
4 changes: 2 additions & 2 deletions test/e2e_test.go
Expand Up @@ -908,7 +908,7 @@ func TestAttachWithRFC3161Timestamp(t *testing.T) {
rfc3161TSRef := mkfile(string(tsBytes), td, t)

// Upload it!
err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, rfc3161TSRef, imgName)
err = attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadref, pemleafRef, certchainRef, rfc3161TSRef, "", imgName)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -1598,7 +1598,7 @@ func TestUploadDownload(t *testing.T) {
sigRef = signature
}
// Upload it!
err := attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadPath, "", "", "", imgName)
err := attach.SignatureCmd(ctx, options.RegistryOptions{}, sigRef, payloadPath, "", "", "", "", imgName)
if testCase.expectedErr {
mustErr(err, t)
} else {
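Review bot: Both updated call sites pass `""` for the new rekorBundleRef argument, so nothing in this file exercises attaching a Rekor bundle or the error path for a missing or malformed bundle file. A case beside TestAttachWithRFC3161Timestamp that writes a bundle with mkfile, calls attach.SignatureCmd with its path, and checks that the attached signature carries it would cover the feature end to end. Both enclosing test functions continue outside their hunks.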