feat: cosign sign

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
containerd · Nov 23, 2021 · 50c15a1 · 50c15a1
1 parent 87a1a5d
commit 50c15a1
Show file tree

Hide file tree

Showing 3 changed files with 1,256 additions and 0 deletions.
diff --git a/cmd/nerdctl/push.go b/cmd/nerdctl/push.go
@@ -20,6 +20,9 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	cosignOptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	fulcioclient "github.com/sigstore/fulcio/pkg/client"
 	"io"
 
 	"github.com/containerd/containerd/content"
@@ -61,6 +64,11 @@ func newPushCommand() *cobra.Command {
 	pushCommand.Flags().Bool("estargz", false, "Convert the image into eStargz")
 	pushCommand.Flags().Bool("ipfs-ensure-image", true, "Ensure the entire contents of the image is locally available before push")
 
+	pushCommand.Flags().Bool("sign", false, "Allow signing images right after built them")
+
+	pushCommand.Flags().String("cosign-key", "",
+		"path to the private key file, KMS URI or Kubernetes Secret")
+
 	return pushCommand
 }
 
@@ -187,6 +195,32 @@ func pushAction(cmd *cobra.Command, args []string) error {
 			return err
 		}
 	}
+
+	if isSign, err := cmd.Flags().GetBool("sign"); err == nil && isSign {
+		keyRef, err := cmd.Flags().GetString("cosign-key")
+		if err != nil {
+			return err
+		}
+
+		ko := sign.KeyOpts{
+			KeyRef:       keyRef,
+			FulcioURL:    fulcioclient.SigstorePublicServerURL,
+			RekorURL:     "https://rekor.sigstore.dev",
+			OIDCIssuer:   "https://oauth2.sigstore.dev/auth",
+			OIDCClientID: "sigstore",
+		}
+
+		ro := cosignOptions.RegistryOptions{}
+
+		fmt.Println("rawRef", rawRef)
+
+		err = sign.SignCmd(cmd.Context(), ko, ro, nil, []string{rawRef}, "", true, "", false, false, "")
+
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 

diff --git a/go.mod b/go.mod
@@ -38,10 +38,16 @@ require (
 	github.com/opencontainers/image-spec v1.0.2-0.20211102003311-9a7a9876500e
 	github.com/opencontainers/runtime-spec v1.0.3-0.20211101234015-a3c33d663ebc
 	github.com/rootless-containers/rootlesskit v0.14.6
+	github.com/sigstore/cosign v1.3.1
+	github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/tidwall/gjson v1.11.0
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.24.0 // indirect
+	go.opentelemetry.io/otel v1.2.0 // indirect
+	go.opentelemetry.io/otel/internal/metric v0.25.0 // indirect
 	golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20211117180635-dee7805ff2e1