fix(attestation): change default to NOT download cosign outside of se…

…tup flow (#49) * fix(attestation): change default to NOT download cosign outside of setup flow * fix(attestation): ensure setup command forces download * fix(attestation): add additional user messaging * refactor(attestation): cleanup code based on feedback * fix(attestation): fix var redefinition
crashappsec · Oct 11, 2023 · 79ed303 · 79ed303
1 parent f671841
commit 79ed303
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/src/attestation.nim b/src/attestation.nim
@@ -11,7 +11,7 @@ import api, base64, chalkjson, config, httpclient, net, os, selfextract,
 const
   attestationObfuscator = staticExec(
     "dd status=none if=/dev/random bs=1 count=16 | base64").decode()
-  cosignLoader = "load_attestation_binary() -> string"
+  cosignLoader = "load_attestation_binary(bool) -> string"
   #c4mAttest    = "push_attestation(string, string, string) -> bool"
 
 var
@@ -245,9 +245,10 @@ proc loadFromSecretManager*(prkey: string, apikey: string): bool =
 
   return true
 
-proc getCosignLocation*(): string =
+proc getCosignLocation*(downloadCosign = false): string =
   once:
-    cosignLoc = unpack[string](runCallback(cosignLoader, @[]).get())
+    let args = @[pack(downloadCosign)]
+    cosignLoc = unpack[string](runCallback(cosignLoader, args).get())
 
     if cosignLoc == "":
       warn("Could not find or install cosign; cannot sign or verify.")

diff --git a/src/commands/cmd_setup.nim b/src/commands/cmd_setup.nim
@@ -23,7 +23,7 @@ proc runCmdSetup*(gen, load: bool) =
   selfChalk.addToAllChalks()
   info("Ensuring cosign is present to setup attestation.")
 
-  if getCosignLocation() == "":
+  if getCosignLocation(downloadCosign = true) == "":
     quitChalk(1)
   if load:
     # If we fall back to 'gen' we don't want attemptToLoadKeys

diff --git a/src/configs/attestation.c4m b/src/configs/attestation.c4m
@@ -19,6 +19,7 @@ func install_cosign() {
   go_path := find_exe("go", [])
 
   if go_path != "" {
+    info("Go-install'ing cosign.....")
     install_out, ok := system("go install github.com/sigstore/cosign/v2/cmd/cosign@latest")
     if ok != 0 {
       warn("unable to install attestation into $GOPATH/bin/cosign; " +
@@ -37,6 +38,7 @@ func install_cosign() {
 
   install_name := "cosign-" + host_os + "-" + host_arch
   install_url  := "https://github.com/sigstore/cosign/releases/latest/download/" + install_name
+  info("Downloading cosign.....")
   contents     := url_get(install_url)
 
   trace("Downloaded cosign.")
@@ -54,12 +56,12 @@ func install_cosign() {
   return false
 }
 
-func load_attestation_binary() {
+func load_attestation_binary(download_if_not_present: bool) {
   result             := ""
   supplemental_path  := [env("GOPATH") + "/bin", "~/go/bin", "/tmp"]
   attestation_binary := find_exe("cosign", supplemental_path)
 
-  if attestation_binary == "" {
+  if attestation_binary == "" and download_if_not_present == true {
     if install_cosign() {
       attestation_binary := find_exe("cosign", supplemental_path)
       if attestation_binary == "" {