Skip to content

Commit

Permalink
reorg and removed code for attest-blob
Browse files Browse the repository at this point in the history
Signed-off-by: pxp928 <parth.psu@gmail.com>
  • Loading branch information
pxp928 committed May 12, 2022
1 parent 8f47d1e commit 71b5264
Show file tree
Hide file tree
Showing 5 changed files with 179 additions and 194 deletions.
140 changes: 14 additions & 126 deletions cmd/cosign/cli/attest/attest.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,27 +22,17 @@ import (
"encoding/json"
"fmt"
"os"
"time"

"github.com/google/go-containerregistry/pkg/name"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/pkg/errors"

"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/cosign/attestation"
"github.com/sigstore/cosign/pkg/cosign/bundle"
cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
cremote "github.com/sigstore/cosign/pkg/cosign/remote"
"github.com/sigstore/cosign/pkg/oci/mutate"
ociremote "github.com/sigstore/cosign/pkg/oci/remote"
"github.com/sigstore/cosign/pkg/oci/static"
sigs "github.com/sigstore/cosign/pkg/signature"
"github.com/sigstore/cosign/pkg/types"
"github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/sigstore/pkg/signature/dsse"
"github.com/sigstore/sigstore/pkg/signature"
signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
)

Expand Down Expand Up @@ -73,130 +63,28 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
return cbundle.EntryToBundle(entry), nil
}

//nolint
func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
// A key file or token is required unless we're in experimental mode!
if options.EnableExperimental() {
if options.NOf(ko.KeyRef, ko.Sk) > 1 {
return &options.KeyParseError{}
}
} else {
if !options.OneOf(ko.KeyRef, ko.Sk) {
return &options.KeyParseError{}
}
}

predicateURI, err := options.ParsePredicateType(predicateType)
if err != nil {
return err
}

ref, err := name.ParseReference(imageRef)
if err != nil {
return errors.Wrap(err, "parsing reference")
}

if timeout != 0 {
var cancelFn context.CancelFunc
ctx, cancelFn = context.WithTimeout(ctx, timeout)
defer cancelFn()
}

ociremoteOpts, err := regOpts.ClientOpts(ctx)
if err != nil {
return err
}
digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
if err != nil {
return err
}
h, _ := v1.NewHash(digest.Identifier())
// Overwrite "ref" with a digest to avoid a race where we use a tag
// multiple times, and it potentially points to different things at
// each access.
ref = digest // nolint

sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko)
if err != nil {
return errors.Wrap(err, "getting signer")
}
defer sv.Close()
wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
dd := cremote.NewDupeDetector(sv)

fmt.Fprintln(os.Stderr, "Using payload from:", predicatePath)
predicate, err := os.Open(predicatePath)
if err != nil {
return err
}
defer predicate.Close()
func getSignedPayload(ctx context.Context, wrapped signature.Signer, predicate *os.File, predicatePath string,
predicateType string, hexDigest string, repo string) ([]byte, error) {

sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
Predicate: predicate,
Type: predicateType,
Digest: h.Hex,
Repo: digest.Repository.String(),
Digest: hexDigest,
Repo: repo,
})
if err != nil {
return err
return nil, err
}

payload, err := json.Marshal(sh)
if err != nil {
return err
}
signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
if err != nil {
return errors.Wrap(err, "signing")
}

if noUpload {
fmt.Println(string(signedPayload))
return nil
}

opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
if sv.Cert != nil {
opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
}

// Check whether we should be uploading to the transparency log
if sign.ShouldUploadToTlog(ctx, digest, force, ko.RekorURL) {
bundle, err := uploadToTlog(ctx, sv, ko.RekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) {
return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b)
})
if err != nil {
return err
}
opts = append(opts, static.WithBundle(bundle))
}

sig, err := static.NewAttestation(signedPayload, opts...)
if err != nil {
return err
}

se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
if err != nil {
return err
}

signOpts := []mutate.SignOption{
mutate.WithDupeDetector(dd),
}

if replace {
ro := cremote.NewReplaceOp(predicateURI)
signOpts = append(signOpts, mutate.WithReplaceOp(ro))
}

// Attach the attestation to the entity.
newSE, err := mutate.AttachAttestationToEntity(se, sig, signOpts...)
if err != nil {
return err
return nil, err
}
return wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
}

// Publish the attestations associated with this entity
return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...)
func attest(ctx context.Context, sv *sign.SignerVerifier, signedPayload []byte, rekorURL string) (*bundle.RekorBundle, error) {
return uploadToTlog(ctx, sv, rekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) {
return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b)
})
}
74 changes: 15 additions & 59 deletions cmd/cosign/cli/attest/attest_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
"context"
"crypto"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"os"
Expand All @@ -17,18 +16,14 @@ import (
"github.com/pkg/errors"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/cosign/attestation"
"github.com/sigstore/cosign/pkg/oci/static"
"github.com/sigstore/cosign/pkg/types"
"github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/dsse"
signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
)

func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string, certChainPath string, noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string,
certChainPath string, noUpload bool, predicatePath string, predicateType string, timeout time.Duration) error {

// A key file or token is required unless we're in experimental mode!
if options.EnableExperimental() {
if options.NOf(ko.KeyRef, ko.Sk) > 1 {
Expand Down Expand Up @@ -60,6 +55,16 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
}
}

if artifactHash == "" {
digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
if err != nil {
return err
}
hexDigest = strings.ToLower(hex.EncodeToString(digest))
} else {
hexDigest = artifactHash
}

sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko)
if err != nil {
return errors.Wrap(err, "getting signer")
Expand All @@ -69,31 +74,13 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
if err != nil {
return err
}
/*pem, err := cryptoutils.MarshalPublicKeyToPEM(pub)
if err != nil {
return errors.Wrap(err, "key to pem")
}*/

predicateURI, err := options.ParsePredicateType(predicateType)
if err != nil {
return err
}

if timeout != 0 {
var cancelFn context.CancelFunc
ctx, cancelFn = context.WithTimeout(ctx, timeout)
defer cancelFn()
}

if artifactHash == "" {
digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
if err != nil {
return err
}
hexDigest = strings.ToLower(hex.EncodeToString(digest))
} else {
hexDigest = artifactHash
}
wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)

fmt.Fprintln(os.Stderr, "Using payload from:", predicatePath)
Expand All @@ -105,21 +92,7 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,

base := path.Base(artifactPath)

sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
Predicate: predicate,
Type: predicateType,
Digest: hexDigest,
Repo: base,
})
if err != nil {
return err
}

payload, err := json.Marshal(sh)
if err != nil {
return err
}
signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
signedPayload, err := getSignedPayload(ctx, wrapped, predicate, predicatePath, predicateType, hexDigest, base)
if err != nil {
return errors.Wrap(err, "signing")
}
Expand All @@ -129,30 +102,13 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
return nil
}

opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
if sv.Cert != nil {
opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
}

// Check whether we should be uploading to the transparency log
if options.EnableExperimental() {
fmt.Println("Uploading to Rekor")
/*r, err := rc.GetRekorClient(ko.RekorURL)
if err != nil {
return err
}*/
_, err := uploadToTlog(ctx, sv, ko.RekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) {
return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b)
})
_, err := attest(ctx, sv, signedPayload, ko.RekorURL)
if err != nil {
return err
}
/*l, err := cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, pem)
if err != nil {
return err
}*/

//fmt.Fprintln(os.Stderr, "Log id:", *bundle.LogIndex)
}
return err
}
Loading

0 comments on commit 71b5264

Please sign in to comment.