reorg and removed code for attest-blob

cmd/cosign/cli/attest/attest.go

@@ -22,27 +22,17 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"time"
 
-	"github.com/google/go-containerregistry/pkg/name"
-	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/pkg/errors"
-
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
+	"github.com/sigstore/cosign/pkg/cosign/bundle"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
-	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
-	"github.com/sigstore/cosign/pkg/oci/mutate"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
-	"github.com/sigstore/cosign/pkg/oci/static"
 	sigs "github.com/sigstore/cosign/pkg/signature"
-	"github.com/sigstore/cosign/pkg/types"
 	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
-	"github.com/sigstore/sigstore/pkg/signature/dsse"
+	"github.com/sigstore/sigstore/pkg/signature"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -73,130 +63,28 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
 	return cbundle.EntryToBundle(entry), nil
 }
 
-//nolint
-func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
-	noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
-	// A key file or token is required unless we're in experimental mode!
-	if options.EnableExperimental() {
-		if options.NOf(ko.KeyRef, ko.Sk) > 1 {
-			return &options.KeyParseError{}
-		}
-	} else {
-		if !options.OneOf(ko.KeyRef, ko.Sk) {
-			return &options.KeyParseError{}
-		}
-	}
-
-	predicateURI, err := options.ParsePredicateType(predicateType)
-	if err != nil {
-		return err
-	}
-
-	ref, err := name.ParseReference(imageRef)
-	if err != nil {
-		return errors.Wrap(err, "parsing reference")
-	}
-
-	if timeout != 0 {
-		var cancelFn context.CancelFunc
-		ctx, cancelFn = context.WithTimeout(ctx, timeout)
-		defer cancelFn()
-	}
-
-	ociremoteOpts, err := regOpts.ClientOpts(ctx)
-	if err != nil {
-		return err
-	}
-	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
-	if err != nil {
-		return err
-	}
-	h, _ := v1.NewHash(digest.Identifier())
-	// Overwrite "ref" with a digest to avoid a race where we use a tag
-	// multiple times, and it potentially points to different things at
-	// each access.
-	ref = digest // nolint
-
-	sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko)
-	if err != nil {
-		return errors.Wrap(err, "getting signer")
-	}
-	defer sv.Close()
-	wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
-	dd := cremote.NewDupeDetector(sv)
-
-	fmt.Fprintln(os.Stderr, "Using payload from:", predicatePath)
-	predicate, err := os.Open(predicatePath)
-	if err != nil {
-		return err
-	}
-	defer predicate.Close()
+func getSignedPayload(ctx context.Context, wrapped signature.Signer, predicate *os.File, predicatePath string,
+	predicateType string, hexDigest string, repo string) ([]byte, error) {
 
 	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
 		Predicate: predicate,
 		Type:      predicateType,
-		Digest:    h.Hex,
-		Repo:      digest.Repository.String(),
+		Digest:    hexDigest,
+		Repo:      repo,
 	})
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	payload, err := json.Marshal(sh)
 	if err != nil {
-		return err
-	}
-	signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
-	if err != nil {
-		return errors.Wrap(err, "signing")
-	}
-
-	if noUpload {
-		fmt.Println(string(signedPayload))
-		return nil
-	}
-
-	opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
-	if sv.Cert != nil {
-		opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
-	}
-
-	// Check whether we should be uploading to the transparency log
-	if sign.ShouldUploadToTlog(ctx, digest, force, ko.RekorURL) {
-		bundle, err := uploadToTlog(ctx, sv, ko.RekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) {
-			return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b)
-		})
-		if err != nil {
-			return err
-		}
-		opts = append(opts, static.WithBundle(bundle))
-	}
-
-	sig, err := static.NewAttestation(signedPayload, opts...)
-	if err != nil {
-		return err
-	}
-
-	se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
-	if err != nil {
-		return err
-	}
-
-	signOpts := []mutate.SignOption{
-		mutate.WithDupeDetector(dd),
-	}
-
-	if replace {
-		ro := cremote.NewReplaceOp(predicateURI)
-		signOpts = append(signOpts, mutate.WithReplaceOp(ro))
-	}
-
-	// Attach the attestation to the entity.
-	newSE, err := mutate.AttachAttestationToEntity(se, sig, signOpts...)
-	if err != nil {
-		return err
+		return nil, err
 	}
+	return wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
+}
 
-	// Publish the attestations associated with this entity
-	return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...)
+func attest(ctx context.Context, sv *sign.SignerVerifier, signedPayload []byte, rekorURL string) (*bundle.RekorBundle, error) {
+	return uploadToTlog(ctx, sv, rekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) {
+		return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b)
+	})
 }

cmd/cosign/cli/attest/attest_blob.go

@@ -0,0 +1,115 @@
+package attest
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/pkg/types"
+	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/dsse"
+)
+
+// AttestBlobCmd implements the logic to attach attestation for a specified blob
+func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string,
+	certChainPath string, noUpload bool, predicatePath string, predicateType string, timeout time.Duration) error {
+
+	// A key file or token is required unless we're in experimental mode!
+	if options.EnableExperimental() {
+		if options.NOf(ko.KeyRef, ko.Sk) > 1 {
+			return &options.KeyParseError{}
+		}
+	} else {
+		if !options.OneOf(ko.KeyRef, ko.Sk) {
+			return &options.KeyParseError{}
+		}
+	}
+
+	var artifact []byte
+	var hexDigest string
+	var err error
+
+	if artifactHash == "" {
+		if artifactPath == "-" {
+			artifact, err = io.ReadAll(os.Stdin)
+		} else {
+			fmt.Fprintln(os.Stderr, "Using payload from:", artifactPath)
+			artifact, err = os.ReadFile(filepath.Clean(artifactPath))
+		}
+		if err != nil {
+			return err
+		} else if timeout != 0 {
+			var cancelFn context.CancelFunc
+			ctx, cancelFn = context.WithTimeout(ctx, timeout)
+			defer cancelFn()
+		}
+	}
+
+	if artifactHash == "" {
+		digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
+		if err != nil {
+			return err
+		}
+		hexDigest = strings.ToLower(hex.EncodeToString(digest))
+	} else {
+		hexDigest = artifactHash
+	}
+
+	sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko)
+	if err != nil {
+		return errors.Wrap(err, "getting signer")
+	}
+	defer sv.Close()
+	//pub, err := sv.PublicKey()
+	if err != nil {
+		return err
+	}
+
+	if timeout != 0 {
+		var cancelFn context.CancelFunc
+		ctx, cancelFn = context.WithTimeout(ctx, timeout)
+		defer cancelFn()
+	}
+
+	wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
+
+	fmt.Fprintln(os.Stderr, "Using payload from:", predicatePath)
+	predicate, err := os.Open(predicatePath)
+	if err != nil {
+		return err
+	}
+	defer predicate.Close()
+
+	base := path.Base(artifactPath)
+
+	signedPayload, err := getSignedPayload(ctx, wrapped, predicate, predicatePath, predicateType, hexDigest, base)
+	if err != nil {
+		return errors.Wrap(err, "signing")
+	}
+
+	if noUpload {
+		fmt.Println(string(signedPayload))
+		return nil
+	}
+
+	// Check whether we should be uploading to the transparency log
+	if options.EnableExperimental() {
+		fmt.Println("Uploading to Rekor")
+		_, err := attest(ctx, sv, signedPayload, ko.RekorURL)
+		if err != nil {
+			return err
+		}
+	}
+	return err
+}