From c817439e62878788f0b628ad08a8ce20ac5e0579 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Wed, 3 Jan 2024 19:39:42 -0600 Subject: [PATCH] feat: Add cosign registry opts for provenance registry (#729) triggered on specification of COSIGN_REPOSITORY env --------- Signed-off-by: saisatishkarra Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: Ramon Petgrave
---
 verifiers/internal/gha/verifier.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index bd0082278..62b0cb1cf 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -19,6 +19,8 @@ import (
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils/container"
+
+ ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 )
 
 const VerifierName = "GHA"
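Review bot: The added `ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"` import is placed in its own group after the project's own `github.com/slsa-framework/slsa-verifier/...` imports, whereas the usual ordering is standard library, then external modules, then the project's own packages. It should be moved up into the external-module group, presumably alongside the existing cosign imports that `cosign.CheckOpts` already relies on; the top of the import block is outside this hunk, so that group is not visible here. gofmt does not reorder across blank-line-separated groups, so the stray group will persist until moved by hand or by goimports.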
@@ -252,11 +254,27 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 if err != nil {
 return nil, nil, err
 }
+
+ // Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
+ provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
+ if err != nil {
+ return nil, nil, err
+ }
+
+ registryClientOpts := []ociremote.Option{}
+
+ // Append target repository to OCI Registry opts
+ // Must be authenticated against the specified target repository externally
+ if provenanceTargetRepository.Name() != "" {
+ registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
+ }
+
 opts := &cosign.CheckOpts{
- RootCerts: trustedRoot.FulcioRoot,
- IntermediateCerts: trustedRoot.FulcioIntermediates,
- RekorPubKeys: trustedRoot.RekorPubKeys,
- CTLogPubKeys: trustedRoot.CTPubKeys,
+ RegistryClientOpts: registryClientOpts,
+ RootCerts: trustedRoot.FulcioRoot,
+ IntermediateCerts: trustedRoot.FulcioIntermediates,
+ RekorPubKeys: trustedRoot.RekorPubKeys,
+ CTLogPubKeys: trustedRoot.CTPubKeys,
 }
 atts, _, err := container.RunCosignImageVerification(ctx, artifactImage, opts)