From f056c3ef64c94f579d7591372fc323d8fb53f2b0 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Tue, 7 Jan 2025 16:44:07 +0100 Subject: [PATCH] Add support for verifying root checksum in cosign initialize (#3953) * Add support for verifying root checksum in cosign initialize Signed-off-by: Slavek Kabrda * Regenerate docs Signed-off-by: Slavek Kabrda * Update cmd/cosign/cli/options/deprecate.go Co-authored-by: Hayden B Signed-off-by: Slavek Kabrda * Use sha256 by default with the option to switch to sha512 Signed-off-by: Slavek Kabrda --------- Signed-off-by: Slavek Kabrda Co-authored-by: Hayden B --- cmd/cosign/cli/initialize.go | 11 +++--- cmd/cosign/cli/initialize/init.go | 23 ++++++++++++- cmd/cosign/cli/options/deprecate.go | 5 +++ cmd/cosign/cli/options/initialize.go | 8 +++-- doc/cosign_initialize.md | 16 +++++---- pkg/blob/load.go | 35 +++++++++++++++++++ pkg/blob/load_test.go | 50 ++++++++++++++++++++++++++++ 7 files changed, 135 insertions(+), 13 deletions(-) diff --git a/cmd/cosign/cli/initialize.go b/cmd/cosign/cli/initialize.go index a701ebb49fa..322ca99eb11 100644 --- a/cmd/cosign/cli/initialize.go +++ b/cmd/cosign/cli/initialize.go @@ -41,19 +41,22 @@ Any updated TUF repository will be written to $HOME/.sigstore/root/. Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates with Fulcio root CA) are pulled form the trusted metadata.`, - Example: `cosign initialize -mirror -out + Example: `cosign initialize --mirror --out # initialize root with distributed root keys, default mirror, and default out path. cosign initialize # initialize with an out-of-band root key file, using the default mirror. -cosign initialize -root +cosign initialize --root # initialize with an out-of-band root key file and custom repository mirror. -cosign initialize -mirror -root `, +cosign initialize --mirror --root + +# initialize with an out-of-band root key file and custom repository mirror while verifying root checksum. +cosign initialize --mirror --root --root-checksum `, PersistentPreRun: options.BindViper, RunE: func(cmd *cobra.Command, _ []string) error { - return initialize.DoInitialize(cmd.Context(), o.Root, o.Mirror) + return initialize.DoInitializeWithRootChecksum(cmd.Context(), o.Root, o.Mirror, o.RootChecksum) }, } diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go index 158bc0a5f0d..eca80ea15ea 100644 --- a/cmd/cosign/cli/initialize/init.go +++ b/cmd/cosign/cli/initialize/init.go @@ -20,17 +20,38 @@ import ( _ "embed" // To enable the `go:embed` directive. "encoding/json" "fmt" + "os" + "strings" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/pkg/blob" "github.com/sigstore/sigstore/pkg/tuf" ) func DoInitialize(ctx context.Context, root, mirror string) error { + return doInitialize(ctx, root, mirror, "", true) +} + +func DoInitializeWithRootChecksum(ctx context.Context, root, mirror, rootChecksum string) error { + return doInitialize(ctx, root, mirror, rootChecksum, false) +} + +func doInitialize(ctx context.Context, root, mirror, rootChecksum string, forceSkipChecksumValidation bool) error { // Get the initial trusted root contents. var rootFileBytes []byte var err error if root != "" { - rootFileBytes, err = blob.LoadFileOrURL(root) + if !forceSkipChecksumValidation { + if rootChecksum == "" && (strings.HasPrefix(root, "http://") || strings.HasPrefix(root, "https://")) { + fmt.Fprintln(os.Stderr, options.RootWithoutChecksumDeprecation) + } + } + verifyChecksum := !forceSkipChecksumValidation && (rootChecksum != "") + if verifyChecksum { + rootFileBytes, err = blob.LoadFileOrURLWithChecksum(root, rootChecksum) + } else { + rootFileBytes, err = blob.LoadFileOrURL(root) + } if err != nil { return err } diff --git a/cmd/cosign/cli/options/deprecate.go b/cmd/cosign/cli/options/deprecate.go index 76084afa179..39900375f90 100644 --- a/cmd/cosign/cli/options/deprecate.go +++ b/cmd/cosign/cli/options/deprecate.go @@ -19,3 +19,8 @@ const SBOMAttachmentDeprecation = "WARNING: SBOM attachments are deprecated " + "and support will be removed in a Cosign release soon after 2024-02-22 " + "(see https://github.com/sigstore/cosign/issues/2755). " + "Instead, please use SBOM attestations." + +const RootWithoutChecksumDeprecation = "WARNING: Fetching initial root from URL " + + "without providing its checksum is deprecated and will be disallowed in " + + "a future Cosign release. Please provide the initial root checksum " + + "via the --root-checksum argument." diff --git a/cmd/cosign/cli/options/initialize.go b/cmd/cosign/cli/options/initialize.go index ab91955ee7c..9af970e0ad5 100644 --- a/cmd/cosign/cli/options/initialize.go +++ b/cmd/cosign/cli/options/initialize.go @@ -22,8 +22,9 @@ import ( // InitializeOptions is the top level wrapper for the initialize command. type InitializeOptions struct { - Mirror string - Root string + Mirror string + Root string + RootChecksum string } var _ Interface = (*InitializeOptions)(nil) @@ -36,4 +37,7 @@ func (o *InitializeOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Root, "root", "", "path to trusted initial root. defaults to embedded root") _ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{}) + + cmd.Flags().StringVar(&o.RootChecksum, "root-checksum", "", + "checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:") } diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md index 84f4fa30272..1b927192696 100644 --- a/doc/cosign_initialize.md +++ b/doc/cosign_initialize.md @@ -25,24 +25,28 @@ cosign initialize [flags] ### Examples ``` -cosign initialize -mirror -out +cosign initialize --mirror --out # initialize root with distributed root keys, default mirror, and default out path. cosign initialize # initialize with an out-of-band root key file, using the default mirror. -cosign initialize -root +cosign initialize --root # initialize with an out-of-band root key file and custom repository mirror. -cosign initialize -mirror -root +cosign initialize --mirror --root + +# initialize with an out-of-band root key file and custom repository mirror while verifying root checksum. +cosign initialize --mirror --root --root-checksum ``` ### Options ``` - -h, --help help for initialize - --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev") - --root string path to trusted initial root. defaults to embedded root + -h, --help help for initialize + --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev") + --root string path to trusted initial root. defaults to embedded root + --root-checksum string checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512: ``` ### Options inherited from parent commands diff --git a/pkg/blob/load.go b/pkg/blob/load.go index 543af56fac1..8ee624e93a8 100644 --- a/pkg/blob/load.go +++ b/pkg/blob/load.go @@ -15,6 +15,9 @@ package blob import ( + "crypto/sha256" + "crypto/sha512" + "encoding/hex" "fmt" "io" "net/http" @@ -72,3 +75,35 @@ func LoadFileOrURL(fileRef string) ([]byte, error) { } return raw, nil } + +func LoadFileOrURLWithChecksum(fileRef string, checksum string) ([]byte, error) { + checksumParts := strings.Split(checksum, ":") + if len(checksumParts) >= 3 { + return nil, fmt.Errorf("wrong checksum input format, must have at most 1 colon: %s", checksum) + } + + checksumAlgo := sha256.New() + checksumValue := checksumParts[len(checksumParts)-1] + if len(checksumParts) == 2 { + switch checksumParts[0] { + case "sha256": // the default set above + case "sha512": + checksumAlgo = sha512.New() + default: + return nil, fmt.Errorf("unsupported checksum algorithm: %s", checksumParts[0]) + } + } + + fileContent, err := LoadFileOrURL(fileRef) + if err != nil { + return nil, err + } + + checksumAlgo.Write(fileContent) + computedChecksum := hex.EncodeToString(checksumAlgo.Sum(nil)) + if computedChecksum != checksumValue { + return nil, fmt.Errorf("incorrect checksum for file %s: expected %s but got %s", fileRef, checksumValue, computedChecksum) + } + + return fileContent, nil +} diff --git a/pkg/blob/load_test.go b/pkg/blob/load_test.go index 2e09ff5d061..58b6948b883 100644 --- a/pkg/blob/load_test.go +++ b/pkg/blob/load_test.go @@ -22,6 +22,7 @@ import ( "os" "path" "runtime" + "strings" "testing" ) @@ -97,3 +98,52 @@ func TestLoadURL(t *testing.T) { t.Error("LoadFileOrURL(): expected error for invalid scheme") } } + +func TestLoadURLWithChecksum(t *testing.T) { + data := []byte("test") + + server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { + rw.Write(data) + })) + defer server.Close() + + // default behavior with sha256 + actual, err := LoadFileOrURLWithChecksum( + server.URL, + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + ) + if err != nil { + t.Errorf("Reading from HTTP failed: %v", err) + } else if !bytes.Equal(actual, data) { + t.Errorf("LoadFileOrURL(HTTP) = '%s'; want '%s'", actual, data) + } + + // override checksum algo to sha512 + actual, err = LoadFileOrURLWithChecksum( + server.URL, + "sha512:ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff", + ) + if err != nil { + t.Errorf("Reading from HTTP failed: %v", err) + } else if !bytes.Equal(actual, data) { + t.Errorf("LoadFileOrURL(HTTP) = '%s'; want '%s'", actual, data) + } + + // ensure it fails with the wrong checksum + _, err = LoadFileOrURLWithChecksum( + server.URL, + "certainly not a correct checksum value", + ) + if err == nil || !strings.Contains(err.Error(), "incorrect checksum") { + t.Errorf("Expected an 'incorrect checksum' error, got: %v", err) + } + + // ensure it fails with incorrect algorithm + _, err = LoadFileOrURLWithChecksum( + server.URL, + "sha321123:foobar", + ) + if err == nil || !strings.Contains(err.Error(), "unsupported checksum") { + t.Errorf("Expected an 'unsupported checksum' error, got: %v", err) + } +}