adds tsa cert chain check for env var or tuf targets.

[ianhundere]

closes #3563

Summary

Creates parity between Cosign / TSA (e.g. TSA values are handled similarly to ctlog, fulcio, and rekor creds now) since sigstore/sigstore TUF client was recently updated to support the "TSA" usage type.

Currently, the TSA cert chain is required via Cosign's cli flag, though, as per #3563, Cosign can support reading the cert chain from either an environment variable or the TUF targets, similar to Fulcio certs, Rekor keys or the CTLog public key that can be provided on verification. I looked at RekorPubKeys and GetCTLogPubs as an example.

huge thanks to @aalsabag for helping w/ unit tests.

Release Note

• Checks for TSA cert-chain in environment variable, SIGSTORE_TSA_CERTIFICATE_FILE, and TUF targets

[cmurphy]

This looks pretty good to me, though I'm not a TSA or TUF expert.

It looks like the merge commit accidentally pulled in an unused import so this doesn't build.

This will need some tests.

[haydentherapper]

Thanks, sorry for the delay. Just a couple comments.

+1 to tests.

[ianhundere]

thanks for the feedback/comments, will try to implement in the next few weeks.

[ianhundere]

i've added some of the feedback, just working on tests and returning x509.Certificate structs instead of byte arrays to cut down on repetition in the verify files since i can handle unmarshalling via SplitPEMCertificateChain in tsalog.go; @haydentherapper thanks for the heads up on that.

[Meeki1l]

@ianhundere Can you tell me the approximate time of making all the improvements?

[ianhundere]

@Meeki1l if not today, by weds.

[ianhundere]

@haydentherapper / @cmurphy okay, i think that about does it.

[haydentherapper]

Thanks @ianhundere! Will take a closer look tomorrow. Can you take a look at failing tests?

[ianhundere]

Thanks @ianhundere! Will take a closer look tomorrow. Can you take a look at failing tests?

@haydentherapper no problem, thanks for the quick 👀 / feedback. 🙇

this commit fixes the failing units tests / lint errors:

• golangci-lint errors
• TestGetTSACertsFromTUF test

[ianhundere]

ah, had a couple more issues:

• fixed last lint issue
• copied splitPEMCertificateChain from internal/pkg/cosign/tsa/utils.go to avoid import cycle.

now running go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) works other than the current work around, GODEBUG: x509sha1=1, for the failing tests.

[codecov]

Codecov Report

Attention: Patch coverage is 26.92308% with 95 lines in your changes missing coverage. Please review.

Project coverage is 40.70%. Comparing base (2ef6022) to head (3fee9d8).
Report is 131 commits behind head on main.

Files	Patch %	Lines
pkg/cosign/tsa.go	37.50%	39 Missing and 6 partials ⚠️
cmd/cosign/cli/verify/verify.go	0.00%	15 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go	0.00%	15 Missing ⚠️
cmd/cosign/cli/verify/verify_blob.go	47.05%	6 Missing and 3 partials ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go	0.00%	6 Missing and 2 partials ⚠️
cmd/cosign/cli/options/verify.go	0.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3600      +/-   ##
==========================================
+ Coverage   40.10%   40.70%   +0.60%     
==========================================
  Files         155      159       +4     
  Lines       10044    10225     +181     
==========================================
+ Hits         4028     4162     +134     
- Misses       5530     5558      +28     
- Partials      486      505      +19     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ianhundere]

this one is failing due to some infra/network issues:

Error from server (parsing address pool config: invalid CIDR "fc00:f853:ccd:e793::/64.255.1-fc00:f853:ccd:e793::/64.255.250" in pool "config": invalid IP range "fc00:f853:ccd:e793::/64.255.1-fc00:f853:ccd:e793::/64.255.250": invalid start IP "fc00:f853:ccd:e793::/64.255.1"): error when creating "./metallb-crds.yaml": admission webhook "ipaddresspoolvalidationwebhook.metallb.io" denied the request

[haydentherapper]

One last thing, need to run make docgen

[ianhundere]

One last thing, need to run make docgen

done / done 🙂

[ianhundere]

@haydentherapper thanks for the 👀 / lemme know if that satisfies everything.

[haydentherapper]

Just a few more places to update! Sorry for all the duplication across verify_* functions

[ianhundere]

Just a few more places to update! Sorry for all the duplication across verify_* functions

ah, i'll get those / thanks again.

edit: @haydentherapper all done

[haydentherapper]

Thank you for all of your work on this!

[cmurphy]

The error handling lgtm now 👍

[haydentherapper]

@cpanato would you be able to take a look at the test failures? I’m uncertain why they’re failing

[cpanato]

@cpanato, can you take a look at the test failures? I’m uncertain why they’re failing.

I will take a look; just bear with me :) i am traveling back home today

[ianhundere]

@cpanato would you be able to take a look at the test failures? I’m uncertain why they’re failing

looks like @bobcallaway merged a fix / updated metallb as per the sigstore slack (#general):

• slack chat
• bumps metallb

[haydentherapper]

Can you rebase?

[cpanato]

sorry for the delay, a rebase might fix

[ianhundere]

@haydentherapper done/done 🙂