sigstore · haydentherapper · Dec 16, 2024 · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -39,6 +39,6 @@ jobs:
 
       - run: make cosign conformance
 
-      - uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
+      - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14
         with:
           entrypoint: ${{ github.workspace }}/conformance
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -43,7 +43,7 @@ jobs:
       - check-signature
 
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.22.10-0@sha256:9ca2aa7224f2d12a2ef9e5f7a3fa6ccc64a000143b72f7c92d00f08065de8539
+      image: ghcr.io/gythialy/golang-cross:v1.23.2-0@sha256:8feb33a131baabdef112d924a4379ff6b0a4f00a4854f97b0dc73742198638bd
       volumes:
         - /usr:/host_usr
         - /opt:/host_opt

diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
@@ -15,20 +15,22 @@
 package main

 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 
 	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 	"github.com/sigstore/sigstore-go/pkg/bundle"
 	"google.golang.org/protobuf/encoding/protojson"
 )

 var bundlePath *string
@@ -41,9 +43,7 @@
 
 func usage() {
 	fmt.Println("Usage:")
-	fmt.Printf("\t%s sign --identity-token TOKEN --signature FILE --certificate FILE FILE\n", os.Args[0])
 	fmt.Printf("\t%s sign-bundle --identity-token TOKEN --bundle FILE FILE\n", os.Args[0])
-	fmt.Printf("\t%s verify --signature FILE --certificate FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0])
 	fmt.Printf("\t%s verify-bundle --bundle FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0])
 }
 
@@ -94,101 +94,10 @@
 	args := []string{}
 
 	switch os.Args[1] {
-	case "sign":
-		args = append(args, "sign-blob")
-		if signaturePath != nil {
-			args = append(args, "--output-signature", *signaturePath)
-		}
-		if certPath != nil {
-			args = append(args, "--output-certificate", *certPath)
-		}
-		args = append(args, "-y")
-
 	case "sign-bundle":
 		args = append(args, "sign-blob")
 		args = append(args, "-y")
 
-	case "verify":
-		args = append(args, "verify-blob")
-
-		// TODO: for now, we handle `verify` by constructing a bundle
-		// (see https://github.com/sigstore/cosign/issues/3700)
-		//
-		// Today cosign only supports `--trusted-root` with the new bundle
-		// format. When cosign supports `--trusted-root` with detached signed
-		// material, we can supply this content with `--certificate`
-		// and `--signature` instead.
-		fileBytes, err := os.ReadFile(os.Args[len(os.Args)-1])
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		fileDigest := sha256.Sum256(fileBytes)
-
-		pb := protobundle.Bundle{
-			MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1",
-		}
-
-		if signaturePath != nil {
-			sig, err := os.ReadFile(*signaturePath)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			sigBytes, err := base64.StdEncoding.DecodeString(string(sig))
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			pb.Content = &protobundle.Bundle_MessageSignature{
-				MessageSignature: &protocommon.MessageSignature{
-					MessageDigest: &protocommon.HashOutput{
-						Algorithm: protocommon.HashAlgorithm_SHA2_256,
-						Digest:    fileDigest[:],
-					},
-					Signature: sigBytes,
-				},
-			}
-		}
-		if certPath != nil {
-			cert, err := os.ReadFile(*certPath)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			pemCert, _ := pem.Decode(cert)
-			if pemCert == nil {
-				log.Fatalf("unable to load cerficate from %s", *certPath)
-			}
-
-			signingCert := protocommon.X509Certificate{
-				RawBytes: pemCert.Bytes,
-			}
-
-			pb.VerificationMaterial = &protobundle.VerificationMaterial{
-				Content: &protobundle.VerificationMaterial_X509CertificateChain{
-					X509CertificateChain: &protocommon.X509CertificateChain{
-						Certificates: []*protocommon.X509Certificate{&signingCert},
-					},
-				},
-			}
-		}
-
-		bundleFile, err := os.CreateTemp(os.TempDir(), "bundle.sigstore.json")
-		if err != nil {
-			log.Fatal(err)
-		}
-		bundleFileName := bundleFile.Name()
-		pbBytes, err := protojson.Marshal(&pb)
-		if err != nil {
-			log.Fatal(err)
-		}
-		if err := os.WriteFile(bundleFileName, pbBytes, 0600); err != nil {
-			log.Fatal(err)
-		}
-		bundlePath = &bundleFileName
-		args = append(args, "--insecure-ignore-tlog")
-
 	case "verify-bundle":
 		args = append(args, "verify-blob")
 
@@ -242,20 +151,4 @@
 	if err != nil {
 		log.Fatal(err)
 	}
-
-	if os.Args[1] == "sign" && certPath != nil {
-		// We want the signature to be base64 encoded, but not the certificate
-		// So base64 decode the certificate
-		cert, err := os.ReadFile(*certPath)
-		if err != nil {
-			log.Fatal(err)
-		}
-		certB64Decode, err := base64.StdEncoding.DecodeString(string(cert))
-		if err != nil {
-			log.Fatal(err)
-		}
-		if err := os.WriteFile(*certPath, certB64Decode, 0600); err != nil {
-			log.Fatal(err)
-		}
-	}
 }
diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -43,15 +43,15 @@ type CreateCmd struct {
 func (c *CreateCmd) Exec(_ context.Context) error {
 	var fulcioCertAuthorities []root.CertificateAuthority
 	ctLogs := make(map[string]*root.TransparencyLog)
-	var timestampAuthorities []root.CertificateAuthority
+	var timestampAuthorities []root.TimestampingAuthority
 	rekorTransparencyLogs := make(map[string]*root.TransparencyLog)
 
 	for i := 0; i < len(c.CertChain); i++ {
-		fulcioAuthority, err := parsePEMFile(c.CertChain[i])
+		fulcioAuthority, err := parseCAPEMFile(c.CertChain[i])
 		if err != nil {
 			return err
 		}
-		fulcioCertAuthorities = append(fulcioCertAuthorities, *fulcioAuthority)
+		fulcioCertAuthorities = append(fulcioCertAuthorities, fulcioAuthority)
 	}
 
 	for i := 0; i < len(c.CtfeKeyPath); i++ {
@@ -103,11 +103,11 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 	}
 
 	for i := 0; i < len(c.TSACertChainPath); i++ {
-		timestampAuthority, err := parsePEMFile(c.TSACertChainPath[i])
+		timestampAuthority, err := parseTAPEMFile(c.TSACertChainPath[i])
 		if err != nil {
 			return err
 		}
-		timestampAuthorities = append(timestampAuthorities, *timestampAuthority)
+		timestampAuthorities = append(timestampAuthorities, timestampAuthority)
 	}
 
 	newTrustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01,
@@ -137,13 +137,13 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 	return nil
 }
 
-func parsePEMFile(path string) (*root.CertificateAuthority, error) {
+func parseCAPEMFile(path string) (root.CertificateAuthority, error) {
 	certs, err := parseCerts(path)
 	if err != nil {
 		return nil, err
 	}
 
-	var ca root.CertificateAuthority
+	var ca root.FulcioCertificateAuthority
 	ca.Root = certs[len(certs)-1]
 	ca.ValidityPeriodStart = certs[len(certs)-1].NotBefore
 	if len(certs) > 1 {
@@ -153,6 +153,22 @@ func parsePEMFile(path string) (*root.CertificateAuthority, error) {
 	return &ca, nil
 }
 
+func parseTAPEMFile(path string) (root.TimestampingAuthority, error) {
+	certs, err := parseCerts(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var ta root.SigstoreTimestampingAuthority
+	ta.Root = certs[len(certs)-1]
+	ta.ValidityPeriodStart = certs[len(certs)-1].NotBefore
+	if len(certs) > 1 {
+		ta.Intermediates = certs[:len(certs)-1]
+	}
+
+	return &ta, nil
+}
+
 func parseCerts(path string) ([]*x509.Certificate, error) {
 	var certs []*x509.Certificate
 

diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
@@ -61,7 +61,7 @@ func TestCreateCmd(t *testing.T) {
 		t.Fatal("unexpected number of fulcio certificate authorities")
 	}
 
-	if len(fulcioCAs[0].Intermediates) != 1 {
+	if len(fulcioCAs[0].(*root.FulcioCertificateAuthority).Intermediates) != 1 {
 		t.Fatal("unexpected number of fulcio intermediate certificates")
 	}
 
@@ -70,7 +70,7 @@ func TestCreateCmd(t *testing.T) {
 		t.Fatal("unexpected number of timestamp authorities")
 	}
 
-	if len(timestampAuthorities[0].Intermediates) != 2 {
+	if len(timestampAuthorities[0].(*root.SigstoreTimestampingAuthority).Intermediates) != 2 {
 		t.Fatal("unexpected number of timestamp intermediate certificates")
 	}
 }

diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go
@@ -21,8 +21,11 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
@@ -164,22 +167,36 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s
 	}
 
 	if ignoreTlog && !useSignedTimestamps {
-		verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsUnsafe())
+		verifierConfig = append(verifierConfig, verify.WithCurrentTime())
 	}
 
-	// Perform verification
-	payload, err := payloadBytes(artifactRef)
-	if err != nil {
-		return nil, err
+	// Check if artifactRef is a digest or a file path
+	var artifactOpt verify.ArtifactPolicyOption
+	if _, err := os.Stat(artifactRef); err != nil {
+		hexAlg, hexDigest, ok := strings.Cut(artifactRef, ":")
+		if !ok {
+			return nil, err
+		}
+		digestBytes, err := hex.DecodeString(hexDigest)
+		if err != nil {
+			return nil, err
+		}
+		artifactOpt = verify.WithArtifactDigest(hexAlg, digestBytes)
+	} else {
+		// Perform verification
+		payload, err := payloadBytes(artifactRef)
+		if err != nil {
+			return nil, err
+		}
+		artifactOpt = verify.WithArtifact(bytes.NewBuffer(payload))
 	}
-	buf := bytes.NewBuffer(payload)
 
 	sev, err := verify.NewSignedEntityVerifier(trustedmaterial, verifierConfig...)
 	if err != nil {
 		return nil, err
 	}
 
-	return sev.Verify(bundle, verify.NewPolicy(verify.WithArtifact(buf), identityPolicies...))
+	return sev.Verify(bundle, verify.NewPolicy(artifactOpt, identityPolicies...))
 }
 
 func AssembleNewBundle(ctx context.Context, sigBytes, signedTimestamp []byte, envelope *dsse.Envelope, artifactRef string, cert *x509.Certificate, ignoreTlog bool, sigVerifier signature.Verifier, pkOpts []signature.PublicKeyOption, rekorClient *client.Rekor) (*sgbundle.Bundle, error) {

diff --git a/cmd/cosign/cli/verify/verify_bundle_test.go b/cmd/cosign/cli/verify/verify_bundle_test.go
@@ -23,7 +23,9 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/pem"
+	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@@ -36,6 +38,7 @@ func TestVerifyBundleWithKey(t *testing.T) {
 	ctx := context.Background()
 	artifact := "hello world"
 	digest := sha256.Sum256([]byte(artifact))
+	hexDigest := hex.EncodeToString(digest[:])
 
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	checkErr(t, err)
@@ -88,6 +91,13 @@ func TestVerifyBundleWithKey(t *testing.T) {
 	if result == nil {
 		t.Fatal("invalid verification result")
 	}
+
+	result2, err := verifyNewBundle(ctx, bundlePath, trustedRootPath, publicKeyPath, "", "", "", "", "", "", "", "", "", "", fmt.Sprintf("sha256:%s", hexDigest), false, true, false, true)
+	checkErr(t, err)
+
+	if result2 == nil {
+		t.Fatal("invalid verification result")
+	}
 }
 
 func checkErr(t *testing.T, err error) {