From 5b05f450545275ad6378c26dcd8b4ea23433dea3 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 25 Jun 2024 16:00:38 -0400
Subject: [PATCH 1/4] Add user agent to online Rekor requests and TUF requests.
Depends on https://github.com/theupdateframework/go-tuf/pull/642.
Signed-off-by: Zach Steindler
---
 cmd/conformance/main.go | 9 +++++++--
 cmd/sigstore-go/main.go | 11 ++++++++++-
 examples/sigstore-go-signing/main.go | 6 ++++++
 pkg/sign/certificate.go | 4 +++-
 pkg/sign/timestamping.go | 14 +++-----------
 pkg/sign/transparency.go | 8 +++++---
 pkg/tuf/client.go | 7 +++++++
 pkg/verify/signed_entity.go | 13 ++++++++++++-
 pkg/verify/tlog.go | 9 +++++----
 pkg/verify/tlog_test.go | 18 +++++++++---------
 10 files changed, 67 insertions(+), 32 deletions(-)
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
index 5ce05275..332f9216 100644
--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -25,12 +25,14 @@ import (
 protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ "github.com/theupdateframework/go-tuf/v2/metadata/fetcher"
 "google.golang.org/protobuf/encoding/protojson"
 "github.com/sigstore/sigstore-go/pkg/bundle"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore-go/pkg/tuf"
+ "github.com/sigstore/sigstore-go/pkg/util"
 "github.com/sigstore/sigstore-go/pkg/verify"
 )
@@ -60,6 +62,9 @@ func getTrustedRoot(staging bool) root.TrustedMaterial {
 trustedRootJSON, err = os.ReadFile(*trustedRootPath)
 } else {
 opts := tuf.DefaultOptions()
+ fetcher := fetcher.DefaultFetcher{}
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+ opts.Fetcher = &fetcher
 if staging {
 opts.Root = tuf.StagingRoot()
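Review bot: The local `fetcher := fetcher.DefaultFetcher{}` in getTrustedRoot shadows the imported package `fetcher` for the rest of the block, so the package identifier is unusable after that line and a reader has to work out which `fetcher` each later reference means. Renaming the local avoids it: `tufFetcher := fetcher.DefaultFetcher{}`, `tufFetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))`, `opts.Fetcher = &tufFetcher`. The same pattern is introduced in cmd/sigstore-go run(), the sigstore-go-signing example, and pkg/tuf/client.go New() further down in this patch. getTrustedRoot's body continues outside the hunk.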
@@ -295,7 +300,7 @@ func main() {
 tr := getTrustedRoot(staging)
 verifierConfig := []verify.VerifierOption{}
- verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsUnsafe(), verify.WithSignedCertificateTimestamps(1))
+ verifierConfig = append(verifierConfig, verify.WithVersionString(Version), verify.WithoutAnyObserverTimestampsUnsafe(), verify.WithSignedCertificateTimestamps(1))
 if len(tr.RekorLogs()) > 0 {
 verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 }
@@ -344,7 +349,7 @@ func main() {
 tr := getTrustedRoot(staging)
 verifierConfig := []verify.VerifierOption{}
- verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
+ verifierConfig = append(verifierConfig, verify.WithVersionString(Version), verify.WithSignedCertificateTimestamps(1))
 // Check bundle and trusted root for signed timestamp information
 bundleTimestamps, err := b.Timestamps()
diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
index bb03d9a7..cd103a3c 100644
--- a/cmd/sigstore-go/main.go
+++ b/cmd/sigstore-go/main.go
@@ -27,13 +27,17 @@ import (
 "os"
 "time"
+ "github.com/sigstore/sigstore/pkg/signature"
+ "github.com/theupdateframework/go-tuf/v2/metadata/fetcher"
+
 "github.com/sigstore/sigstore-go/pkg/bundle"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore-go/pkg/tuf"
+ "github.com/sigstore/sigstore-go/pkg/util"
 "github.com/sigstore/sigstore-go/pkg/verify"
- "github.com/sigstore/sigstore/pkg/signature"
 )
+var Version string
 var artifact *string
 var artifactDigest *string
 var artifactDigestAlgorithm *string
@@ -101,6 +105,8 @@ func run() error {
 identityPolicies := []verify.PolicyOption{}
 var artifactPolicy verify.ArtifactPolicyOption
+ verifierConfig = append(verifierConfig, verify.WithVersionString(Version))
+
 if *requireCTlog {
 verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
 }
@@ -129,6 +135,9 @@ func run() error {
 if *tufRootURL != "" {
 opts := tuf.DefaultOptions()
 opts.RepositoryBaseURL = *tufRootURL
+ fetcher := fetcher.DefaultFetcher{}
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+ opts.Fetcher = &fetcher
 // Load the tuf root.json if provided, if not use public good
 if *tufTrustedRoot != "" {
diff --git a/examples/sigstore-go-signing/main.go b/examples/sigstore-go-signing/main.go
index fe7034d3..dad5c037 100644
--- a/examples/sigstore-go-signing/main.go
+++ b/examples/sigstore-go-signing/main.go
@@ -21,11 +21,13 @@ import (
 "os"
 "time"
+ "github.com/theupdateframework/go-tuf/v2/metadata/fetcher"
 "google.golang.org/protobuf/encoding/protojson"
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore-go/pkg/tuf"
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 var Version string
@@ -83,9 +85,13 @@ func main() {
 opts := sign.BundleOptions{}
 // Get trusted_root.json
+ fetcher := fetcher.DefaultFetcher{}
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+
 tufOptions := &tuf.Options{
 Root: tuf.StagingRoot(),
 RepositoryBaseURL: tuf.StagingMirror,
+ Fetcher: &fetcher,
 }
 tufClient, err := tuf.New(tufOptions)
 if err != nil {
diff --git a/pkg/sign/certificate.go b/pkg/sign/certificate.go
index 269be029..9b897101 100644
--- a/pkg/sign/certificate.go
+++ b/pkg/sign/certificate.go
@@ -27,6 +27,8 @@ import (
 "net/http"
 "strings"
 "time"
+
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 type CertificateProviderOptions struct {
@@ -169,7 +171,7 @@ func (f *Fulcio) GetCertificate(ctx context.Context, keypair Keypair, opts *Cert
 }
 request.Header.Add("Authorization", "Bearer "+opts.IDToken)
 request.Header.Add("Content-Type", "application/json")
- request.Header.Add("User-Agent", constructUserAgent(f.options.LibraryVersion))
+ request.Header.Add("User-Agent", util.ConstructUserAgent(f.options.LibraryVersion))
 response, err = f.client.Do(request)
 if err != nil {
diff --git a/pkg/sign/timestamping.go b/pkg/sign/timestamping.go
index ce85b34d..5c2b8b58 100644
--- a/pkg/sign/timestamping.go
+++ b/pkg/sign/timestamping.go
@@ -26,6 +26,8 @@ import (
 "time"
 "github.com/digitorus/timestamp"
+
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 type TimestampAuthorityOptions struct {
@@ -83,7 +85,7 @@ func (ta *TimestampAuthority) GetTimestamp(ctx context.Context, signature []byte
 return nil, err
 }
 request.Header.Add("Content-Type", "application/timestamp-query")
- request.Header.Add("User-Agent", constructUserAgent(ta.options.LibraryVersion))
+ request.Header.Add("User-Agent", util.ConstructUserAgent(ta.options.LibraryVersion))
 response, err = ta.client.Do(request)
 if err != nil {
@@ -122,13 +124,3 @@ func (ta *TimestampAuthority) GetTimestamp(ctx context.Context, signature []byte
 return body, nil
 }
-
-func constructUserAgent(version string) string {
- userAgent := "sigstore-go"
- if version != "" {
- userAgent += "/"
- userAgent += version
- }
-
- return userAgent
-}
diff --git a/pkg/sign/transparency.go b/pkg/sign/transparency.go
index dcc45560..8f8a1a0f 100644
--- a/pkg/sign/transparency.go
+++ b/pkg/sign/transparency.go
@@ -31,11 +31,13 @@ import (
 "github.com/sigstore/rekor/pkg/types"
 "github.com/sigstore/rekor/pkg/types/dsse"
 "github.com/sigstore/rekor/pkg/types/hashedrekord"
- "github.com/sigstore/rekor/pkg/util"
+ rekorUtil "github.com/sigstore/rekor/pkg/util"
 // To initialize rekor types
 _ "github.com/sigstore/rekor/pkg/types/dsse/v0.0.1"
 _ "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
+
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 type RekorClient interface {
@@ -105,7 +107,7 @@ func (r *Rekor) GetTransparencyLogEntry(pubKeyPEM []byte, b *protobundle.Bundle)
 artifactProperties.PKIFormat = string(pki.X509)
 artifactProperties.SignatureBytes = messageSignature.Signature
- artifactProperties.ArtifactHash = util.PrefixSHA(hexDigest)
+ artifactProperties.ArtifactHash = rekorUtil.PrefixSHA(hexDigest)
 var err error
 proposedEntry, err = hashedrekordType.CreateProposedEntry(context.TODO(), "", artifactProperties)
@@ -126,7 +128,7 @@ func (r *Rekor) GetTransparencyLogEntry(pubKeyPEM []byte, b *protobundle.Bundle)
 params.SetProposedEntry(proposedEntry)
 if r.options.Client == nil {
- client, err := client.GetRekorClient(r.options.BaseURL, client.WithUserAgent(constructUserAgent(r.options.LibraryVersion)), client.WithRetryCount(r.options.Retries))
+ client, err := client.GetRekorClient(r.options.BaseURL, client.WithUserAgent(util.ConstructUserAgent(r.options.LibraryVersion)), client.WithRetryCount(r.options.Retries))
 if err != nil {
 return err
 }
diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go
index f655f540..2f37962d 100644
--- a/pkg/tuf/client.go
+++ b/pkg/tuf/client.go
@@ -21,7 +21,10 @@ import (
 "time"
 "github.com/theupdateframework/go-tuf/v2/metadata/config"
+ "github.com/theupdateframework/go-tuf/v2/metadata/fetcher"
 "github.com/theupdateframework/go-tuf/v2/metadata/updater"
+
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 // Client is a Sigstore TUF client
@@ -56,6 +59,10 @@ func New(opts *Options) (*Client, error) {
 if opts.Fetcher != nil {
 c.cfg.Fetcher = opts.Fetcher
+ } else {
+ fetcher := fetcher.DefaultFetcher{}
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent(""))
+ c.cfg.Fetcher = &fetcher
 }
 // Upon client creation, we may not perform a full TUF update,
diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go
index 45bc014d..90046de5 100644
--- a/pkg/verify/signed_entity.go
+++ b/pkg/verify/signed_entity.go
@@ -70,6 +70,8 @@ type VerifierConfig struct { // nolint: revive
 // rather than a provided signed or log timestamp. Most workflows will
 // not use this option
 weDoNotExpectAnyObserverTimestamps bool
+ // optional sigstore-go version to use in user agent for outbound requests
+ version string
 }
 type VerifierOption func(*VerifierConfig) error
@@ -202,6 +204,15 @@ func WithoutAnyObserverTimestampsUnsafe() VerifierOption {
 }
 }
+// WithVersionString is used to optionally specify a specific version of
+// sigstore-go, to use in user agent for outbound requests
+func WithVersionString(version string) VerifierOption {
+ return func(c *VerifierConfig) error {
+ c.version = version
+ return nil
+ }
+}
+
 func (c *VerifierConfig) Validate() error {
 if !c.requireObserverTimestamps && !c.weExpectSignedTimestamps && !c.requireIntegratedTimestamps && !c.weDoNotExpectAnyObserverTimestamps {
 return errors.New("when initializing a new SignedEntityVerifier, you must specify at least one of " +
@@ -616,7 +627,7 @@ func (v *SignedEntityVerifier) VerifyTransparencyLogInclusion(entity SignedEntit
 if v.config.weExpectTlogEntries {
 // log timestamps should be verified if with WithIntegratedTimestamps or WithObserverTimestamps is used
 verifiedTlogTimestamps, err := VerifyArtifactTransparencyLog(entity, v.trustedMaterial, v.config.tlogEntriesThreshold,
- v.config.requireIntegratedTimestamps || v.config.requireObserverTimestamps, v.config.performOnlineVerification)
+ v.config.requireIntegratedTimestamps || v.config.requireObserverTimestamps, v.config.performOnlineVerification, v.config.version)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/verify/tlog.go b/pkg/verify/tlog.go
index 6769b3bc..ff125d26 100644
--- a/pkg/verify/tlog.go
+++ b/pkg/verify/tlog.go
@@ -32,6 +32,7 @@ import (
 "github.com/sigstore/sigstore-go/pkg/root"
 "github.com/sigstore/sigstore-go/pkg/tlog"
+ "github.com/sigstore/sigstore-go/pkg/util"
 )
 // VerifyArtifactTransparencyLog verifies that the given entity has been logged
@@ -41,7 +42,7 @@ import (
 // that must be verified.
 //
 // If online is true, the log entry is verified against the Rekor server.
-func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.TrustedMaterial, logThreshold int, trustIntegratedTime, online bool) ([]time.Time, error) { //nolint:revive
+func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.TrustedMaterial, logThreshold int, trustIntegratedTime, online bool, version string) ([]time.Time, error) { //nolint:revive
 entries, err := entity.TlogEntries()
 if err != nil {
 return nil, err
@@ -120,7 +121,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
 continue
 }
- client, err := getRekorClient(tlogVerifier.BaseURL)
+ client, err := getRekorClient(tlogVerifier.BaseURL, version)
 if err != nil {
 return nil, err
 }
@@ -198,8 +199,8 @@ func getVerifier(publicKey crypto.PublicKey, hashFunc crypto.Hash) (*signature.V
 return &verifier, nil
 }
-func getRekorClient(baseURL string) (*rekorGeneratedClient.Rekor, error) {
- client, err := rekorClient.GetRekorClient(baseURL)
+func getRekorClient(baseURL, version string) (*rekorGeneratedClient.Rekor, error) {
+ client, err := rekorClient.GetRekorClient(baseURL, rekorClient.WithUserAgent(util.ConstructUserAgent(version)))
 if err != nil {
 return nil, err
 }
diff --git a/pkg/verify/tlog_test.go b/pkg/verify/tlog_test.go
index 3ff4845c..ae708712 100644
--- a/pkg/verify/tlog_test.go
+++ b/pkg/verify/tlog_test.go
@@ -36,12 +36,12 @@ func TestTlogVerifier(t *testing.T) {
 assert.NoError(t, err)
 var ts []time.Time
- ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false)
+ ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false, "")
 assert.NoError(t, err)
 // 1 verified timestamp
 assert.Len(t, ts, 1)
- ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, false, false)
+ ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, false, false, "")
 assert.NoError(t, err)
 // 0 verified timestamps, since integrated timestamps are ignored
 assert.Len(t, ts, 0)
@@ -49,7 +49,7 @@ func TestTlogVerifier(t *testing.T) {
 virtualSigstore2, err := ca.NewVirtualSigstore()
 assert.NoError(t, err)
- _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore2, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore2, 1, true, false, "")
 assert.Error(t, err) // different sigstore instance should fail to verify
 // Attempt to use tlog with integrated time outside certificate validity.
@@ -59,7 +59,7 @@ func TestTlogVerifier(t *testing.T) {
 entity, err = virtualSigstore.AttestAtTime("foo@fighters.com", "issuer", statement, time.Now().Add(30*time.Minute))
 assert.NoError(t, err)
- _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false, "")
 assert.Error(t, err)
 }
@@ -96,11 +96,11 @@ func TestIgnoredTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 // success: entry that cannot be verified is ignored
- _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 1, true, false, "")
 assert.NoError(t, err)
 // failure: threshold of 2 is not met since 1 untrusted entry is ignored
- _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 2, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 2, true, false, "")
 assert.Error(t, err)
 }
@@ -138,7 +138,7 @@ func TestInvalidTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 // failure: threshold of 1 is not met with invalid entry
- _, err = verify.VerifyArtifactTransparencyLog(&invalidTLogEntity{entity}, virtualSigstore, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(&invalidTLogEntity{entity}, virtualSigstore, 1, true, false, "")
 assert.Error(t, err)
 if err.Error() != "entry must contain an inclusion proof and/or promise" {
 t.Errorf("expected error with missing proof/promises, got: %v", err.Error())
@@ -162,7 +162,7 @@ func TestNoTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 // failure: threshold of 1 is not met with no entries
- _, err = verify.VerifyArtifactTransparencyLog(&noTLogEntity{entity}, virtualSigstore, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(&noTLogEntity{entity}, virtualSigstore, 1, true, false, "")
 assert.Error(t, err)
 if !strings.Contains(err.Error(), "not enough verified log entries from transparency log") {
 t.Errorf("expected error with timestamp threshold, got: %v", err.Error())
@@ -190,6 +190,6 @@ func TestDuplicateTlogEntries(t *testing.T) {
 entity, err := virtualSigstore.Attest("foofighters@example.com", "issuer", statement)
 assert.NoError(t, err)
- _, err = verify.VerifyArtifactTransparencyLog(&dupTlogEntity{entity}, virtualSigstore, 1, true, false)
+ _, err = verify.VerifyArtifactTransparencyLog(&dupTlogEntity{entity}, virtualSigstore, 1, true, false, "")
 assert.Error(t, err) // duplicate tlog entries should fail to verify
 }
From 1894da8c5bda0aaee602640bb039e7dd8d8787d2 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 25 Jun 2024 16:09:27 -0400
Subject: [PATCH 2/4] Add pkg/util/util.go
Signed-off-by: Zach Steindler
---
 pkg/util/util.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 pkg/util/util.go
diff --git a/pkg/util/util.go b/pkg/util/util.go
new file mode 100644
index 00000000..617b1b7d
--- /dev/null
+++ b/pkg/util/util.go
@@ -0,0 +1,25 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+func ConstructUserAgent(version string) string {
+ userAgent := "sigstore-go"
+ if version != "" {
+ userAgent += "/"
+ userAgent += version
+ }
+
+ return userAgent
+}
From 8f654cfaf489a93193ee820dc46fe647ff054d53 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Mon, 1 Jul 2024 09:58:52 -0400
Subject: [PATCH 3/4] Update to use latest go-tuf with user agent functionality
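Review bot: ConstructUserAgent in the new pkg/util/util.go is exported but carries no doc comment, and since its result is placed verbatim in the User-Agent header of every outbound Fulcio, Rekor, TSA and TUF request, the contract for `version` deserves to be stated; `// ConstructUserAgent returns the User-Agent value "sigstore-go", suffixed with "/"+version when version is non-empty.` would cover it. Callers should also know the value is sent unmodified, so a version string is expected to be a plain token such as a tag, not arbitrary text. The diffstat of the fourth patch lists a 20-line rewrite of this file that is not in view here, so the comment belongs on whichever revision lands.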
Signed-off-by: Zach Steindler --- examples/oci-image-verification/go.mod | 4 ++-- examples/oci-image-verification/go.sum | 10 +++++----- go.mod | 4 ++-- go.sum | 12 +++++------- 4 files changed, 14 insertions(+), 16 deletions(-) diff --git a/examples/oci-image-verification/go.mod b/examples/oci-image-verification/go.mod index efec2d63..8d1ab739 100644 --- a/examples/oci-image-verification/go.mod +++ b/examples/oci-image-verification/go.mod @@ -68,12 +68,12 @@ require ( github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.3 // indirect diff --git a/examples/oci-image-verification/go.sum b/examples/oci-image-verification/go.sum index 90eac161..b43f8bd8 100644 --- a/examples/oci-image-verification/go.sum +++ b/examples/oci-image-verification/go.sum 
@@ -71,7 +71,7 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AX github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= @@ -295,8 +295,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= 
@@ -317,8 +317,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 h1:AH/4455EGJqYHx6KcrWJ9Bv/h9xae+SP5EGgmmbQBSA= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= diff --git a/go.mod b/go.mod index d910f2b7..39d0703f 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/sigstore/sigstore v1.8.4 github.com/sigstore/timestamp-authority v1.2.2 github.com/stretchr/testify v1.9.0 - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 golang.org/x/crypto v0.24.0 golang.org/x/mod v0.18.0 google.golang.org/protobuf v1.34.2 
@@ -67,7 +67,7 @@ require ( github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect - github.com/spf13/cobra v1.8.0 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect diff --git a/go.sum b/go.sum index a9b61eba..55fc1f06 100644 --- a/go.sum +++ b/go.sum @@ -69,7 +69,7 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= 
@@ -273,16 +273,14 @@ github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zq github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc= github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= 
@@ -301,8 +299,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9 h1:AH/4455EGJqYHx6KcrWJ9Bv/h9xae+SP5EGgmmbQBSA= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240701122707-5abb6219c8d9/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= From 4e2ef06f738aa244ad75c90a19db841f0dc1271a Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Mon, 1 Jul 2024 15:34:54 -0400 Subject: [PATCH 4/4] Use debug.ReadBuildInfo() instead of Version via ldflag Signed-off-by: Zach Steindler --- Makefile | 11 ++++------- cmd/conformance/main.go | 17 +++++++---------- cmd/sigstore-go/main.go | 5 +---- examples/sigstore-go-signing/main.go | 6 +----- pkg/sign/certificate.go | 4 +--- pkg/sign/timestamping.go | 4 +--- pkg/sign/transparency.go | 4 +--- pkg/tuf/client.go | 2 +- pkg/util/util.go | 20 ++++++++++++++++---- pkg/verify/signed_entity.go | 13 +------------ pkg/verify/tlog.go | 8 ++++---- pkg/verify/tlog_test.go | 18 +++++++++--------- 12 files changed, 47 insertions(+), 65 deletions(-) 
diff --git a/Makefile b/Makefile
index f1a5da23..043033be 100644
--- a/Makefile
+++ b/Makefile
@@ -12,21 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-VERSION := `git describe --tags`
-LDFLAGS = -ldflags "-X main.Version=$(VERSION)"
-
 .PHONY: all
 all: build build-examples
 .PHONY: build
 build:
- go build $(LDFLAGS) ./cmd/sigstore-go
- go build $(LDFLAGS) -o conformance ./cmd/conformance
+ go build ./cmd/sigstore-go
+ go build -o conformance ./cmd/conformance
 .PHONY: build-examples
 build-examples:
- go build -C ./examples/oci-image-verification $(LDFLAGS) -o oci-image-verification .
- go build -C ./examples/sigstore-go-signing $(LDFLAGS) -o sigstore-go-signing .
+ go build -C ./examples/oci-image-verification -o oci-image-verification .
+ go build -C ./examples/sigstore-go-signing -o sigstore-go-signing .
 .PHONY: test
 test:
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
index 332f9216..4a7031ca 100644
--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -36,7 +36,6 @@ import (
 "github.com/sigstore/sigstore-go/pkg/verify"
 )
-var Version string
 var bundlePath *string
 var certPath *string
 var certOIDC *string
@@ -63,7 +62,7 @@ func getTrustedRoot(staging bool) root.TrustedMaterial {
 } else {
 opts := tuf.DefaultOptions()
 fetcher := fetcher.DefaultFetcher{}
- fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent())
 opts.Fetcher = &fetcher
 if staging {
@@ -137,9 +136,8 @@ func signBundle(withRekor bool) (*protobundle.Bundle, error) {
 }
 fulcioOpts := &sign.FulcioOptions{
- BaseURL: fmt.Sprintf("https://fulcio.%s.dev", instance),
- Timeout: timeout,
- LibraryVersion: Version,
+ BaseURL: fmt.Sprintf("https://fulcio.%s.dev", instance),
+ Timeout: timeout,
 }
 signingOptions.CertificateProvider = sign.NewFulcio(fulcioOpts)
 signingOptions.CertificateProviderOptions = &sign.CertificateProviderOptions{
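Review bot: Dropping `-X main.Version=$(VERSION)` from the build recipes leaves the binaries this Makefile produces (cmd/sigstore-go, conformance and both examples) with no injected version, and whether `debug.ReadBuildInfo()` fills the gap depends on how the rewritten pkg/util/util.go reads it, which is not in view. For a `go build` of the main module from a checkout, `Main.Version` is typically `(devel)`, and sigstore-go only appears under `Deps` when another module consumes it, so the repo's own tools may now send a bare `sigstore-go` User-Agent. Worth verifying with one of these binaries against a local listener before merging, or keeping the ldflag as a fallback for the in-repo commands.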
@@ -148,9 +146,8 @@ func signBundle(withRekor bool) (*protobundle.Bundle, error) {
 if withRekor {
 rekorOpts := &sign.RekorOptions{
- BaseURL: fmt.Sprintf("https://rekor.%s.dev", instance),
- Timeout: timeout,
- LibraryVersion: Version,
+ BaseURL: fmt.Sprintf("https://rekor.%s.dev", instance),
+ Timeout: timeout,
 }
 signingOptions.TransparencyLogs = append(signingOptions.TransparencyLogs, sign.NewRekor(rekorOpts))
 }
@@ -300,7 +297,7 @@ func main() {
 tr := getTrustedRoot(staging)
 verifierConfig := []verify.VerifierOption{}
- verifierConfig = append(verifierConfig, verify.WithVersionString(Version), verify.WithoutAnyObserverTimestampsUnsafe(), verify.WithSignedCertificateTimestamps(1))
+ verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsUnsafe(), verify.WithSignedCertificateTimestamps(1))
 if len(tr.RekorLogs()) > 0 {
 verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 }
@@ -349,7 +346,7 @@ func main() {
 tr := getTrustedRoot(staging)
 verifierConfig := []verify.VerifierOption{}
- verifierConfig = append(verifierConfig, verify.WithVersionString(Version), verify.WithSignedCertificateTimestamps(1))
+ verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
 // Check bundle and trusted root for signed timestamp information
 bundleTimestamps, err := b.Timestamps()
diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
index cd103a3c..21abc587 100644
--- a/cmd/sigstore-go/main.go
+++ b/cmd/sigstore-go/main.go
@@ -37,7 +37,6 @@ import (
 "github.com/sigstore/sigstore-go/pkg/verify"
 )
-var Version string
 var artifact *string
 var artifactDigest *string
 var artifactDigestAlgorithm *string
@@ -105,8 +104,6 @@ func run() error {
 identityPolicies := []verify.PolicyOption{}
 var artifactPolicy verify.ArtifactPolicyOption
- verifierConfig = append(verifierConfig, verify.WithVersionString(Version))
-
 if *requireCTlog {
 verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
 }
@@ -136,7 +133,7 @@ func run() error {
 opts := tuf.DefaultOptions()
 opts.RepositoryBaseURL = *tufRootURL
 fetcher := fetcher.DefaultFetcher{}
- fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent())
 opts.Fetcher = &fetcher
 
 // Load the tuf root.json if provided, if not use public good
diff --git a/examples/sigstore-go-signing/main.go b/examples/sigstore-go-signing/main.go
index dad5c037..6548aa65 100644
--- a/examples/sigstore-go-signing/main.go
+++ b/examples/sigstore-go-signing/main.go
@@ -30,7 +30,6 @@ import (
 "github.com/sigstore/sigstore-go/pkg/util"
 )
 
-var Version string
 var idToken *string
 var intoto *bool
 var tsa *bool
@@ -86,7 +85,7 @@ func main() {
 
 // Get trusted_root.json
 fetcher := fetcher.DefaultFetcher{}
- fetcher.SetHTTPUserAgent(util.ConstructUserAgent(Version))
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent())
 
 tufOptions := &tuf.Options{
 Root: tuf.StagingRoot(),
@@ -115,7 +114,6 @@ func main() {
 BaseURL: "https://fulcio.sigstage.dev",
 Timeout: time.Duration(30 * time.Second),
 Retries: 1,
- LibraryVersion: Version,
 }
 opts.CertificateProvider = sign.NewFulcio(fulcioOpts)
 opts.CertificateProviderOptions = &sign.CertificateProviderOptions{
@@ -128,7 +126,6 @@ func main() {
 URL: "https://timestamp.githubapp.com/api/v1/timestamp",
 Timeout: time.Duration(30 * time.Second),
 Retries: 1,
- LibraryVersion: Version,
 }
 opts.TimestampAuthorities = append(opts.TimestampAuthorities, sign.NewTimestampAuthority(tsaOpts))
 
@@ -141,7 +138,6 @@ func main() {
 BaseURL: "https://rekor.sigstage.dev",
 Timeout: time.Duration(90 * time.Second),
 Retries: 1,
- LibraryVersion: Version,
 }
 opts.TransparencyLogs = append(opts.TransparencyLogs, sign.NewRekor(rekorOpts))
 }
diff --git a/pkg/sign/certificate.go b/pkg/sign/certificate.go
index 9b897101..75ba7a6e 100644
--- a/pkg/sign/certificate.go
+++ b/pkg/sign/certificate.go
@@ -52,8 +52,6 @@ type FulcioOptions struct {
 Timeout time.Duration
 // Optional number of times to retry on HTTP 5XX
 Retries uint
- // Optional version string for user agent
- LibraryVersion string
 // Optional Transport (for dependency injection)
 Transport http.RoundTripper
 }
@@ -171,7 +169,7 @@ func (f *Fulcio) GetCertificate(ctx context.Context, keypair Keypair, opts *Cert
 }
 request.Header.Add("Authorization", "Bearer "+opts.IDToken)
 request.Header.Add("Content-Type", "application/json")
- request.Header.Add("User-Agent", util.ConstructUserAgent(f.options.LibraryVersion))
+ request.Header.Add("User-Agent", util.ConstructUserAgent())
 
 response, err = f.client.Do(request)
 if err != nil {
diff --git a/pkg/sign/timestamping.go b/pkg/sign/timestamping.go
index 5c2b8b58..55f25fa4 100644
--- a/pkg/sign/timestamping.go
+++ b/pkg/sign/timestamping.go
@@ -37,8 +37,6 @@ type TimestampAuthorityOptions struct {
 Timeout time.Duration
 // Optional number of times to retry on HTTP 5XX
 Retries uint
- // Optional version string for user agent
- LibraryVersion string
 // Optional Transport (for dependency injection)
 Transport http.RoundTripper
 }
@@ -85,7 +83,7 @@ func (ta *TimestampAuthority) GetTimestamp(ctx context.Context, signature []byte
 return nil, err
 }
 request.Header.Add("Content-Type", "application/timestamp-query")
- request.Header.Add("User-Agent", util.ConstructUserAgent(ta.options.LibraryVersion))
+ request.Header.Add("User-Agent", util.ConstructUserAgent())
 
 response, err = ta.client.Do(request)
 if err != nil {
diff --git a/pkg/sign/transparency.go b/pkg/sign/transparency.go
index 8f8a1a0f..f8cc1ec5 100644
--- a/pkg/sign/transparency.go
+++ b/pkg/sign/transparency.go
@@ -59,8 +59,6 @@ type RekorOptions struct {
 Timeout time.Duration
 // Optional number of times to retry
 Retries uint
- // Optional version string for user agent
- LibraryVersion string
 // Optional client (for dependency injection)
 Client RekorClient
 }
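Review bot: Dropping the exported `LibraryVersion` field from `FulcioOptions` is a source-breaking change for any consumer that already sets it, and the same applies to `TimestampAuthorityOptions` in timestamping.go and `RekorOptions` in transparency.go in this patch, to the removed `WithVersionString` option in signed_entity.go, and to the narrowed `VerifyArtifactTransparencyLog` signature in tlog.go. If these only appeared earlier in this series and never shipped in a tagged release the removal is harmless; if they have shipped, keeping the field with `// Deprecated: the version is now derived from build info; this value is ignored.` costs nothing and keeps callers compiling. Removing the field also takes away the caller's only hook for shaping what is sent in `User-Agent`, so an embedding application can no longer identify itself, or choose not to disclose the library version, on requests to Fulcio, the TSA and Rekor short of injecting its own `Transport`; that trade-off deserves a sentence in the option docs or changelog either way.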
@@ -128,7 +126,7 @@ func (r *Rekor) GetTransparencyLogEntry(pubKeyPEM []byte, b *protobundle.Bundle)
 params.SetProposedEntry(proposedEntry)
 
 if r.options.Client == nil {
- client, err := client.GetRekorClient(r.options.BaseURL, client.WithUserAgent(util.ConstructUserAgent(r.options.LibraryVersion)), client.WithRetryCount(r.options.Retries))
+ client, err := client.GetRekorClient(r.options.BaseURL, client.WithUserAgent(util.ConstructUserAgent()), client.WithRetryCount(r.options.Retries))
 if err != nil {
 return err
 }
diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go
index 2f37962d..134b2d73 100644
--- a/pkg/tuf/client.go
+++ b/pkg/tuf/client.go
@@ -61,7 +61,7 @@ func New(opts *Options) (*Client, error) {
 c.cfg.Fetcher = opts.Fetcher
 } else {
 fetcher := fetcher.DefaultFetcher{}
- fetcher.SetHTTPUserAgent(util.ConstructUserAgent(""))
+ fetcher.SetHTTPUserAgent(util.ConstructUserAgent())
 c.cfg.Fetcher = &fetcher
 }
 
diff --git a/pkg/util/util.go b/pkg/util/util.go
index 617b1b7d..4ab68528 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -14,11 +14,23 @@
 
 package util
 
-func ConstructUserAgent(version string) string {
+import (
+ "runtime/debug"
+)
+
+func ConstructUserAgent() string {
 userAgent := "sigstore-go"
- if version != "" {
- userAgent += "/"
- userAgent += version
+
+ buildInfo, ok := debug.ReadBuildInfo()
+ if !ok {
+ return userAgent
+ }
+
+ for _, eachDep := range buildInfo.Deps {
+ if eachDep.Path == "github.com/sigstore/sigstore-go" {
+ userAgent += "/"
+ userAgent += eachDep.Version
+ }
 }
 
 return userAgent
diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go
index 90046de5..45bc014d 100644
--- a/pkg/verify/signed_entity.go
+++ b/pkg/verify/signed_entity.go
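Review bot: `ConstructUserAgent` only searches `buildInfo.Deps`, so when this package is compiled as part of its own module — the `cmd/` and `examples/` binaries that this patch also stops stamping with `-X main.Version` in the Makefile — sigstore-go is `buildInfo.Main` rather than a dependency and the header silently degrades to the bare `sigstore-go`. Checking `buildInfo.Main.Path` first and returning on the first match covers both cases; note that for an untagged in-repo build the main-module version is reported as `(devel)` (or a VCS-derived pseudo-version on newer toolchains) rather than the tag the removed `git describe --tags` ldflag used to supply, which is a small loss of fidelity worth a comment. When a consumer uses a `replace` directive the matched entry's `Replace` field, not its `Version`, describes what was actually built; whether that should be reflected in the header is a judgement call, but it should be stated. The function body continues past the hunk (its closing brace is not shown).
```go
func ConstructUserAgent() string {
	userAgent := "sigstore-go"

	buildInfo, ok := debug.ReadBuildInfo()
	if !ok {
		return userAgent
	}

	// In-repo builds (cmd/, examples/) compile sigstore-go as the main module,
	// so it is not listed under Deps; for untagged builds this version is a
	// placeholder such as "(devel)" rather than a release tag.
	if buildInfo.Main.Path == "github.com/sigstore/sigstore-go" && buildInfo.Main.Version != "" {
		return userAgent + "/" + buildInfo.Main.Version
	}

	for _, eachDep := range buildInfo.Deps {
		if eachDep.Path == "github.com/sigstore/sigstore-go" {
			// Version is the required version; a replace directive (eachDep.Replace)
			// may mean a different tree was actually compiled.
			return userAgent + "/" + eachDep.Version
		}
	}

	return userAgent
```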
@@ -70,8 +70,6 @@ type VerifierConfig struct { // nolint: revive
 // rather than a provided signed or log timestamp. Most workflows will
 // not use this option
 weDoNotExpectAnyObserverTimestamps bool
- // optional sigstore-go version to use in user agent for outbound requests
- version string
 }
 
 type VerifierOption func(*VerifierConfig) error
@@ -204,15 +202,6 @@ func WithoutAnyObserverTimestampsUnsafe() VerifierOption {
 }
 }
 
-// WithVersionString is used to optionally specify a specific version of
-// sigstore-go, to use in user agent for outbound requests
-func WithVersionString(version string) VerifierOption {
- return func(c *VerifierConfig) error {
- c.version = version
- return nil
- }
-}
-
 func (c *VerifierConfig) Validate() error {
 if !c.requireObserverTimestamps && !c.weExpectSignedTimestamps && !c.requireIntegratedTimestamps && !c.weDoNotExpectAnyObserverTimestamps {
 return errors.New("when initializing a new SignedEntityVerifier, you must specify at least one of " +
@@ -627,7 +616,7 @@ func (v *SignedEntityVerifier) VerifyTransparencyLogInclusion(entity SignedEntit
 if v.config.weExpectTlogEntries {
 // log timestamps should be verified if with WithIntegratedTimestamps or WithObserverTimestamps is used
 verifiedTlogTimestamps, err := VerifyArtifactTransparencyLog(entity, v.trustedMaterial, v.config.tlogEntriesThreshold,
- v.config.requireIntegratedTimestamps || v.config.requireObserverTimestamps, v.config.performOnlineVerification, v.config.version)
+ v.config.requireIntegratedTimestamps || v.config.requireObserverTimestamps, v.config.performOnlineVerification)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/verify/tlog.go b/pkg/verify/tlog.go
index ff125d26..7cc82751 100644
--- a/pkg/verify/tlog.go
+++ b/pkg/verify/tlog.go
@@ -42,7 +42,7 @@ import (
 // that must be verified.
 //
 // If online is true, the log entry is verified against the Rekor server.
-func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.TrustedMaterial, logThreshold int, trustIntegratedTime, online bool, version string) ([]time.Time, error) { //nolint:revive
+func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.TrustedMaterial, logThreshold int, trustIntegratedTime, online bool) ([]time.Time, error) { //nolint:revive
 entries, err := entity.TlogEntries()
 if err != nil {
 return nil, err
@@ -121,7 +121,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
 continue
 }
 
- client, err := getRekorClient(tlogVerifier.BaseURL, version)
+ client, err := getRekorClient(tlogVerifier.BaseURL)
 if err != nil {
 return nil, err
 }
@@ -199,8 +199,8 @@ func getVerifier(publicKey crypto.PublicKey, hashFunc crypto.Hash) (*signature.V
 return &verifier, nil
 }
 
-func getRekorClient(baseURL, version string) (*rekorGeneratedClient.Rekor, error) {
- client, err := rekorClient.GetRekorClient(baseURL, rekorClient.WithUserAgent(util.ConstructUserAgent(version)))
+func getRekorClient(baseURL string) (*rekorGeneratedClient.Rekor, error) {
+ client, err := rekorClient.GetRekorClient(baseURL, rekorClient.WithUserAgent(util.ConstructUserAgent()))
 if err != nil {
 return nil, err
 }
diff --git a/pkg/verify/tlog_test.go b/pkg/verify/tlog_test.go
index ae708712..3ff4845c 100644
--- a/pkg/verify/tlog_test.go
+++ b/pkg/verify/tlog_test.go
@@ -36,12 +36,12 @@ func TestTlogVerifier(t *testing.T) {
 assert.NoError(t, err)
 
 var ts []time.Time
- ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false, "")
+ ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false)
 assert.NoError(t, err)
 // 1 verified timestamp
 assert.Len(t, ts, 1)
 
- ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, false, false, "")
+ ts, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, false, false)
 assert.NoError(t, err)
 // 0 verified timestamps, since integrated timestamps are ignored
 assert.Len(t, ts, 0)
@@ -49,7 +49,7 @@ func TestTlogVerifier(t *testing.T) {
 virtualSigstore2, err := ca.NewVirtualSigstore()
 assert.NoError(t, err)
 
- _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore2, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore2, 1, true, false)
 assert.Error(t, err) // different sigstore instance should fail to verify
 
 // Attempt to use tlog with integrated time outside certificate validity.
@@ -59,7 +59,7 @@ func TestTlogVerifier(t *testing.T) {
 entity, err = virtualSigstore.AttestAtTime("foo@fighters.com", "issuer", statement, time.Now().Add(30*time.Minute))
 assert.NoError(t, err)
 
- _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(entity, virtualSigstore, 1, true, false)
 assert.Error(t, err)
 }
 
@@ -96,11 +96,11 @@ func TestIgnoredTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 
 // success: entry that cannot be verified is ignored
- _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 1, true, false)
 assert.NoError(t, err)
 
 // failure: threshold of 2 is not met since 1 untrusted entry is ignored
- _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 2, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(&oneTrustedOneUntrustedLogEntry{entity, untrustedEntity}, virtualSigstore, 2, true, false)
 assert.Error(t, err)
 }
 
@@ -138,7 +138,7 @@ func TestInvalidTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 
 // failure: threshold of 1 is not met with invalid entry
- _, err = verify.VerifyArtifactTransparencyLog(&invalidTLogEntity{entity}, virtualSigstore, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(&invalidTLogEntity{entity}, virtualSigstore, 1, true, false)
 assert.Error(t, err)
 if err.Error() != "entry must contain an inclusion proof and/or promise" {
 t.Errorf("expected error with missing proof/promises, got: %v", err.Error())
@@ -162,7 +162,7 @@ func TestNoTLogEntries(t *testing.T) {
 assert.NoError(t, err)
 
 // failure: threshold of 1 is not met with no entries
- _, err = verify.VerifyArtifactTransparencyLog(&noTLogEntity{entity}, virtualSigstore, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(&noTLogEntity{entity}, virtualSigstore, 1, true, false)
 assert.Error(t, err)
 if !strings.Contains(err.Error(), "not enough verified log entries from transparency log") {
 t.Errorf("expected error with timestamp threshold, got: %v", err.Error())
@@ -190,6 +190,6 @@ func TestDuplicateTlogEntries(t *testing.T) {
 entity, err := virtualSigstore.Attest("foofighters@example.com", "issuer", statement)
 assert.NoError(t, err)
 
- _, err = verify.VerifyArtifactTransparencyLog(&dupTlogEntity{entity}, virtualSigstore, 1, true, false, "")
+ _, err = verify.VerifyArtifactTransparencyLog(&dupTlogEntity{entity}, virtualSigstore, 1, true, false)
 assert.Error(t, err) // duplicate tlog entries should fail to verify
 }