add input for --provenance-repository while image verification

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
slsa-framework · Jan 15, 2024 · 107f4e9 · 107f4e9
1 parent f09d99f
commit 107f4e9
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 22 deletions.
diff --git a/cli/slsa-verifier/verify.go b/cli/slsa-verifier/verify.go
@@ -96,6 +96,9 @@ func verifyImageCmd() *cobra.Command {
 			if cmd.Flags().Changed("provenance-path") {
 				v.ProvenancePath = &o.ProvenancePath
 			}
+			if cmd.Flags().Changed("provenance-repository") {
+				v.ProvenanceRepository = &o.ProvenanceRepository
+			}
 			if cmd.Flags().Changed("source-branch") {
 				v.SourceBranch = &o.SourceBranch
 			}

diff --git a/cli/slsa-verifier/verify/options.go b/cli/slsa-verifier/verify/options.go
@@ -38,8 +38,9 @@ type VerifyOptions struct {
 	BuildWorkflowInputs workflowInputs
 	BuilderID           string
 	/* Other */
-	ProvenancePath  string
-	PrintProvenance bool
+	ProvenancePath       string
+	ProvenanceRepository string
+	PrintProvenance      bool
 }
 
 var _ Interface = (*VerifyOptions)(nil)
@@ -66,6 +67,9 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 	/* Other options */
 	cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
 		"path to a provenance file")
+	/* Other options */
+	cmd.Flags().StringVar(&o.ProvenanceRepository, "provenance-repository", "",
+		"image repository for provenance. Format: <registry>/<repository>")
 
 	cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
 		"[optional] print the verified provenance to stdout")

diff --git a/cli/slsa-verifier/verify/verify_image.go b/cli/slsa-verifier/verify/verify_image.go
@@ -30,14 +30,15 @@ type ComputeDigestFn func(string) (string, error)
 // Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
 type VerifyImageCommand struct {
 	// May be nil if supplied alongside in the registry
-	ProvenancePath      *string
-	BuilderID           *string
-	SourceURI           string
-	SourceBranch        *string
-	SourceTag           *string
-	SourceVersionTag    *string
-	BuildWorkflowInputs map[string]string
-	PrintProvenance     bool
+	ProvenancePath       *string
+	ProvenanceRepository *string
+	BuilderID            *string
+	SourceURI            string
+	SourceBranch         *string
+	SourceTag            *string
+	SourceVersionTag     *string
+	BuildWorkflowInputs  map[string]string
+	PrintProvenance      bool
 }
 
 func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*utils.TrustedBuilderID, error) {
@@ -70,7 +71,12 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
 		}
 	}
 
-	verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
+	var provenanceRepository string
+	if c.ProvenanceRepository != nil {
+		provenanceRepository = *c.ProvenanceRepository
+	}
+
+	verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceRepository, provenanceOpts, builderOpts)
 	if err != nil {
 		return nil, err
 	}

diff --git a/register/register.go b/register/register.go
@@ -24,8 +24,8 @@ type SLSAVerifier interface {
 
 	// VerifyImage verifies a provenance for a supplied OCI image.
 	VerifyImage(ctx context.Context,
-		provenance []byte, artifactImage string,
-		provenanceOpts *options.ProvenanceOpts,
+		provenance []byte, provenanceRepository string,
+		artifactImage string, provenanceOpts *options.ProvenanceOpts,
 		builderOpts *options.BuilderOpts,
 	) ([]byte, *utils.TrustedBuilderID, error)
 

diff --git a/verifiers/internal/gcb/verifier.go b/verifiers/internal/gcb/verifier.go
@@ -50,8 +50,8 @@ func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context,
 
 // VerifyImage verifies provenance for an OCI image.
 func (v *GCBVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, artifactImage string,
-	provenanceOpts *options.ProvenanceOpts,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	prov, err := ProvenanceFromBytes(provenance)

diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/rekor/pkg/client"
@@ -245,8 +246,8 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
 
 // VerifyImage verifies provenance for an OCI image.
 func (v *GHAVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, artifactImage string,
-	provenanceOpts *options.ProvenanceOpts,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
@@ -255,10 +256,19 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 		return nil, nil, err
 	}
 
-	// Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
-	provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
-	if err != nil {
-		return nil, nil, err
+	var provenanceTargetRepository name.Repository
+	// Consume input for --provenance-repository when set
+	if provenanceRepository != "" {
+		provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
+		provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 
 	registryClientOpts := []ociremote.Option{}

diff --git a/verifiers/verifier.go b/verifiers/verifier.go
@@ -37,14 +37,15 @@ func getVerifier(builderOpts *options.BuilderOpts) (register.SLSAVerifier, error
 
 func VerifyImage(ctx context.Context, artifactImage string,
 	provenance []byte,
+	provenanceRepository string,
 	provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	verifier, err := getVerifier(builderOpts)
 	if err != nil {
 		return nil, nil, err
 	}
-	return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
+	return verifier.VerifyImage(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
 }
 
 func VerifyArtifact(ctx context.Context,