diff --git a/cli/slsa-verifier/verify.go b/cli/slsa-verifier/verify.go
index 7d5a95be5..fcaaaf870 100644
--- a/cli/slsa-verifier/verify.go
+++ b/cli/slsa-verifier/verify.go
@@ -96,6 +96,9 @@ func verifyImageCmd() *cobra.Command {
 			if cmd.Flags().Changed("provenance-path") {
 				v.ProvenancePath = &o.ProvenancePath
 			}
+			if cmd.Flags().Changed("provenance-repository") {
+				v.ProvenanceRepository = &o.ProvenanceRepository
+			}
 			if cmd.Flags().Changed("source-branch") {
 				v.SourceBranch = &o.SourceBranch
 			}
diff --git a/cli/slsa-verifier/verify/options.go b/cli/slsa-verifier/verify/options.go
index c21e3fcc4..daac23634 100644
--- a/cli/slsa-verifier/verify/options.go
+++ b/cli/slsa-verifier/verify/options.go
@@ -38,8 +38,9 @@ type VerifyOptions struct {
 	BuildWorkflowInputs workflowInputs
 	BuilderID           string
 	/* Other */
-	ProvenancePath  string
-	PrintProvenance bool
+	ProvenancePath       string
+	ProvenanceRepository string
+	PrintProvenance      bool
 }
 
 var _ Interface = (*VerifyOptions)(nil)
@@ -66,6 +67,9 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 	/* Other options */
 	cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
 		"path to a provenance file")
+	/* Other options */
+	cmd.Flags().StringVar(&o.ProvenanceRepository, "provenance-repository", "",
+		"image repository for provenance. Format: /")
 	cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
 		"[optional] print the verified provenance to stdout")
diff --git a/cli/slsa-verifier/verify/verify_image.go b/cli/slsa-verifier/verify/verify_image.go
index 9bf8c50e3..8785edeb0 100644
--- a/cli/slsa-verifier/verify/verify_image.go
+++ b/cli/slsa-verifier/verify/verify_image.go
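Review bot: The help text of the new `--provenance-repository` flag in AddFlags reads `Format: /` in the hunk, so the expected shape of the value is not spelled out (ignore this if the placeholder was stripped in rendering), and unlike the neighbouring `--print-provenance` help it is not marked `[optional]` although the flag defaults to empty. The `/* Other options */` comment is also repeated three lines after its first occurrence and can be dropped. I would use `"[optional] image repository to fetch the provenance attestation from, e.g. <registry>/<repository>; takes precedence over COSIGN_REPOSITORY"`, since the precedence over the environment variable is what the GHA verifier change in this commit implements. AddFlags continues outside the hunk.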
@@ -30,14 +30,15 @@ type ComputeDigestFn func(string) (string, error)
 // Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
 type VerifyImageCommand struct {
 	// May be nil if supplied alongside in the registry
-	ProvenancePath      *string
-	BuilderID           *string
-	SourceURI           string
-	SourceBranch        *string
-	SourceTag           *string
-	SourceVersionTag    *string
-	BuildWorkflowInputs map[string]string
-	PrintProvenance     bool
+	ProvenancePath       *string
+	ProvenanceRepository *string
+	BuilderID            *string
+	SourceURI            string
+	SourceBranch         *string
+	SourceTag            *string
+	SourceVersionTag     *string
+	BuildWorkflowInputs  map[string]string
+	PrintProvenance      bool
 }
 
 func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*utils.TrustedBuilderID, error) {
@@ -70,7 +71,12 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
 		}
 	}
 
-	verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
+	var provenanceRepository string
+	if c.ProvenanceRepository != nil {
+		provenanceRepository = *c.ProvenanceRepository
+	}
+
+	verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceRepository, provenanceOpts, builderOpts)
 	if err != nil {
 		return nil, err
 	}
diff --git a/register/register.go b/register/register.go
index 787bb1f3c..adbd8599f 100644
--- a/register/register.go
+++ b/register/register.go
@@ -24,8 +24,8 @@ type SLSAVerifier interface {
 
 	// VerifyImage verifies a provenance for a supplied OCI image.
 	VerifyImage(ctx context.Context,
-		provenance []byte, artifactImage string,
-		provenanceOpts *options.ProvenanceOpts,
+		provenance []byte, provenanceRepository string,
+		artifactImage string, provenanceOpts *options.ProvenanceOpts,
 		builderOpts *options.BuilderOpts,
 	) ([]byte, *utils.TrustedBuilderID, error)
 
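Review bot: The SLSAVerifier.VerifyImage doc comment in register.go is not updated for the new `provenanceRepository` parameter, and the interface now takes it before `artifactImage` while the package-level `verifiers.VerifyImage` changed in this same commit takes `artifactImage` first and `provenanceRepository` third; two adjacent untyped-looking `string` parameters in different orders across the two entry points make a silent swap at a call site easy and the compiler will not catch it. I would extend the comment with `// provenanceRepository, when non-empty, names the OCI repository the provenance attestation is fetched from; empty means the verifier's default lookup (for GHA, COSIGN_REPOSITORY).` and consider giving the interface the same parameter order as verifiers.VerifyImage, or a dedicated type for the repository. The interface declaration continues outside the hunk.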
diff --git a/verifiers/internal/gcb/verifier.go b/verifiers/internal/gcb/verifier.go
index 511065009..abff5cea0 100644
--- a/verifiers/internal/gcb/verifier.go
+++ b/verifiers/internal/gcb/verifier.go
@@ -50,8 +50,8 @@ func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context,
 
 // VerifyImage verifies provenance for an OCI image.
 func (v *GCBVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, artifactImage string,
-	provenanceOpts *options.ProvenanceOpts,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	prov, err := ProvenanceFromBytes(provenance)
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index 62b0cb1cf..ed66d9809 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/rekor/pkg/client"
@@ -245,8 +246,8 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
 
 // VerifyImage verifies provenance for an OCI image.
 func (v *GHAVerifier) VerifyImage(ctx context.Context,
-	provenance []byte, artifactImage string,
-	provenanceOpts *options.ProvenanceOpts,
+	provenance []byte, provenanceRepository string,
+	artifactImage string, provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
 	/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
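Review bot: GCBVerifier.VerifyImage now accepts `provenanceRepository` but, as far as this hunk shows, never reads it — the body proceeds straight to `ProvenanceFromBytes(provenance)` — so a caller who passes `--provenance-repository` together with a GCB builder gets neither an error nor the lookup they asked for, and may believe the provenance came from that repository. If GCB verification only ever uses the provenance bytes handed in, I would reject the option explicitly at the top of the body, `if provenanceRepository != "" { return nil, nil, fmt.Errorf("provenance repository is not supported for GCB: %q", provenanceRepository) }` (assuming fmt is available in this file), or at minimum state it in the doc comment: `// provenanceRepository is ignored: GCB verification uses only the provenance bytes supplied by the caller.` The function body continues outside the hunk.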
@@ -255,10 +256,19 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 		return nil, nil, err
 	}
 
-	// Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
-	provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
-	if err != nil {
-		return nil, nil, err
+	var provenanceTargetRepository name.Repository
+	// Consume input for --provenance-repository when set
+	if provenanceRepository != "" {
+		provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
+		provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 
 	registryClientOpts := []ociremote.Option{}
diff --git a/verifiers/verifier.go b/verifiers/verifier.go
index 745523d09..2256a5630 100644
--- a/verifiers/verifier.go
+++ b/verifiers/verifier.go
@@ -37,6 +37,7 @@ func getVerifier(builderOpts *options.BuilderOpts) (register.SLSAVerifier, error
 
 func VerifyImage(ctx context.Context, artifactImage string,
 	provenance []byte,
+	provenanceRepository string,
 	provenanceOpts *options.ProvenanceOpts,
 	builderOpts *options.BuilderOpts,
 ) ([]byte, *utils.TrustedBuilderID, error) {
@@ -44,7 +45,7 @@ func VerifyImage(ctx context.Context, artifactImage string,
 	if err != nil {
 		return nil, nil, err
 	}
-	return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
+	return verifier.VerifyImage(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
 }
 
 func VerifyArtifact(ctx context.Context,
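Review bot: `name.NewRepository(provenanceRepository)` in the new branch of GHAVerifier.VerifyImage is called with default options, and go-containerregistry's defaults fill in a missing registry with Docker Hub, so a value like `myorg/provenance` resolves to index.docker.io instead of failing; the attestations found there still have to pass signature verification, but the lookup silently goes to a registry the user never named and the eventual "no attestations" failure is hard to diagnose. If the flag is meant to take a fully qualified repository, pass `name.StrictValidation` so incomplete input is rejected up front: `provenanceTargetRepository, err = name.NewRepository(provenanceRepository, name.StrictValidation)`. The else branch preserves the previous COSIGN_REPOSITORY behaviour, so the precedence of the flag over the environment variable is worth stating in the function's doc comment as well. VerifyImage continues outside the hunk.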