From 5e0005e47528d1a63fd92fe84f57b50ee2902e58 Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Tue, 2 Jan 2024 18:42:59 -0600
Subject: [PATCH 1/3] Add cosign registry opts for provenance registry triggered on specification of COSIGN_REPOSITORY env

Signed-off-by: saisatishkarra
---
 verifiers/internal/gha/verifier.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index bd0082278..62b0cb1cf 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -19,6 +19,8 @@ import (
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils/container"
+
+ ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 )

 const VerifierName = "GHA"
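Review bot: The new `ociremote` import is placed in its own group below the project imports, whereas goimports would sort it into the third-party group (`github.com/sigstore/...` orders before `github.com/slsa-framework/...`); the `cosign` import that `cosign.CheckOpts` in the next hunk relies on is not visible here but presumably lives in that group. Moving `ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"` next to that existing cosign import keeps the file gofmt/goimports-clean and avoids a later whitespace-only diff.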
@@ -252,11 +254,27 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 if err != nil {
 return nil, nil, err
 }
+
+ // Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
+ provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
+ if err != nil {
+ return nil, nil, err
+ }
+
+ registryClientOpts := []ociremote.Option{}
+
+ // Append target repository to OCI Registry opts
+ // Must be authenticated against the specified target repository externally
+ if provenanceTargetRepository.Name() != "" {
+ registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
+ }
+
 opts := &cosign.CheckOpts{
- RootCerts: trustedRoot.FulcioRoot,
- IntermediateCerts: trustedRoot.FulcioIntermediates,
- RekorPubKeys: trustedRoot.RekorPubKeys,
- CTLogPubKeys: trustedRoot.CTPubKeys,
+ RegistryClientOpts: registryClientOpts,
+ RootCerts: trustedRoot.FulcioRoot,
+ IntermediateCerts: trustedRoot.FulcioIntermediates,
+ RekorPubKeys: trustedRoot.RekorPubKeys,
+ CTLogPubKeys: trustedRoot.CTPubKeys,
 }

 atts, _, err := container.RunCosignImageVerification(ctx, artifactImage, opts)

From 12ad7267e936af08ae11dae006d3826b6dd75005 Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Wed, 3 Jan 2024 09:45:50 -0600
Subject: [PATCH 2/3] Add provenance target repository doc

Signed-off-by: saisatishkarra
---
 README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/README.md b/README.md
index 1d654341a..59dad17db 100644
--- a/README.md
+++ b/README.md
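Review bot: Once `WithTargetRepository` is appended, cosign resolves the digest of `artifactImage` but fetches attestations from whatever `COSIGN_REPOSITORY` names, so the only thing left binding a returned attestation to this image is the subject-digest comparison that must happen downstream on `atts` — outside this hunk — and nothing at the append site records that dependency. I would state the invariant where the option is added, e.g. `// Attestations fetched from the override repository are tied to artifactImage only by the subject-digest check performed on atts below; that check must not be dropped.` The redirect is also silent: if `COSIGN_REPOSITORY` is set in the caller's environment for an unrelated reason (say, a cosign signing step in the same job), verification will look in a different repository and any "no attestations found" failure presumably will not say so, so logging the chosen repository or naming it in the error returned from `RunCosignImageVerification` would make that failure mode diagnosable. Minor style: `var registryClientOpts []ociremote.Option` is the idiomatic empty slice here, since `append` on nil is fine and cosign only ranges over it. VerifyImage begins and ends outside this hunk.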
@@ -274,6 +274,29 @@ Get the digest for your container _without_ pulling it using the [crane](https:/ IMAGE="${IMAGE}@"$(crane digest "${IMAGE}") ``` +**Optional:** + +Refer [Specifying a provenance target repository](https://docs.sigstore.dev/system_config/registry_support/#specifying-registry) when stored separately: + +- Make sure to authenticate against the provenance target repository + +- _Defaults_ when **NOT** specified: + + **_registry_**: `index.docker.io` + + **_namespace_**: `library` + + **_provenance-target-repository_**: **Required** + +- Run the below to set provenance target repository + ```shell + export COSIGN_REPOSITORY=// + ``` + + + + + To verify a container image, run the following command. Note that to use `ghcr.io` you need to set the `GH_TOKEN` environment variable as well. ```shell From f426176e91be3997ac98e8ee0c67e70cdba6a936 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:28:10 -0800 Subject: [PATCH 3/3] Remove the optional READM section Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/README.md b/README.md index 59dad17db..1d654341a 100644 --- a/README.md +++ b/README.md 
@@ -274,29 +274,6 @@ Get the digest for your container _without_ pulling it using the [crane](https:/ IMAGE="${IMAGE}@"$(crane digest "${IMAGE}") ``` -**Optional:** - -Refer [Specifying a provenance target repository](https://docs.sigstore.dev/system_config/registry_support/#specifying-registry) when stored separately: - -- Make sure to authenticate against the provenance target repository - -- _Defaults_ when **NOT** specified: - - **_registry_**: `index.docker.io` - - **_namespace_**: `library` - - **_provenance-target-repository_**: **Required** - -- Run the below to set provenance target repository - ```shell - export COSIGN_REPOSITORY=// - ``` - - - - - To verify a container image, run the following command. Note that to use `ghcr.io` you need to set the `GH_TOKEN` environment variable as well. ```shell