Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add cosign registry opts for provenance registry #729

Merged
merged 4 commits into from
Jan 4, 2024
Merged

feat: Add cosign registry opts for provenance registry #729

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5e0005e
Add cosign registry opts for provenance registry
saisatishkarra Jan 3, 2024
12ad726
Add provenance target repository doc
saisatishkarra Jan 3, 2024
f426176
Remove the optional READM section
laurentsimon Jan 4, 2024
5c37020
Merge branch 'main' into feat/provenance-registry-co-opts
laurentsimon Jan 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 22 additions & 4 deletions verifiers/internal/gha/verifier.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ import (
"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils/container"

ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
)

const VerifierName = "GHA"
Expand Down Expand Up @@ -252,11 +254,27 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
if err != nil {
return nil, nil, err
}

// Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
}

registryClientOpts := []ociremote.Option{}

// Append target repository to OCI Registry opts
// Must be authenticated against the specified target repository externally
if provenanceTargetRepository.Name() != "" {
registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
}

opts := &cosign.CheckOpts{
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
RegistryClientOpts: registryClientOpts,
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
}
atts, _, err := container.RunCosignImageVerification(ctx,
artifactImage, opts)
Expand Down
Loading