diff --git a/go.mod b/go.mod
index 45b0d305..f784e021 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,6 @@ require (
 github.com/google/go-containerregistry v0.19.2
 github.com/google/uuid v1.6.0
 github.com/sebdah/goldie/v2 v2.5.3
- github.com/secure-systems-lab/go-securesystemslib v0.8.0
 github.com/sigstore/sigstore v1.8.4
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
@@ -20,6 +19,7 @@ require (
 github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 github.com/sergi/go-diff v1.2.0 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 golang.org/x/crypto v0.23.0 // indirect
diff --git a/pkg/integrity/dsse.go b/pkg/integrity/dsse.go
index a566433f..8a32dc2d 100644
--- a/pkg/integrity/dsse.go
+++ b/pkg/integrity/dsse.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022-2023, Sylabs Inc. All rights reserved.
+// Copyright (c) 2022-2024, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
 // distributed with the sources of this project regarding your rights to use or distribute this
 // software.
@@ -9,27 +9,39 @@ import ( "bytes" "context" "crypto" + "encoding/base64" "encoding/json" "errors" "fmt" "io" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/dsse" "github.com/sigstore/sigstore/pkg/signature/options" ) const metadataMediaType = "application/vnd.sylabs.sif-metadata+json" type dsseEncoder struct { - es *dsse.EnvelopeSigner - h crypto.Hash - payloadType string + ss []signature.Signer + opts []signature.SignOption } // newDSSEEncoder returns an encoder that signs messages in DSSE format according to opts, with key // material from ss. SHA256 is used as the hash algorithm, unless overridden by opts. -func newDSSEEncoder(ss []signature.Signer, opts ...signature.SignOption) (*dsseEncoder, error) { +func newDSSEEncoder(ss []signature.Signer, opts ...signature.SignOption) *dsseEncoder { + return &dsseEncoder{ + ss: ss, + opts: opts, + } +} + +// signMessage signs the message from r in DSSE format, and writes the result to w. On success, the +// hash function is returned. +func (en *dsseEncoder) signMessage(ctx context.Context, w io.Writer, r io.Reader) (crypto.Hash, error) { + opts := en.opts + opts = append(opts, options.WithContext(ctx)) + var so crypto.SignerOpts for _, opt := range opts { opt.ApplyCryptoSignerOpts(&so) 
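Review bot: `opts := en.opts` followed by `opts = append(opts, options.WithContext(ctx))` in signMessage appends onto the slice stored in the encoder; newDSSEEncoder stores the caller's variadic slice without copying, so whenever that slice has spare capacity the append writes into a backing array shared with the caller and with every other signMessage call on the same encoder, and two concurrent calls (or a caller that later appends to the slice it passed in) can observe each other's context option. Build a private copy instead: `opts := make([]signature.SignOption, 0, len(en.opts)+2)` then `opts = append(opts, en.opts...)` and `opts = append(opts, options.WithContext(ctx))`; alternatively copy in newDSSEEncoder so the stored slice is never shared with the caller. signMessage continues past the end of this hunk (the SignerOpts loop and the WithCryptoSignerOpts append are in the next hunk).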
@@ -41,57 +53,25 @@ func newDSSEEncoder(ss []signature.Signer, opts ...signature.SignOption) (*dsseE opts = append(opts, options.WithCryptoSignerOpts(so)) } - dss := make([]dsse.Signer, 0, len(ss)) - for _, s := range ss { - ds, err := newDSSESigner(s, opts...) - if err != nil { - return nil, err - } - - dss = append(dss, ds) - } - - es, err := dsse.NewEnvelopeSigner(dss...) - if err != nil { - return nil, err - } - - return &dsseEncoder{ - es: es, - h: so.HashFunc(), - payloadType: metadataMediaType, - }, nil -} - -// signMessage signs the message from r in DSSE format, and writes the result to w. On success, the -// hash function is returned. -func (en *dsseEncoder) signMessage(ctx context.Context, w io.Writer, r io.Reader) (crypto.Hash, error) { - body, err := io.ReadAll(r) - if err != nil { - return 0, err - } - - e, err := en.es.SignPayload(ctx, en.payloadType, body) + s := dsse.WrapMultiSigner(metadataMediaType, en.ss...) + b, err := s.SignMessage(r, opts...) if err != nil { return 0, err } - return en.h, json.NewEncoder(w).Encode(e) + _, err = w.Write(b) + return so.HashFunc(), err } type dsseDecoder struct { - vs []signature.Verifier - threshold int - payloadType string + vs []signature.Verifier } // newDSSEDecoder returns a decoder that verifies messages in DSSE format using key material from // vs. func newDSSEDecoder(vs ...signature.Verifier) *dsseDecoder { return &dsseDecoder{ - vs: vs, - threshold: 1, // Envelope considered verified if at least one verifier succeeds. - payloadType: metadataMediaType, + vs: vs, } } 
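Review bot: signMessage now ends with `_, err = w.Write(b)` and `return so.HashFunc(), err`, handing back a meaningful hash next to a non-nil error, whereas every other error path in the function returns `0, err`. Make the write failure explicit and keep the result pair consistent: `if _, err := w.Write(b); err != nil { return 0, err }` followed by `return so.HashFunc(), nil`. The opening of signMessage, including the loop that fills `so`, sits in the previous hunk, so whether `so` can still be nil when `HashFunc()` is reached is not visible here; newDSSEEncoder's doc comment promises a SHA256 default, so I assume it is applied in the lines between the two hunks.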
@@ -103,112 +83,78 @@ var ( // verifyMessage reads a message from r, verifies its signature(s), and returns the message // contents. On success, the accepted public keys are set in vr. func (de *dsseDecoder) verifyMessage(ctx context.Context, r io.Reader, h crypto.Hash, vr *VerifyResult) ([]byte, error) { //nolint:lll - vs := make([]dsse.Verifier, 0, len(de.vs)) + // Wrap the verifiers so we can accumulate the accepted public keys. + vs := make([]signature.Verifier, 0, len(de.vs)) for _, v := range de.vs { - dv, err := newDSSEVerifier(v, options.WithCryptoSignerOpts(h)) - if err != nil { - return nil, err - } - - vs = append(vs, dv) + vs = append(vs, wrappedVerifier{ + Verifier: v, + keys: &vr.keys, + }) } - v, err := dsse.NewMultiEnvelopeVerifier(de.threshold, vs...) + raw, err := io.ReadAll(r) if err != nil { return nil, err } - var e dsse.Envelope - if err := json.NewDecoder(r).Decode(&e); err != nil { - return nil, err - } + v := dsse.WrapMultiVerifier(metadataMediaType, 1, vs...) - vr.aks, err = v.Verify(ctx, &e) - if err != nil { + if err := v.VerifySignature(bytes.NewReader(raw), nil, options.WithContext(ctx), options.WithHash(h)); err != nil { return nil, fmt.Errorf("%w: %w", errDSSEVerifyEnvelopeFailed, err) } - if e.PayloadType != de.payloadType { - return nil, fmt.Errorf("%w: %v", errDSSEUnexpectedPayloadType, e.PayloadType) - } - - return e.DecodeB64Payload() -} - -type dsseSigner struct { - s signature.Signer - opts []signature.SignOption - pub crypto.PublicKey -} - -// newDSSESigner returns a dsse.Signer that uses s to sign according to opts. -func newDSSESigner(s signature.Signer, opts ...signature.SignOption) (*dsseSigner, error) { - pub, err := s.PublicKey() - if err != nil { + var e dsseEnvelope + if err := json.Unmarshal(raw, &e); err != nil { return nil, err } - return &dsseSigner{ - s: s, - opts: opts, - pub: pub, - }, nil -} - -// Sign signs the supplied data. 
-func (s *dsseSigner) Sign(ctx context.Context, data []byte) ([]byte, error) { - opts := s.opts - opts = append(opts, options.WithContext(ctx)) + if e.PayloadType != metadataMediaType { + return nil, fmt.Errorf("%w: %v", errDSSEUnexpectedPayloadType, e.PayloadType) + } - return s.s.SignMessage(bytes.NewReader(data), opts...) + return e.DecodedPayload() } -// KeyID returns the key ID associated with s. -func (s dsseSigner) KeyID() (string, error) { - return dsse.SHA256KeyID(s.pub) +type wrappedVerifier struct { + signature.Verifier + keys *[]crypto.PublicKey } -type dsseVerifier struct { - v signature.Verifier - opts []signature.VerifyOption - pub crypto.PublicKey -} +func (wv wrappedVerifier) VerifySignature(signature, message io.Reader, opts ...signature.VerifyOption) error { + err := wv.Verifier.VerifySignature(signature, message, opts...) + if err == nil { + pub, err := wv.Verifier.PublicKey() + if err != nil { + return err + } -// newDSSEVerifier returns a dsse.Verifier that uses v to verify according to opts. -func newDSSEVerifier(v signature.Verifier, opts ...signature.VerifyOption) (*dsseVerifier, error) { - pub, err := v.PublicKey() - if err != nil { - return nil, err + *wv.keys = append(*wv.keys, pub) } - - return &dsseVerifier{ - v: v, - opts: opts, - pub: pub, - }, nil -} - -// Verify verifies that sig is a valid signature of data. -func (v *dsseVerifier) Verify(ctx context.Context, data, sig []byte) error { - opts := v.opts - opts = append(opts, options.WithContext(ctx)) - - return v.v.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data), opts...) + return err } -// Public returns the public key associated with v. -func (v *dsseVerifier) Public() crypto.PublicKey { - return v.pub +// dsseEnvelope describes a DSSE envelope. 
+type dsseEnvelope struct { + PayloadType string `json:"payloadType"` + Payload string `json:"payload"` + Signatures []struct { + KeyID string `json:"keyid"` + Sig string `json:"sig"` + } `json:"signatures"` } -// KeyID returns the key ID associated with v. -func (v *dsseVerifier) KeyID() (string, error) { - return dsse.SHA256KeyID(v.pub) +// DecodedPayload returns the decoded payload from envelope e. +func (e *dsseEnvelope) DecodedPayload() ([]byte, error) { + b, err := base64.StdEncoding.DecodeString(e.Payload) + if err != nil { + return base64.URLEncoding.DecodeString(e.Payload) + } + return b, nil } // isDSSESignature returns true if r contains a signature in a DSSE envelope. func isDSSESignature(r io.Reader) bool { - var e dsse.Envelope + var e dsseEnvelope if err := json.NewDecoder(r).Decode(&e); err != nil { return false } diff --git a/pkg/integrity/dsse_test.go b/pkg/integrity/dsse_test.go index fe61f364..ec1cbb14 100644 --- a/pkg/integrity/dsse_test.go +++ b/pkg/integrity/dsse_test.go @@ -17,8 +17,8 @@ import ( "testing" "github.com/sebdah/goldie/v2" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/sigstore/pkg/signature" + "github.com/sigstore/sigstore/pkg/signature/dsse" "github.com/sigstore/sigstore/pkg/signature/options" ) @@ -81,10 +81,7 @@ func Test_dsseEncoder_signMessage(t *testing.T) { t.Run(tt.name, func(t *testing.T) { b := bytes.Buffer{} - en, err := newDSSEEncoder(tt.signers, tt.signOpts...) - if err != nil { - t.Fatal(err) - } + en := newDSSEEncoder(tt.signers, tt.signOpts...) ht, err := en.signMessage(context.Background(), &b, strings.NewReader(testMessage)) if got, want := err, tt.wantErr; (got != nil) != want { 
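Review bot: In verifyMessage the accepted keys are written straight into `vr.keys` by wrappedVerifier.VerifySignature as a side effect of each successful per-signature check, so they are already recorded when the function subsequently fails on `json.Unmarshal(raw, &e)` or on the payload-type mismatch, and the same key is appended once per signature it matches (the Multi golden file in this commit carries two signatures under one keyid), which the removed AcceptedKey path de-duplicated by key ID as far as I recall. Accumulate into a local slice, assign it to `vr.keys` only after the final check passes, and consider de-duplicating before the assignment (the standard public key types provide an Equal method). The parameter named `signature` in wrappedVerifier.VerifySignature also shadows the imported `signature` package for the whole method body; renaming it `sig` avoids that. The threshold explanation that was dropped from dsseDecoder is worth restoring at the call site: `v := dsse.WrapMultiVerifier(metadataMediaType, 1, vs...) // accepted if at least one verifier succeeds`. The `var (` block this hunk's header refers to starts outside the hunk.
```go
func (de *dsseDecoder) verifyMessage(ctx context.Context, r io.Reader, h crypto.Hash, vr *VerifyResult) ([]byte, error) { //nolint:lll
	// Collect accepted keys locally; vr.keys is only set once the envelope is fully accepted.
	var accepted []crypto.PublicKey
	vs := make([]signature.Verifier, 0, len(de.vs))
	for _, v := range de.vs {
		vs = append(vs, wrappedVerifier{
			Verifier: v,
			keys:     &accepted,
		})
	}

	// … unchanged: io.ReadAll, WrapMultiVerifier/VerifySignature, json.Unmarshal, payload type check …

	vr.keys = accepted
	return e.DecodedPayload()
}
```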
@@ -105,28 +102,30 @@ func Test_dsseEncoder_signMessage(t *testing.T) { // corruptPayloadType corrupts the payload type of e and re-signs the envelope. The result is a // cryptographically valid envelope with an unexpected payload types. -func corruptPayloadType(t *testing.T, en *dsseEncoder, e *dsse.Envelope) { +func corruptPayloadType(t *testing.T, en *dsseEncoder, e *dsseEnvelope) { t.Helper() - body, err := e.DecodeB64Payload() + body, err := e.DecodedPayload() if err != nil { t.Fatal(err) } - bad, err := en.es.SignPayload(context.Background(), "bad", body) + bad, err := dsse.WrapMultiSigner("bad", en.ss...).SignMessage(bytes.NewReader(body)) if err != nil { t.Fatal(err) } - *e = *bad + if err := json.Unmarshal(bad, e); err != nil { + t.Fatal(err) + } } // corruptPayload corrupts the payload in e. The result is that the signature(s) in e do not match // the payload. -func corruptPayload(t *testing.T, _ *dsseEncoder, e *dsse.Envelope) { +func corruptPayload(t *testing.T, _ *dsseEncoder, e *dsseEnvelope) { t.Helper() - body, err := e.DecodeB64Payload() + body, err := e.DecodedPayload() if err != nil { t.Fatal(err) } @@ -136,7 +135,7 @@ func corruptPayload(t *testing.T, _ *dsseEncoder, e *dsse.Envelope) { // corruptSignatures corrupts the signature(s) in e. The result is that the signature(s) in e do // not match the payload. -func corruptSignatures(t *testing.T, _ *dsseEncoder, e *dsse.Envelope) { +func corruptSignatures(t *testing.T, _ *dsseEncoder, e *dsseEnvelope) { t.Helper() for i, sig := range e.Signatures { @@ -156,7 +155,7 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) { name string signers []signature.Signer signOpts []signature.SignOption - corrupter func(*testing.T, *dsseEncoder, *dsse.Envelope) + corrupter func(*testing.T, *dsseEncoder, *dsseEnvelope) de *dsseDecoder wantErr error wantMessage string 
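Review bot: corruptPayloadType now re-signs with `dsse.WrapMultiSigner("bad", en.ss...).SignMessage(bytes.NewReader(body))` and drops the encoder's sign options, while the encoder itself signs with `en.opts`, which is where a non-default hash is selected. For any table entry that pairs this corrupter with such signOpts, the re-signed envelope would be verified under a different hash than it was signed with, so the test could fail on signature verification instead of on the unexpected payload type the comment promises, and the intended error path would go unexercised. Pass the options through: `bad, err := dsse.WrapMultiSigner("bad", en.ss...).SignMessage(bytes.NewReader(body), en.opts...)`. The table entries are not in this hunk, so whether a current case hits this is inferred.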
@@ -185,8 +184,7 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) { de: newDSSEDecoder( getTestVerifier(t, "rsa-public.pem", crypto.SHA256), ), - wantErr: errDSSEVerifyEnvelopeFailed, - wantKeys: []crypto.PublicKey{}, + wantErr: errDSSEVerifyEnvelopeFailed, }, { name: "CorruptSignatures", @@ -197,8 +195,7 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) { de: newDSSEDecoder( getTestVerifier(t, "rsa-public.pem", crypto.SHA256), ), - wantErr: errDSSEVerifyEnvelopeFailed, - wantKeys: []crypto.PublicKey{}, + wantErr: errDSSEVerifyEnvelopeFailed, }, { name: "Multi_SHA256", @@ -321,10 +318,7 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) { t.Run(tt.name, func(t *testing.T) { b := bytes.Buffer{} - en, err := newDSSEEncoder(tt.signers, tt.signOpts...) - if err != nil { - t.Fatal(err) - } + en := newDSSEEncoder(tt.signers, tt.signOpts...) // Sign and encode message. h, err := en.signMessage(context.Background(), &b, strings.NewReader(testMessage)) @@ -334,7 +328,7 @@ func Test_dsseDecoder_verifyMessage(t *testing.T) { // Introduce corruption, if applicable. if tt.corrupter != nil { - var e dsse.Envelope + var e dsseEnvelope if err := json.Unmarshal(b.Bytes(), &e); err != nil { t.Fatal(err) } diff --git a/pkg/integrity/result.go b/pkg/integrity/result.go index 6e0e3b1a..d2acef0b 100644 --- a/pkg/integrity/result.go +++ b/pkg/integrity/result.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved. +// Copyright (c) 2020-2024, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file // distributed with the sources of this project regarding your rights to use or distribute this // software. @@ -9,7 +9,6 @@ import ( "crypto" "github.com/ProtonMail/go-crypto/openpgp" - "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sylabs/sif/v2/pkg/sif" ) 
@@ -17,7 +16,7 @@ import ( type VerifyResult struct { sig sif.Descriptor verified []sif.Descriptor - aks []dsse.AcceptedKey + keys []crypto.PublicKey e *openpgp.Entity err error } @@ -34,11 +33,7 @@ func (r VerifyResult) Verified() []sif.Descriptor { // Keys returns the public key(s) used to verify the signature. func (r VerifyResult) Keys() []crypto.PublicKey { - keys := make([]crypto.PublicKey, 0, len(r.aks)) - for _, ak := range r.aks { - keys = append(keys, ak.Public) - } - return keys + return r.keys } // Entity returns the signing entity, or nil if the signing entity could not be determined. diff --git a/pkg/integrity/sign.go b/pkg/integrity/sign.go index b5052421..002810a8 100644 --- a/pkg/integrity/sign.go +++ b/pkg/integrity/sign.go @@ -337,11 +337,7 @@ func NewSigner(f *sif.FileImage, opts ...SignerOpt) (*Signer, error) { var en encoder switch { case so.ss != nil: - var err error - en, err = newDSSEEncoder(so.ss) - if err != nil { - return nil, fmt.Errorf("integrity: %w", err) - } + en = newDSSEEncoder(so.ss) case so.e != nil: timeFunc := time.Now if so.timeFunc != nil { diff --git a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/ED25519.golden b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/ED25519.golden index 2e545c67..b69b23d7 100644 --- a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/ED25519.golden +++ b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/ED25519.golden 
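Review bot: `Keys()` now returns `r.keys` itself rather than a freshly built slice, so a caller that appends to or overwrites elements of the returned slice mutates the VerifyResult, and when no key was accepted it returns nil where the old code returned an empty non-nil slice (the test hunks in dsse_test.go and verify_test.go drop `wantKeys: []crypto.PublicKey{}` to match). If VerifyResult is meant to be read-only once handed to callers, copy on the way out: `keys := make([]crypto.PublicKey, len(r.keys))`, `copy(keys, r.keys)`, `return keys`, which also preserves the non-nil result. Whether any external caller depends on the nil/empty distinction is not visible from here.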
@@ -1 +1 @@ -{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:x6l8ZblpSSXGaPMCzySedWg88BwIFcz8jlPb6el0mFs","sig":"SNnYRFIhDwWjk0pxoreaNiLea6L2WAFUm4boxnv7jiBNGmvMnbCxdsHYsTRBLXvMJHwEfKGvHFJmi9VvMe4JCQ=="}]} +{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:x6l8ZblpSSXGaPMCzySedWg88BwIFcz8jlPb6el0mFs","sig":"SNnYRFIhDwWjk0pxoreaNiLea6L2WAFUm4boxnv7jiBNGmvMnbCxdsHYsTRBLXvMJHwEfKGvHFJmi9VvMe4JCQ=="}]} \ No newline at end of file diff --git a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/Multi.golden b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/Multi.golden index b4322d20..a7e10585 100644 --- a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/Multi.golden +++ b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/Multi.golden 
@@ -1 +1 @@ -{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"qtxC0N3TWRUOOF4nAFwf8izZMVhpGca/s0STBi2h/OU/lND9M4uPG70LMGJ+n2GhCOyKKLR5BpgtlUkBpwhsxiPDqyyXFE2/Rvu/MsNicNIal7A1E64X3iOrMmaXK7qHDY6TpwC0KlxTOsh2XHJSM/cItgebkiRn5ZaZl48/10IzMsq/nOr0k9fGdAdgeApnRAQzBuHzcSAMpz8k9ovbyecfwuNLxXk6PO3isetpFx2j1d11gNfmwE54lCQ9ZGC3hiTJVt9WLBP+xC5AGoiX9f5FQpRzQrg9xGjyfwZDF4PSE9UFfUAC4fGPdultxUPXp8afWocJwbDgZBOkUKgE2L16LtMYSPFMdmAy615Ah6AOyudDTY+6iUr8D7YFdXgkjuQOGxtk7Wh2AIwk1lTOF4nrpycNjOJawBW5AFxdjEJ0LvG/XEJgSC88RoAkQ0YdN7j5N8nNf4+bZJ+CmTXPWU0MdFVDgI59bJKUJU/lt1WM/ZEIzujCgtqYKwCc8LNl5Fruh+2nHmtsAS3bxxPv51Nbw5d8T316SBp0bhjY+R7OncQDaP2FQ+nwpUXuDX3Tr9pqMJxDgErbIATOdSaRQ3KB1iC5gzTwIikuwPIxAuB2Gb5wWGxhqqfx7iA38TpnP5x8YXsjGCseUxFjrKoj5uL1p6ayGXOPJy/D9FsQVtA="}]} +{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"},{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} \ No newline at end of file diff --git a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA256.golden b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA256.golden index 0bc3e8d6..33c03ca9 100644 --- a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA256.golden +++ b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA256.golden 
@@ -1 +1 @@ -{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} +{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} \ No newline at end of file diff --git a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA384.golden b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA384.golden index 46c14754..f8e82afe 100644 --- a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA384.golden +++ b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA384.golden @@ -1 +1 @@ -{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} +{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} \ No newline at end of file diff --git a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA512.golden b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA512.golden index 5ade7939..f9f2e7f5 100644 --- a/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA512.golden +++ b/pkg/integrity/testdata/Test_dsseEncoder_signMessage/RSA_SHA512.golden 
@@ -1 +1 @@ -{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} +{"payloadType":"application/vnd.sylabs.sif-metadata+json","payload":"eyJPbmUiOjEsIlR3byI6Mn0K","signatures":[{"keyid":"SHA256:BhCwr7qZulYcOMSl2Jt2DuYHxHNnN6th4NdMqR/PGa4","sig":"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"}]} \ No newline at end of file diff --git a/pkg/integrity/verify_test.go b/pkg/integrity/verify_test.go index dbea56f0..e8be1a52 100644 --- a/pkg/integrity/verify_test.go +++ b/pkg/integrity/verify_test.go @@ -1069,7 +1069,6 @@ func TestVerifier_Verify(t *testing.T) { testCallback: true, wantCBSignature: sigPGP, wantCBVerified: verifiedPGP, - wantCBKeys: []crypto.PublicKey{}, wantCBEntity: e, }, { @@ -1081,7 +1080,6 @@ func TestVerifier_Verify(t *testing.T) { testCallback: true, ignoreError: true, wantCBSignature: sigPGP, - wantCBKeys: []crypto.PublicKey{}, wantCBEntity: nil, wantCBErr: &SignatureNotValidError{ID: 3}, },