Pass a nop verifier to dupe detection (#81)

I believe the dupe detector takes a verifier so that it only replaces attestations that match a verifier. The verifier we pass into Attest is ephemeral and probably not what the dupe detector really wants. For attestations that fail to verify, the dupe detector just ignores the error and continues. For our use case, we always want to replace by predicate type and don't care about keeping around multiple identities/verifiers. We _want_ to clobber whatever was there before and update it with the most recent identity. Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
chainguard-dev · Oct 9, 2023 · 826412b · 826412b
1 parent 89876bd
commit 826412b
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/internal/secant/attest.go b/internal/secant/attest.go
@@ -3,6 +3,7 @@ package secant
 import (
 	"bytes"
 	"context"
+	"crypto"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -25,6 +26,7 @@ import (
 	ctypes "github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -66,6 +68,10 @@ func Attest(ctx context.Context, statements []*types.Statement, sv types.Cosigne
 	// so we use a placeholder here.
 	se := ociremote.SignedUnknown(digest)
 
+	// We use a dupe detector that always verifies because we always want to replace
+	// things with a matching predicate type.
+	dd := cremote.NewDupeDetector(&alwaysVerifier{})
+
 	for _, statement := range statements {
 		// Make sure these statements are all for the same subject.
 		if digest != statement.Digest {
@@ -151,7 +157,7 @@ func Attest(ctx context.Context, statements []*types.Statement, sv types.Cosigne
 		}
 
 		signOpts := []mutate.SignOption{
-			mutate.WithDupeDetector(cremote.NewDupeDetector(sv)),
+			mutate.WithDupeDetector(dd),
 			mutate.WithReplaceOp(cremote.NewReplaceOp(predicateType)),
 		}
 
@@ -187,3 +193,15 @@ func parsePredicateType(t string) (string, error) {
 	}
 	return uri, nil
 }
+
+type alwaysVerifier struct{}
+
+// This only exists to satisfy cosign interface jungle.
+func (av *alwaysVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicKey, error) {
+	panic("this should not get called ever")
+}
+
+// This always verifies.
+func (av *alwaysVerifier) VerifySignature(signature, message io.Reader, opts ...signature.VerifyOption) error {
+	return nil
+}