diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b4ae0388f85b..f6a4f8703362 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: @@ -54,7 +54,7 @@ jobs: - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - name: Set up Cloud SDK - uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign' service_account: 'github-actions@projectsigstore.iam.gserviceaccount.com' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ef374897231b..1be045d5f7e9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -67,7 +67,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1 with: languages: ${{ matrix.language }} @@ -75,4 +75,4 @@ jobs: run: make cosign - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1 diff --git a/.github/workflows/cross.yaml b/.github/workflows/cross.yaml index d142b62e5f17..e38aa6f0e05b 100644 --- a/.github/workflows/cross.yaml 
+++ b/.github/workflows/cross.yaml @@ -67,7 +67,7 @@ jobs: echo "artifactsfilename=$name" >> $GITHUB_ENV - name: Upload artifacts if: github.event_name != 'pull_request' - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: artifacts-${{ env.artifactsfilename }} path: | diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index cbc1b6512da4..c30112030495 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -73,3 +73,17 @@ jobs: - name: Run e2e_signblob_tsa_mtls.sh shell: bash run: make && PATH="$PWD:$PATH" ./test/e2e_signblob_tsa_mtls.sh + + e2e-test-pkcs11: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: '1.21' + check-latest: true + + - name: Run pkcs11 end-to-end tests + shell: bash + run: ./test/e2e_test_pkcs11.sh diff --git a/.github/workflows/kind-e2e-insecure-registry.yaml b/.github/workflows/kind-e2e-insecure-registry.yaml index c742e6eb3bbd..7b3914dd6300 100644 --- a/.github/workflows/kind-e2e-insecure-registry.yaml +++ b/.github/workflows/kind-e2e-insecure-registry.yaml @@ -54,10 +54,10 @@ jobs: - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v1.6.1 + - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@dd648994340a5d03225d97abf19c9bf1086c3f07 # v4.40.5 + uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 - name: Install Cosign run: | diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index a9fd8d286a4a..72ce1388f440 100644 
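Review bot: The new `e2e-test-pkcs11` job at the tail of the e2e-tests.yml hunk runs `./test/e2e_test_pkcs11.sh` directly, while the preceding step in the same file does `make && PATH="$PWD:$PATH" ./test/...`; if the script expects a freshly built `cosign` on PATH (not visible from the hunk) the step will either fail or pick up whatever binary the runner image provides, so either build first or state in the step name that the script builds its own. The job also declares neither `permissions:` nor `timeout-minutes:`; whether a workflow-level `permissions:` block already restricts the token is outside the hunk, so confirm the job runs with a read-only `GITHUB_TOKEN`.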
--- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -57,7 +57,7 @@ jobs: - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - name: Install yq - uses: mikefarah/yq@dd648994340a5d03225d97abf19c9bf1086c3f07 # v4.40.5 + uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 - name: build cosign run: | diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml index bd986c74056d..a391502e6a7b 100644 --- a/.github/workflows/scorecard-action.yml +++ b/.github/workflows/scorecard-action.yml @@ -44,7 +44,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif @@ -52,6 +52,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/upload-sarif@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1 with: sarif_file: results.sarif diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 98c6bc09a84a..141448f6629e 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -73,7 +73,7 @@ jobs: GODEBUG: x509sha1=1 run: go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # v3.1.5 + uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 with: env_vars: OS - name: Run Go tests w/ `-race` 
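Review bot: The `codecov/codecov-action` pin in the tests.yaml hunk moves from v3.1.5 to v4.1.0, a major-version change in which the action switched to the new Codecov CLI uploader and, for most repositories, expects an upload token, yet the `with:` block here still carries only `env_vars: OS`. Confirm that coverage uploads still succeed for this repository on v4, or add a `token:` input (conventionally `token: ${{ secrets.CODECOV_TOKEN }}`) and check how the step behaves for pull requests from forks, which cannot read repository secrets. The surrounding job definition is outside the hunk.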
@@ -175,7 +175,7 @@ jobs: go-version: '1.21' check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 with: # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. version: v1.55 diff --git a/CHANGELOG.md b/CHANGELOG.md index 841e7e47a1be..12b80e6f667b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,38 @@ +# v2.2.3 + +## Bug Fixes + +* Fix race condition on verification with multiple signatures attached to image (#3486) +* fix(clean): Fix clean cmd for private registries (#3446) +* Fixed BYO PKI verification (#3427) + +## Features + +* Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466) +* Add support for OpenVEX predicate type (#3405) + +## Documentation + +* Resolves #3088: `version` sub-command expected behaviour documentation and testing (#3447) +* add examples for cosign attach signature cmd (#3468) + +## Misc + +* Remove CertSubject function (#3467) +* Use local rekor and fulcio instances in e2e tests (#3478) + +## Contributors + +* aalsabag +* Bob Callaway +* Carlos Tadeu Panato Junior +* Colleen Murphy +* Hayden B +* Mukuls77 +* Omri Bornstein +* Puerco +* vivek kumar sahu + # v2.2.2 v2.2.2 adds a new container with a shell, `gcr.io/projectsigstore/cosign:vx.y.z-dev`, in addition to the existing @@ -25,7 +60,7 @@ For private deployments, we have also added an alias for `--insecure-skip-log`, ## Documentation -* Update SBOM_SPEC.md (#3358) +* Update SBOM\_SPEC.md (#3358) ## Contributors diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index 73b473a6ab23..644b85bf3524 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go 
@@ -74,6 +74,7 @@ func Attest() *cobra.Command {
 Slot: o.SecurityKey.Slot,
 FulcioURL: o.Fulcio.URL,
 IDToken: o.Fulcio.IdentityToken,
+ FulcioAuthFlow: o.Fulcio.AuthFlow,
 InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 RekorURL: o.Rekor.URL,
 OIDCIssuer: o.OIDC.Issuer,
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index 3e7c6fe36b4e..3cefa61ba535 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -61,6 +61,7 @@ func AttestBlob() *cobra.Command {
 Slot: o.SecurityKey.Slot,
 FulcioURL: o.Fulcio.URL,
 IDToken: o.Fulcio.IdentityToken,
+ FulcioAuthFlow: o.Fulcio.AuthFlow,
 InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 RekorURL: o.Rekor.URL,
 OIDCIssuer: o.OIDC.Issuer,
diff --git a/cmd/cosign/cli/download/sbom.go b/cmd/cosign/cli/download/sbom.go
index 79c6968fac29..66ff42572599 100644
--- a/cmd/cosign/cli/download/sbom.go
+++ b/cmd/cosign/cli/download/sbom.go
@@ -100,7 +100,9 @@ func SBOMCmd(
 }
 sboms = append(sboms, string(sbom))
- fmt.Fprint(out, string(sbom))
+ if _, err := out.Write(sbom); err != nil {
+ return nil, err
+ }
 return sboms, nil
 }
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index de555d47b27f..cc3e12ca9be3 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -38,9 +38,10 @@ import (
 )
 const (
- flowNormal = "normal"
- flowDevice = "device"
- flowToken = "token"
+ flowNormal = "normal"
+ flowDevice = "device"
+ flowToken = "token"
+ flowClientCredentials = "client_credentials"
 )
 type oidcConnector interface {
@@ -89,6 +90,8 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect
 func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
 c := &realConnector{}
 switch flow {
+ case flowClientCredentials:
+ c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer)
 case flowDevice:
 c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer)
 case flowNormal:
diff --git a/cmd/cosign/cli/generate/generate.go b/cmd/cosign/cli/generate/generate.go
index ef5cac0cea1e..ee2e6b459a59 100644
--- a/cmd/cosign/cli/generate/generate.go
+++ b/cmd/cosign/cli/generate/generate.go
@@ -17,7 +17,6 @@ package generate
 import (
 "context"
- "fmt"
 "io"
 "github.com/google/go-containerregistry/pkg/name"
@@ -49,6 +48,6 @@ func GenerateCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef
 if err != nil {
 return err
 }
- fmt.Fprint(w, string(json))
+ w.Write(json)
 return nil
 }
diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go
index 291710c077b4..0e28d559408f 100644
--- a/cmd/cosign/cli/options/fulcio.go
+++ b/cmd/cosign/cli/options/fulcio.go
@@ -24,6 +24,7 @@ const DefaultFulcioURL = "https://fulcio.sigstore.dev"
 // FulcioOptions is the wrapper for Fulcio related options.
 type FulcioOptions struct {
 URL string
+ AuthFlow string
 IdentityToken string
 InsecureSkipFulcioVerify bool
 }
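Review bot: The new `case flowClientCredentials:` in GetCert builds the flow from `oidcIssuer` alone even though the function also receives `oidcClientID` and `oidcClientSecret`; a client-credentials grant authenticates the OIDC client itself rather than a person, so the certificate Fulcio issues is bound to that client identity and the grant cannot complete unless the client secret reaches the flow somewhere. If the secret is supplied later through the oauth2 config (outside the hunk), say so on the new case, e.g. `// client_credentials: non-interactive; the subject is the OIDC client, whose secret comes from the oauth2 config below`; if not, it has to be passed here. Callers hand `flow` straight through from the new `--fulcio-auth-flow` string and the switch's `default` branch is outside the hunk, so also confirm an unrecognised value is rejected rather than silently mapped to the interactive flow. The `flowClientCredentials` constant is defined in the previous hunk of this file.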
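Review bot: `w.Write(json)` in the GenerateCmd hunk discards the write's error, so a short or failed write of the generated payload returns `nil` and the caller reports success with incomplete output; the sbom.go hunk in this same commit checks the identical call, so this one should match it: `if _, err := w.Write(json); err != nil {` / `return err` / `}`. The earlier hunk dropping the `"fmt"` import is fine once `fmt.Fprint` is gone.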
@@ -36,6 +37,9 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.URL, "fulcio-url", DefaultFulcioURL, "address of sigstore PKI server") + cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "", + "fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment.") + cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "", "identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.") diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index f89d227bfa03..8c3c241618a0 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go @@ -143,7 +143,7 @@ func (o *VerifyAttestationOptions) AddFlags(cmd *cobra.Command) { "whether to check the claims found") cmd.Flags().StringSliceVar(&o.Policies, "policy", nil, - "specify CUE or Rego files will be using for validation") + "specify CUE or Rego files with policies to be used for validation") cmd.Flags().StringVarP(&o.Output, "output", "o", "json", "output format for the signing image information (json|text)") diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index e937be58ae93..03e30f13f589 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -107,6 +107,7 @@ race conditions or (worse) malicious tampering. Slot: o.SecurityKey.Slot, FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, RekorURL: o.Rekor.URL, OIDCIssuer: o.OIDC.Issuer, diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index ce3035a1d158..1783d056ac0e 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go 
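Review bot: The help text for the new `--fulcio-auth-flow` flag in options/fulcio.go calls it an "interactive oauth2 flow" and lists no accepted values, yet the `client_credentials` flow this commit adds is the one non-interactive option, and nothing in the hunk validates the string, so a typo is only caught (or not) by the switch in fulcio.go. Suggest `"OAuth2 flow used to obtain a certificate from Fulcio: normal, device, token or client_credentials. Defaults to choosing a flow based on the runtime environment."` plus a check over those four values that returns an error when options are resolved. The generated docs in doc/cosign_attest.md, doc/cosign_attest-blob.md, doc/cosign_sign.md and doc/cosign_sign-blob.md repeat the current wording and would need regenerating.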
@@ -75,6 +75,7 @@ func SignBlob() *cobra.Command {
 Slot: o.SecurityKey.Slot,
 FulcioURL: o.Fulcio.URL,
 IDToken: o.Fulcio.IdentityToken,
+ FulcioAuthFlow: o.Fulcio.AuthFlow,
 InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
 RekorURL: o.Rekor.URL,
 OIDCIssuer: o.OIDC.Issuer,
diff --git a/cmd/cosign/cli/triangulate.go b/cmd/cosign/cli/triangulate.go
index 808de7036fc6..0cf60e978a83 100644
--- a/cmd/cosign/cli/triangulate.go
+++ b/cmd/cosign/cli/triangulate.go
@@ -29,7 +29,7 @@ func Triangulate() *cobra.Command {
 cmd := &cobra.Command{
 Use: "triangulate",
- Short: "Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.",
+ Short: "Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.",
 Example: " cosign triangulate ",
 PersistentPreRun: options.BindViper,
 RunE: func(cmd *cobra.Command, args []string) error {
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index 9648ef3613a9..bd172a3aae1c 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -24,6 +24,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "io/fs"
 "os"
 "path/filepath"
@@ -313,7 +314,7 @@ func base64signature(sigRef, bundlePath string) (string, error) {
 case sigRef != "":
 targetSig, err = blob.LoadFileOrURL(sigRef)
 if err != nil {
- if !os.IsNotExist(err) {
+ if !errors.Is(err, fs.ErrNotExist) {
 // ignore if file does not exist, it can be a base64 encoded string as well
 return "", err
 }
diff --git a/doc/cosign.md b/doc/cosign.md
index c3eec43dffae..d7f90aae4691 100644
--- a/doc/cosign.md
+++ b/doc/cosign.md
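Review bot: `errors.Is(err, fs.ErrNotExist)` in base64signature is the right replacement for `os.IsNotExist` because it also matches wrapped errors, but the fallback it guards stays silent: when `--signature` names a path that does not exist, the path string itself is then treated as an inline base64 signature and the user sees an unrelated decode or verification failure instead of "file not found". A one-line diagnostic at the fallback, e.g. `fmt.Fprintf(os.Stderr, "signature %q is not an existing file; treating it as an inline base64 signature\n", sigRef)`, would make a mistyped path obvious without changing behaviour. The rest of base64signature is outside the hunk.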
@@ -36,7 +36,7 @@ A tool for Container Signing, Verification and Storage in an OCI registry. * [cosign sign](cosign_sign.md) - Sign the supplied container image. * [cosign sign-blob](cosign_sign-blob.md) - Sign the supplied blob, outputting the base64-encoded signature to stdout. * [cosign tree](cosign_tree.md) - Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations -* [cosign triangulate](cosign_triangulate.md) - Outputs the located cosign image reference. This is the location cosign stores the specified artifact type. +* [cosign triangulate](cosign_triangulate.md) - Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type. * [cosign upload](cosign_upload.md) - Provides utilities for uploading artifacts to a registry * [cosign verify](cosign_verify.md) - Verify a signature on the supplied container image * [cosign verify-attestation](cosign_verify-attestation.md) - Verify an attestation on the supplied container image diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 515999fecf39..a6baddae9f20 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md 
@@ -36,6 +36,7 @@ cosign attest-blob [flags] --bundle string write everything required to verify the blob to a FILE --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") --hash string hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash -h, --help help for attest-blob diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 95a436d2784e..27158c333d41 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -47,6 +47,7 @@ cosign attest [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for attest --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index f49b54619068..8bd0c42075a9 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md @@ -38,6 +38,7 @@ cosign sign-blob [flags] ``` --b64 whether to base64 encode the output (default true) --bundle string write everything required to verify the blob to a FILE + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index a6cf48855369..1b31d1a382e4 100644 --- a/doc/cosign_sign.md 
+++ b/doc/cosign_sign.md @@ -76,6 +76,7 @@ cosign sign [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_triangulate.md b/doc/cosign_triangulate.md index 1f8e36874bc0..07b414948431 100644 --- a/doc/cosign_triangulate.md +++ b/doc/cosign_triangulate.md @@ -1,6 +1,6 @@ ## cosign triangulate -Outputs the located cosign image reference. This is the location cosign stores the specified artifact type. +Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type. ``` cosign triangulate [flags] diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index 29fd18e6bea6..caa192147231 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md 
@@ -81,7 +81,7 @@ cosign verify-attestation [flags] --max-workers int the amount of maximum workers for parallel executions (default 10) --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") - --policy strings specify CUE or Rego files will be using for validation + --policy strings specify CUE or Rego files with policies to be used for validation --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure --registry-password string registry basic auth password --registry-token string registry bearer auth token diff --git a/go.mod b/go.mod index f6a65f12363b..7ea1c6f94b02 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/sigstore/cosign/v2 go 1.21 require ( - cuelang.org/go v0.7.0 + cuelang.org/go v0.7.1 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 github.com/buildkite/agent/v3 v3.62.0 @@ -17,7 +17,7 @@ require ( github.com/go-piv/piv-go v1.11.0 github.com/google/certificate-transparency-go v1.1.7 github.com/google/go-cmp v0.6.0 - github.com/google/go-containerregistry v0.18.0 + github.com/google/go-containerregistry v0.19.0 github.com/google/go-github/v55 v55.0.0 github.com/in-toto/in-toto-golang v0.9.0 github.com/kelseyhightower/envconfig v1.4.0 
@@ -31,13 +31,13 @@ require ( github.com/pkg/errors v0.9.1 github.com/secure-systems-lab/go-securesystemslib v0.8.0 github.com/sigstore/fulcio v1.4.3 - github.com/sigstore/rekor v1.3.4 - github.com/sigstore/sigstore v1.8.1 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1 - github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1 - github.com/sigstore/timestamp-authority v1.2.1 + github.com/sigstore/rekor v1.3.5 + github.com/sigstore/sigstore v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 + github.com/sigstore/timestamp-authority v1.2.2 github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 github.com/spf13/viper v1.18.2 @@ -45,13 +45,13 @@ require ( github.com/stretchr/testify v1.8.4 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - github.com/xanzy/go-gitlab v0.96.0 - go.step.sm/crypto v0.42.1 - golang.org/x/crypto v0.18.0 - golang.org/x/oauth2 v0.16.0 + github.com/xanzy/go-gitlab v0.98.0 + go.step.sm/crypto v0.43.1 + golang.org/x/crypto v0.20.0 + golang.org/x/oauth2 v0.17.0 golang.org/x/sync v0.6.0 - golang.org/x/term v0.16.0 - google.golang.org/api v0.159.0 + golang.org/x/term v0.17.0 + google.golang.org/api v0.167.0 k8s.io/api v0.28.3 k8s.io/apimachinery v0.28.3 k8s.io/client-go v0.28.3 
@@ -60,18 +60,18 @@ require ( ) require ( - cloud.google.com/go/compute v1.23.3 // indirect + cloud.google.com/go/compute v1.23.4 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect - cloud.google.com/go/iam v1.1.5 // indirect - cloud.google.com/go/kms v1.15.5 // indirect + cloud.google.com/go/iam v1.1.6 // indirect + cloud.google.com/go/kms v1.15.7 // indirect cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect 
@@ -99,23 +99,23 @@ require ( github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.50.0 // indirect - github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect - github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect + github.com/aws/aws-sdk-go v1.50.25 // indirect + github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect + github.com/aws/aws-sdk-go-v2/config v1.27.4 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.4 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect - github.com/aws/smithy-go v1.19.0 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect + 
github.com/aws/aws-sdk-go-v2/service/kms v1.29.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 // indirect + github.com/aws/smithy-go v1.20.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/buildkite/go-pipeline v0.3.2 // indirect @@ -144,7 +144,7 @@ require ( github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.1 // indirect + github.com/go-jose/go-jose/v3 v3.0.2 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.22.0 // indirect @@ -152,8 +152,8 @@ require ( github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect github.com/go-openapi/loads v0.21.5 // indirect - github.com/go-openapi/spec v0.20.13 // indirect - github.com/go-openapi/validate v0.22.4 // indirect + github.com/go-openapi/spec v0.20.14 // indirect + github.com/go-openapi/validate v0.22.6 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect @@ -169,7 +169,7 @@ require ( github.com/google/tink/go v1.7.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect - github.com/googleapis/gax-go/v2 v2.12.0 // indirect + github.com/googleapis/gax-go/v2 v2.12.1 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 
@@ -180,11 +180,11 @@ require ( github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.5 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect - github.com/hashicorp/vault/api v1.10.0 // indirect + github.com/hashicorp/vault/api v1.12.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect - github.com/jellydator/ttlcache/v3 v3.1.1 // indirect + github.com/jellydator/ttlcache/v3 v3.2.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -244,33 +244,33 @@ require ( github.com/zeebo/errs v1.3.0 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect - go.opentelemetry.io/otel v1.22.0 // indirect - go.opentelemetry.io/otel/metric v1.22.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect + go.opentelemetry.io/otel v1.23.0 // indirect + go.opentelemetry.io/otel/metric v1.23.0 // indirect go.opentelemetry.io/otel/sdk v1.22.0 // indirect - go.opentelemetry.io/otel/trace v1.22.0 // indirect + go.opentelemetry.io/otel/trace v1.23.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect golang.org/x/mod v0.14.0 // indirect - golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/net v0.21.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.15.0 // indirect google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac // indirect - google.golang.org/grpc v1.61.0 // indirect + google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 // indirect + google.golang.org/grpc v1.61.1 // indirect 
google.golang.org/protobuf v1.32.0 // indirect gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/klog/v2 v2.120.0 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect diff --git a/go.sum b/go.sum index 2fe170890b9f..15f7758b80ba 100644 --- a/go.sum +++ b/go.sum 
@@ -1,34 +1,34 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.111.0 h1:YHLKNupSD1KqjDbQ3+LVdQ81h/UJbJyZG203cEfnQgM= -cloud.google.com/go v0.111.0/go.mod h1:0mibmpKP1TyOOFYQY5izo0LnT+ecvOQ0Sg3OdmMiNRU= -cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= -cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM= +cloud.google.com/go v0.112.0/go.mod h1:3jEEVwZ/MHU4djK5t5RHuKOA/GbLddgTdVubX1qnPD4= +cloud.google.com/go/compute v1.23.4 h1:EBT9Nw4q3zyE7G45Wvv3MzolIrCJEuHys5muLY0wvAw= +cloud.google.com/go/compute v1.23.4/go.mod h1:/EJMj55asU6kAFnuZET8zqgwgJ9FvXWXOkkfQZa4ioI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= -cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= -cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= -cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= -cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= +cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= +cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= +cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM= +cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI= cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 h1:zkiIe8AxZ/kDjqQN+mDKc5BxoVJOqioSdqApjc+eB1I= cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13/go.mod h1:XGKYSMtsJWfqQYPwq51ZygxAPqpEUj/9bdg16iDPTAA= -cuelang.org/go v0.7.0 h1:gMztinxuKfJwMIxtboFsNc6s8AxwJGgsJV+3CuLffHI= -cuelang.org/go v0.7.0/go.mod 
h1:ix+3dM/bSpdG9xg6qpCgnJnpeLtciZu+O/rDbywoMII= +cuelang.org/go v0.7.1 h1:wSuUSIKR9M1yrph57l8EJATWVRWHaq/Zd0dFUL10PC8= +cuelang.org/go v0.7.1/go.mod h1:ix+3dM/bSpdG9xg6qpCgnJnpeLtciZu+O/rDbywoMII= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18 h1:rd389Q26LMy03gG4anandGFC2LW/xvjga5GezeeaxQk= -github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230618160516-e936619f9f18/go.mod h1:fgJuSBrJP5qZtKqaMJE0hmhS2tmRH+44IkfZvjtaf1M= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= +github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw= github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod 
h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 
@@ -118,44 +118,44 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdK github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.50.0 h1:HBtrLeO+QyDKnc3t1+5DR1RxodOHCGr8ZcrHudpv7jI= -github.com/aws/aws-sdk-go v1.50.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.50.25 h1:vhiHtLYybv1Nhx3Kv18BBC6L0aPJHaG9aeEsr92W99c= +github.com/aws/aws-sdk-go v1.50.25/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= -github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= -github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= -github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= +github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w= +github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo= +github.com/aws/aws-sdk-go-v2/config v1.27.4 h1:AhfWb5ZwimdsYTgP7Od8E9L1u4sKmDW2ZVeLcf2O42M= 
+github.com/aws/aws-sdk-go-v2/config v1.27.4/go.mod h1:zq2FFXK3A416kiukwpsd+rD4ny6JC7QSkp4QdN1Mp2g= +github.com/aws/aws-sdk-go-v2/credentials v1.17.4 h1:h5Vztbd8qLppiPwX+y0Q6WiwMZgpd9keKe2EAENgAuI= +github.com/aws/aws-sdk-go-v2/credentials v1.17.4/go.mod h1:+30tpwrkOgvkJL1rUZuRLoxcJwtI/OkeBLYnHxJtVe0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 h1:AK0J8iYBFeUk2Ax7O8YpLtFsfhdOByh2QIkHmigpRYk= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2/go.mod h1:iRlGzMix0SExQEviAyptRWRGdYNo3+ufW/lCzvKVTUc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod 
h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.9 h1:W9PbZAZAEcelhhjb7KuwUtf+Lbc+i7ByYJRuWLlnxyQ= -github.com/aws/aws-sdk-go-v2/service/kms v1.27.9/go.mod h1:2tFmR7fQnOdQlM2ZCEPpFnBIQD1U8wmXmduBgZbOag0= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod 
h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0= +github.com/aws/aws-sdk-go-v2/service/kms v1.29.1 h1:OdjJjUWFlMZLAMl54ASxIpZdGEesY4BH3/c0HAPSFdI= +github.com/aws/aws-sdk-go-v2/service/kms v1.29.1/go.mod h1:Cbx2uxEX0bAB7SlSY+ys05ZBkEb8IbmuAOcGVmDfJFs= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 h1:utEGkfdQ4L6YW/ietH7111ZYglLJvS+sLriHJ1NBJEQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.1/go.mod h1:RsYqzYr2F2oPDdpy+PdhephuZxTfjHQe7SOBcZGoAU8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 h1:9/GylMS45hGGFCcMrUZDVayQE1jYSIN6da9jo7RAYIw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1/go.mod h1:YjAPFn4kGFqKC54VsHs5fn5B6d+PCY2tziEa3U/GB5Y= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA= github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= -github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= +github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= +github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -283,9 +283,8 @@ github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyN github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= -github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= -github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-jose/go-jose/v3 v3.0.2 h1:2Edjn8Nrb44UvTdp84KU0bBPs1cO7noRCybtS3eJEUQ= +github.com/go-jose/go-jose/v3 v3.0.2/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -303,20 +302,20 @@ github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRz github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto= github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU= -github.com/go-openapi/spec v0.20.13 h1:XJDIN+dLH6vqXgafnl5SUIMnzaChQ6QTo0/UPMbkIaE= -github.com/go-openapi/spec v0.20.13/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= +github.com/go-openapi/spec v0.20.14 h1:7CBlRnw+mtjFGlPDRZmAMnq35cRzI91xj03HVyUi/Do= +github.com/go-openapi/spec v0.20.14/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= -github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8= -github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A= +github.com/go-openapi/validate v0.22.6 h1:+NhuwcEYpWdO5Nm4bmvhGLW0rt1Fcc532Mu3wpypXfo= +github.com/go-openapi/validate v0.22.6/go.mod h1:eaddXSqKeTg5XpSmj1dYyFTK/95n/XHwcOY+BMxKMyM= github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= -github.com/go-rod/rod v0.114.5 h1:1x6oqnslwFVuXJbJifgxspJUd3O4ntaGhRLHt+4Er9c= -github.com/go-rod/rod v0.114.5/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= +github.com/go-rod/rod v0.114.7 
h1:h4pimzSOUnw7Eo41zdJA788XsawzHjJMyzCE3BrBww0= +github.com/go-rod/rod v0.114.7/go.mod h1:aiedSEFg5DwG/fnNbUOTPMTTWX3MRj6vIs/a684Mthw= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= @@ -377,8 +376,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.18.0 h1:ShE7erKNPqRh5ue6Z9DUOlk04WsnFWPO6YGr3OxnfoQ= -github.com/google/go-containerregistry v0.18.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= +github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSPlQ/ywc5JbB8Ic= +github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -393,16 +392,16 @@ github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= -github.com/google/trillian v1.5.3 h1:3ioA5p09qz+U9/t2riklZtaQdZclaStp0/eQNfewNRg= -github.com/google/trillian v1.5.3/go.mod h1:p4tcg7eBr7aT6DxrAoILpc3uXNfcuAvZSnQKonVg+Eo= +github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= +github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= -github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/googleapis/gax-go/v2 v2.12.1 h1:9F8GV9r9ztXyAi00gsMQHNoF51xPZm8uj1dpYt2ZETM= +github.com/googleapis/gax-go/v2 v2.12.1/go.mod h1:61M8vcyyXR2kqKFxKrfA22jaA8JGF7Dc8App1U3H6jc= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 
@@ -435,8 +434,8 @@ github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2w github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= -github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= -github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4= +github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -449,8 +448,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= -github.com/jellydator/ttlcache/v3 v3.1.1 h1:RCgYJqo3jgvhl+fEWvjNW8thxGWsgxi+TPhRir1Y9y8= -github.com/jellydator/ttlcache/v3 v3.1.1/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= +github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE= +github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 
@@ -609,20 +608,20 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/fulcio v1.4.3 h1:9JcUCZjjVhRF9fmhVuz6i1RyhCc/EGCD7MOl+iqCJLQ= github.com/sigstore/fulcio v1.4.3/go.mod h1:BQPWo7cfxmJwgaHlphUHUpFkp5+YxeJes82oo39m5og= -github.com/sigstore/rekor v1.3.4 h1:RGIia1iOZU7fOiiP2UY/WFYhhp50S5aUm7YrM8aiA6E= -github.com/sigstore/rekor v1.3.4/go.mod h1:1GubPVO2yO+K0m0wt/3SHFqnilr/hWbsjSOe7Vzxrlg= -github.com/sigstore/sigstore v1.8.1 h1:mAVposMb14oplk2h/bayPmIVdzbq2IhCgy4g6R0ZSjo= -github.com/sigstore/sigstore v1.8.1/go.mod h1:02SL1158BSj15bZyOFz7m+/nJzLZfFd9A8ab3Kz7w/E= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1 h1:rEDdUefulkIQaMJyzLwtgPDLNXBIltBABiFYfb0YmgQ= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.1/go.mod h1:RCdYCc1IxCYWzh2IdzdA6Yf7JIY0cMRqH08fpQYechw= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1 h1:DvRWG99QGWZC5mp42SEde2Xke/Q384Idnj2da7yB+Mk= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.1/go.mod h1:s13mo3a0UCQS3+PAUUZfvKe48sMDMsHk2GE1b2YfPcU= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1 h1:lwdRsJv1UbBemuk7w5YfXAQilQxMoFevrzamdPbG0wY= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.1/go.mod h1:2OaSQ80EcdyVRSQ3T4d1lsc6Scopblsiq8U2AEk5K1A= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1 h1:9Ki0qudKpc1FQdef7xHO2bkLyTuw+qNUpWRzjBEmF4c= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.1/go.mod h1:nhIgyu4YwwNgalIwTGsoAzam16jjAn3ADRSWKbWPwGI= -github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q= -github.com/sigstore/timestamp-authority v1.2.1/go.mod h1:Ce+vWWEf0QaKLY2u6mpwEJbmYXEVeOfUk4fQ69kE6ck= +github.com/sigstore/rekor v1.3.5 h1:QoVXcS7NppKY+rpbEFVHr4evGDZBBSh65X0g8PXoUkQ= +github.com/sigstore/rekor v1.3.5/go.mod h1:CWqOk/fmnPwORQmm7SyDgB54GTJizqobbZ7yOP1lvw8= 
+github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c= +github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2 h1:e0EtUcE7cqWBxxME7h6upA3EA0IR3EOE3F1t+WHOdTc= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2/go.mod h1:07qBxPjI9bsgdQRiBz27Ai+gl6hgr//vwXMZzTX87Us= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 h1:Fgt4dC9OozkLEtMO6JYfFgqNdSDG1y1uAdiJgrtZYN4= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2/go.mod h1:BT+jh/GK55djPRHqTYu937eq29Zzusf1t0qVbrcn4Aw= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 h1:aX6hLH5v3JdOQJJ6+uCMmeDjcwyfQMLmXKJVl6HtzAg= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2/go.mod h1:OEFPub6XKsX6Fl/PpeIpQTsukG3I0CFWb9saHINV72U= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 h1:hRC8sGPQtnTcoOqWbCNAvLpW1pHL4CQl7FT55IrEof8= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2/go.mod h1:frWJBbYRRHnbLE9h1fH349Mde84NZh6hDrnKqhPgMNU= +github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= +github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= 
@@ -685,8 +684,8 @@ github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinC github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 h1:+dBg5k7nuTE38VVdoroRsT0Z88fmvdYrI2EjzJst35I= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1/go.mod h1:nmuySobZb4kFgFy6BptpXp/BBw+xFSyvVPP6auoJB4k= -github.com/xanzy/go-gitlab v0.96.0 h1:LGkZ+wSNMRtHIBaYE4Hq3dZVjprwHv3Y1+rhKU3WETs= -github.com/xanzy/go-gitlab v0.96.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= +github.com/xanzy/go-gitlab v0.98.0 h1:psTMbnA0vSo512M8WUpM5YIFPxrdQ/11V0y/5SdzIIg= +github.com/xanzy/go-gitlab v0.98.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= 
@@ -719,26 +718,26 @@ go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/ go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= -go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= -go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 h1:P+/g8GpuJGYbOp2tAdKrIPUX9JO02q8Q0YNlHolpibA= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0/go.mod h1:tIKj3DbO8N9Y2xo52og3irLsPI4GW02DSMtrVgNMgxg= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 h1:doUP+ExOpH3spVTLS0FcWGLnQrPct/hD/bCPbDRUEAU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0/go.mod h1:rdENBZMT2OE6Ne/KLwpiXudnAsbdrdBaqBvTN8M8BgA= +go.opentelemetry.io/otel v1.23.0 h1:Df0pqjqExIywbMCMTxkAwzjLZtRf+bBKLbUcpxO2C9E= +go.opentelemetry.io/otel v1.23.0/go.mod h1:YCycw9ZeKhcJFrb34iVSkyT0iczq/zYDtZYFufObyB0= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= 
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 h1:H2JFgRcGiyHg7H7bwcwaQJYrNFqCqrbTQ8K4p1OvDu8= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0/go.mod h1:WfCWp1bGoYK8MeULtI15MmQVczfR+bFkk0DF3h06QmQ= -go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= -go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= +go.opentelemetry.io/otel/metric v1.23.0 h1:pazkx7ss4LFVVYSxYew7L5I6qvLXHA0Ap2pwV+9Cnpo= +go.opentelemetry.io/otel/metric v1.23.0/go.mod h1:MqUW2X2a6Q8RN96E2/nqNoT+z9BSms20Jb7Bbp+HiTo= go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= -go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= -go.opentelemetry.io/otel/trace v1.22.0/go.mod h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= +go.opentelemetry.io/otel/trace v1.23.0 h1:37Ik5Ib7xfYVb4V1UtnT97T1jI+AoIYkJyPkuL4iJgI= +go.opentelemetry.io/otel/trace v1.23.0/go.mod h1:GSGTbIClEsuZrGIzoEHqsVfxgn5UkggkflQwDScNUsk= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.step.sm/crypto v0.42.1 h1:OmwHm3GJO8S4VGWL3k4+I+Q4P/F2s+j8msvTyGnh1Vg= -go.step.sm/crypto v0.42.1/go.mod h1:yNcTLFQBnYCA75fC5bklBoTAT7y0dRZsB1TkinB8JMs= +go.step.sm/crypto v0.43.1 h1:18Z/M49SnFDPXvFbfoN/ugE1i0J7phLWARhSQs/XSDI= +go.step.sm/crypto v0.43.1/go.mod h1:9n90D/SWjH1hTyQn1hgviUGyK8YRv743S8UZHYbt4BU= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -746,7 +745,6 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= @@ -760,8 +758,9 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg= +golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= 
@@ -799,11 +798,11 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -845,8 +844,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -854,8 +853,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -891,8 +890,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.159.0 h1:fVTj+7HHiUYz4JEZCHHoRIeQX7h5FMzrA2RF/DzDdbs=
-google.golang.org/api v0.159.0/go.mod h1:0mu0TpK33qnydLvWqbImq2b1eQ5FHRSDCBzAxX9ZHyw=
+google.golang.org/api v0.167.0 h1:CKHrQD1BLRii6xdkatBDXyKzM0mkawt2QP+H3LtPmSE=
+google.golang.org/api v0.167.0/go.mod h1:4FcBc686KFi7QI/U51/2GKKevfZMpM17sCdibqe/bSA=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
@@ -900,20 +899,20 @@ google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJ
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg=
-google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917/go.mod h1:pZqR+glSb11aJ+JQcczCvgf47+duRuzNSKqE8YAQnV0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM=
-google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac h1:nUQEQmH/csSvFECKYRv6HWEyypysidKl2I6Qpsglq/0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240116215550-a9fa1716bcac/go.mod h1:daQN87bsDqDoe316QbbvX60nMoJQa4r6Ds0ZuoAe5yA=
+google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 h1:g/4bk7P6TPMkAUbUhquq98xey1slwvuVJPosdBqYJlU=
+google.golang.org/genproto v0.0.0-20240205150955-31a09d347014/go.mod h1:xEgQu1e4stdSSsxPDK8Azkrk/ECl5HvdPf6nbZrTS5M=
+google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 h1:x9PwdEgd11LgK+orcck69WVRo7DezSO4VUMPI4xpc8A=
+google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014/go.mod h1:rbHMSEDyoYX62nRVLOCc4Qt1HbsdytAYoVwgjiOhF3I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 h1:hZB7eLIaYlW9qXRfCq/qDaPdbeY3757uARz5Vvfv+cY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:YUWgXUFRPfoYK1IHMuxH5K6nPEXSCzIMljnQ59lLRCk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
-google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
+google.golang.org/grpc v1.61.1 h1:kLAiWrZs7YeDM6MumDe7m3y4aM6wacLzM1Y/wiLP9XY=
+google.golang.org/grpc v1.61.1/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -960,8 +959,8 @@ k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
 k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
 k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4=
 k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo=
-k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
-k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8=
+k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
diff --git a/internal/pkg/cosign/common.go b/internal/pkg/cosign/common.go
index a3ad5d7efb73..a1aa8ebc35f0 100644
--- a/internal/pkg/cosign/common.go
+++ b/internal/pkg/cosign/common.go
@@ -18,6 +18,7 @@ import (
 	"errors"
 	"hash"
 	"io"
+	"io/fs"
 	"os"
 )
@@ -27,7 +28,7 @@ const (
 func FileExists(filename string) (bool, error) {
 	info, err := os.Stat(filename)
-	if os.IsNotExist(err) {
+	if errors.Is(err, fs.ErrNotExist) {
 		return false, nil
 	}
 	if err != nil {
diff --git a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
index 3d86353c35f5..3b44da884201 100644
--- a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
+++ b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
@@ -56,6 +56,13 @@ func GetIntermediates() (*x509.CertPool, error) {
 	return intermediates, singletonRootErr
 }
+// ReInit reinitializes the global roots and intermediates, overriding the sync.Once lock.
+// This is only to be used for tests, where the trust root environment variables may change after the roots are initialized in the module.
+func ReInit() error {
+	roots, intermediates, singletonRootErr = initRoots()
+	return singletonRootErr
+}
+
 func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 	rootPool := x509.NewCertPool()
 	// intermediatePool should be nil if no intermediates are found
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 141a07eea53f..abd551d80282 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -27,6 +27,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"io/fs"
 	"net/http"
 	"os"
 	"regexp"
@@ -592,8 +593,8 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C
 	}
 	if len(sl) == 0 {
-		return nil, false, &ErrNoMatchingSignatures{
-			errors.New("no matching signatures"),
+		return nil, false, &ErrNoSignaturesFound{
+			errors.New("no signatures found"),
 		}
 	}
@@ -834,7 +835,7 @@ func loadSignatureFromFile(ctx context.Context, sigRef string, signedImgRef name
 	var b64sig string
 	targetSig, err := blob.LoadFileOrURL(sigRef)
 	if err != nil {
-		if !os.IsNotExist(err) {
+		if !errors.Is(err, fs.ErrNotExist) {
 			return nil, err
 		}
 		targetSig = []byte(sigRef)
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index 578d349056cc..03d88842d4ea 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -46,6 +46,7 @@ import (
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
 	tsaMock "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/mock"
 	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	"github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/sigstore/cosign/v2/test"
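Review bot: ReInit writes the package-level roots, intermediates and singletonRootErr with no synchronization, so a call that overlaps a concurrent GetRoots()/GetIntermediates() reader is a data race that `go test -race` will report; the sync.Once the comment mentions is outside the hunk and is not reset here, so it cannot serialize this write. Because the function is exported from an internal package it is reachable from every package in the module, not only from tests, and nothing enforces the "tests only" intent. At minimum the doc comment should state the contract, e.g. `// ReInit is not safe for concurrent use with GetRoots or GetIntermediates; callers must ensure no verification is in flight.`, or the three assignments should happen under a mutex that the getters also take. initRoots continues outside the hunk.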
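Review bot: The `len(sl) == 0` branch in verifySignatures now returns *ErrNoSignaturesFound where it previously returned *ErrNoMatchingSignatures, an observable change for any caller that matches the old type with errors.As to tell "nothing to verify" from "signatures present but none satisfy the policy", and the hunk carries no comment or changelog note for it. A one-line comment above the return would make the split explicit, e.g. `// No signatures at all on the image; ErrNoMatchingSignatures is reserved for signatures that exist but fail the policy.` The rest of verifySignatures, including where ErrNoMatchingSignatures is still produced, is outside the hunk.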
@@ -237,6 +238,44 @@ func CreateTestBundle(ctx context.Context, t *testing.T, rekor signature.Signer,
 	return b
 }
+func Test_verifySignaturesErrNoSignaturesFound(t *testing.T) {
+	_, _, err := verifySignatures(context.Background(), &fakeOCISignatures{}, v1.Hash{}, nil)
+	var e *ErrNoSignaturesFound
+	if !errors.As(err, &e) {
+		t.Fatalf("%T{%q} is not a %T", err, err, &ErrNoSignaturesFound{})
+	}
+}
+
+func Test_verifySignaturesErrNoMatchingSignatures(t *testing.T) {
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)
+	leafCert, privKey, _ := test.GenerateLeafCert("subject@mail.com", "oidc-issuer", subCert, subKey)
+	pemRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert.Raw})
+	pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw})
+	pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	payload := []byte{1, 2, 3, 4}
+	h := sha256.Sum256(payload)
+	signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256)
+
+	ociSig, _ := static.NewSignature(payload,
+		base64.StdEncoding.EncodeToString(signature),
+		static.WithCertChain(pemLeaf, appendSlices([][]byte{pemSub, pemRoot})))
+	_, _, err := verifySignatures(context.Background(), &fakeOCISignatures{signatures: []oci.Signature{ociSig}}, v1.Hash{}, &CheckOpts{
+		RootCerts: rootPool,
+		IgnoreSCT: true,
+		IgnoreTlog: true,
+		Identities: []Identity{{Subject: "another-subject@mail.com", Issuer: "oidc-issuer"}}})
+
+	var e *ErrNoMatchingSignatures
+	if !errors.As(err, &e) {
+		t.Fatalf("%T{%q} is not a %T", err, err, &ErrNoMatchingSignatures{})
+	}
+}
+
 func TestVerifyImageSignatureWithNoChain(t *testing.T) {
 	ctx := context.Background()
 	rootCert, rootKey, _ := test.GenerateRootCa()
diff --git a/pkg/providers/interface.go b/pkg/providers/interface.go
index 30d595aa5bd5..d85f067f0ac7 100644
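Review bot: Test_verifySignaturesErrNoMatchingSignatures discards every setup error (`rootCert, rootKey, _ := test.GenerateRootCa()`, `signature, _ := privKey.Sign(...)`, `ociSig, _ := static.NewSignature(...)`), so a failure in certificate generation or signing surfaces as a nil dereference or as an unrelated error type rather than as a clear message. Checking at least the two calls whose output feeds verifySignatures, `if err != nil { t.Fatal(err) }` after privKey.Sign and after static.NewSignature, keeps a setup problem from being misread as a verification result. The first test passes a nil *CheckOpts; that only works while the empty-list check runs before any option is read, which a short comment on that line, `// nil CheckOpts is deliberate: the empty-signature check must precede any option access`, would record as intentional.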
--- a/pkg/providers/interface.go
+++ b/pkg/providers/interface.go
@@ -80,7 +80,7 @@ func Provide(ctx context.Context, audience string) (string, error) {
 		}
 		id, err = provider.p.Provide(ctx, audience)
 		if err == nil {
-			return id, err
+			return id, nil
 		}
 	}
 	// return the last id/err combo, unless there wasn't an error in
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 09c397eb1767..028a2cb622ea 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -24,11 +24,12 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"io"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"os"
@@ -54,12 +55,15 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attest"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/dockerfile"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/manifest"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
@@ -76,9 +80,9 @@ import (
 )
 const (
-	serverEnv = "REKOR_SERVER"
 	rekorURL = "http://127.0.0.1:3000"
 	fulcioURL = "http://127.0.0.1:5555"
+	certID = "foo@bar.com"
 )
 var keyPass = []byte("hello")
@@ -87,7 +91,7 @@ var passFunc = func(_ bool) ([]byte, error) {
 	return keyPass, nil
 }
-var verify = func(keyRef, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment string) error {
+var verify = func(keyRef, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment string, skipTlogVerify bool) error {
 	cmd := cliverify.VerifyCommand{
 		KeyRef: keyRef,
 		RekorURL: rekorURL,
@@ -95,8 +99,8 @@ var verify = func(keyRef, imageRef string, checkClaims bool, annotations map[str
 		Annotations: sigs.AnnotationsMap{Annotations: annotations},
 		Attachment: attachment,
 		HashAlgorithm: crypto.SHA256,
-		IgnoreTlog: true,
 		MaxWorkers: 10,
+		IgnoreTlog: skipTlogVerify,
 	}
 	args := []string{imageRef}
@@ -107,6 +111,7 @@ var verify = func(keyRef, imageRef string, checkClaims bool, annotations map[str
 var verifyTSA = func(keyRef, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment, tsaCertChain string, skipTlogVerify bool) error {
 	cmd := cliverify.VerifyCommand{
 		KeyRef: keyRef,
+		RekorURL: rekorURL,
 		CheckClaims: checkClaims,
 		Annotations: sigs.AnnotationsMap{Annotations: annotations},
 		Attachment: attachment,
@@ -127,6 +132,7 @@ var verifyKeylessTSA = func(imageRef string, tsaCertChain string, skipSCT bool,
 			CertOidcIssuerRegexp: ".*",
 			CertIdentityRegexp: ".*",
 		},
+		RekorURL: rekorURL,
 		HashAlgorithm: crypto.SHA256,
 		TSACertChainPath: tsaCertChain,
 		IgnoreSCT: skipSCT,
@@ -143,12 +149,12 @@ var verifyKeylessTSA = func(imageRef string, tsaCertChain string, skipSCT bool,
 var verifyLocal = func(keyRef, path string, checkClaims bool, annotations map[string]interface{}, attachment string) error {
 	cmd := cliverify.VerifyCommand{
 		KeyRef: keyRef,
+		RekorURL: rekorURL,
 		CheckClaims: checkClaims,
 		Annotations: sigs.AnnotationsMap{Annotations: annotations},
 		Attachment: attachment,
 		HashAlgorithm: crypto.SHA256,
 		LocalImage: true,
-		IgnoreTlog: true,
 		MaxWorkers: 10,
 	}
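Review bot: verifyLocal loses `IgnoreTlog: true` and gains `RekorURL: rekorURL` but, unlike verify, gets no skipTlogVerify parameter, so every caller now performs tlog verification with no way to opt out, while verify, verifyTSA and verifyKeylessTSA all expose that switch. Giving verifyLocal the same trailing `skipTlogVerify bool` parameter with `IgnoreTlog: skipTlogVerify` keeps the four helpers consistent and lets a local-image test stay hermetic when no Rekor key has been configured. In verify itself the new `IgnoreTlog: skipTlogVerify` line lands after MaxWorkers, away from the other verification switches; keeping it where the removed line was, next to HashAlgorithm, reads better. The callers of verifyLocal are outside these hunks.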
@@ -157,12 +163,34 @@ var verifyLocal = func(keyRef, path string, checkClaims bool, annotations map[st
 	return cmd.Exec(context.Background(), args)
 }
+var verifyOffline = func(keyRef, imageRef string, checkClaims bool, annotations map[string]interface{}, attachment string) error {
+	cmd := cliverify.VerifyCommand{
+		KeyRef: keyRef,
+		RekorURL: "notreal",
+		Offline: true,
+		CheckClaims: checkClaims,
+		Annotations: sigs.AnnotationsMap{Annotations: annotations},
+		Attachment: attachment,
+		HashAlgorithm: crypto.SHA256,
+		MaxWorkers: 10,
+	}
+
+	args := []string{imageRef}
+
+	return cmd.Exec(context.Background(), args)
+}
+
 var ro = &options.RootOptions{Timeout: options.DefaultTimeout}
 func TestSignVerify(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
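Review bot: The preamble added to TestSignVerify (`td := t.TempDir()`, the downloadAndSetEnv call against `rekorURL+"/api/v1/log/publicKey"`, `if err != nil { t.Fatal(err) }`) is repeated verbatim in the hunks that follow for TestSignVerifyClean, TestImportSignVerifyClean, TestRekorBundle, TestRekorOutput, TestFulcioBundle, TestRekorBundleAndRFC3161Timestamp, TestDuplicateSign, TestMultipleSignatures, TestSignBlob, TestSignBlobBundle, TestSignBlobRFC3161TimestampBundle, TestSaveLoad and TestSaveLoadAttestation, which is over a dozen places to keep in step if the key path or env variable ever changes. A small helper that returns the temp dir removes the repetition; the fetch trusts whatever key the Rekor instance under test serves, which is fine for a local e2e server but deserves a comment so the pattern is not copied into code that verifies against a real log. In verifyOffline, `RekorURL: "notreal"` next to `Offline: true` is reasonable belt-and-braces, but a one-line comment saying the unreachable URL exists so that any accidental network call fails loudly would explain why both are set.

```go
// rekorPublicKeyDir fetches the public key served by the local Rekor instance
// into a fresh temp dir and points env.VariableSigstoreRekorPublicKey at it.
// This is trust-on-first-use against the test server only; a real verifier
// obtains the log key from a trusted root, never from the log it is checking.
func rekorPublicKeyDir(t *testing.T) string {
	t.Helper()
	td := t.TempDir()
	if err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td); err != nil {
		t.Fatal(err)
	}
	return td
}

func TestSignVerify(t *testing.T) {
	td := rekorPublicKeyDir(t)
	// … unchanged: registry setup, keypair, sign/verify flow …
```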
@@ -173,23 +201,29 @@ func TestSignVerify(t *testing.T) {
 	ctx := context.Background()
 	// Verify should fail at first
-	mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	// So should download
 	mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Now sign the image
-	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+	ko := options.KeyOpts{
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		SkipConfirmation: true,
+	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify and download should work!
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Look for a specific annotation
-	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
 	so.AnnotationOptions = options.AnnotationOptions{
 		Annotations: []string{"foo=bar"},
@@ -198,16 +232,21 @@ func TestSignVerify(t *testing.T) {
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// It should match this time.
-	must(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, ""), t)
+	must(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
 	// But two doesn't work
-	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", false), t)
 }
 func TestSignVerifyClean(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -218,28 +257,38 @@ func TestSignVerifyClean(t *testing.T) {
 	ctx := context.Background()
 	// Now sign the image
-	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+	ko := options.KeyOpts{
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		SkipConfirmation: true,
+	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify and download should work!
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Now clean signature from the given image
 	must(cli.CleanCmd(ctx, options.RegistryOptions{}, "all", imgName, true), t)
 	// It doesn't work
-	mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t)
 }
 func TestImportSignVerifyClean(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -250,21 +299,27 @@ func TestImportSignVerifyClean(t *testing.T) {
 	ctx := context.Background()
 	// Now sign the image
-	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+	ko := options.KeyOpts{
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		SkipConfirmation: true,
+	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify and download should work!
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Now clean signature from the given image
 	must(cli.CleanCmd(ctx, options.RegistryOptions{}, "all", imgName, true), t)
 	// It doesn't work
-	mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t)
 }
 func TestAttestVerify(t *testing.T) {
@@ -380,7 +435,7 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 	must(verifyAttestation.Exec(ctx, []string{imgName}), t)
 	// Look for a specific annotation
-	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
 }
 func TestAttestationDownload(t *testing.T) {
@@ -879,9 +934,6 @@ func TestAttachWithRFC3161Timestamp(t *testing.T) {
 	pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw})
 	pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
-	rootPool := x509.NewCertPool()
-	rootPool.AddCert(rootCert)
-
 	payloadref := mkfile(b.String(), td, t)
 	h := sha256.Sum256(b.Bytes())
@@ -952,9 +1004,6 @@ func TestAttachWithRekorBundle(t *testing.T) {
 	pemSub := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: subCert.Raw})
 	pemLeaf := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafCert.Raw})
-	rootPool := x509.NewCertPool()
-	rootPool.AddCert(rootCert)
-
 	payloadref := mkfile(b.String(), td, t)
 	h := sha256.Sum256(b.Bytes())
@@ -999,12 +1048,14 @@ func TestAttachWithRekorBundle(t *testing.T) {
 }
 func TestRekorBundle(t *testing.T) {
-	// turn on the tlog
-	defer setenv(t, env.VariableExperimental.String(), "1")()
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -1014,29 +1065,34 @@ func TestRekorBundle(t *testing.T) {
 	_, privKeyPath, pubKeyPath := keypair(t, td)
 	ko := options.KeyOpts{
-		KeyRef: privKeyPath,
-		PassFunc: passFunc,
-		RekorURL: rekorURL,
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		SkipConfirmation: true,
 	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	// Sign the image
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Make sure verify works
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	// Make sure offline verification works with bundling
-	// use rekor prod since we have hardcoded the public key
-	os.Setenv(serverEnv, "notreal")
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verifyOffline(pubKeyPath, imgName, true, nil, ""), t)
 }
 func TestRekorOutput(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
 	bundlePath := filepath.Join(td, "bundle.sig")
@@ -1053,13 +1109,14 @@ func TestRekorOutput(t *testing.T) {
 		BundlePath: bundlePath,
 	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	// Sign the image
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Make sure verify works
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	if file, err := os.ReadFile(bundlePath); err != nil {
 		t.Fatal(err)
@@ -1070,15 +1127,18 @@ func TestRekorOutput(t *testing.T) {
 		}
 	}
 	// Make sure offline verification works with bundling
-	// use rekor prod since we have hardcoded the public key
-	os.Setenv(serverEnv, "notreal")
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verifyOffline(pubKeyPath, imgName, true, nil, ""), t)
 }
 func TestFulcioBundle(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -1088,25 +1148,26 @@ func TestFulcioBundle(t *testing.T) {
 	_, privKeyPath, pubKeyPath := keypair(t, td)
 	ko := options.KeyOpts{
-		KeyRef: privKeyPath,
-		PassFunc: passFunc,
-		RekorURL: rekorURL,
-		FulcioURL: fulcioURL,
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		FulcioURL: fulcioURL,
+		SkipConfirmation: true,
 	}
 	so := options.SignOptions{
 		Upload: true,
+		TlogUpload: true,
 		IssueCertificate: true,
 	}
 	// Sign the image
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Make sure verify works
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verify(pubKeyPath, imgName, true, nil, "", false), t)
 	// Make sure offline verification works with bundling
 	// use rekor prod since we have hardcoded the public key
-	os.Setenv(serverEnv, "notreal")
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(verifyOffline(pubKeyPath, imgName, true, nil, ""), t)
 }
 func TestRFC3161Timestamp(t *testing.T) {
@@ -1165,6 +1226,12 @@ func TestRFC3161Timestamp(t *testing.T) {
 }
 func TestRekorBundleAndRFC3161Timestamp(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
 	viper.Set("timestamp-signer-hash", "sha256")
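Review bot: TestFulcioBundle keeps the comment `// use rekor prod since we have hardcoded the public key` directly above the new `must(verifyOffline(...))` call, even though the os.Setenv line it described is removed in this hunk and the same comment was dropped from TestRekorBundle and TestRekorOutput. The remark is now misleading: nothing here points at a production Rekor, and the key comes from the downloadAndSetEnv call at the top of the test. Delete it, or replace it with what the call actually checks, e.g. `// Offline verification must succeed from the bundle alone; verifyOffline points RekorURL at an unreachable host.`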
@@ -1194,7 +1261,6 @@ func TestRekorBundleAndRFC3161Timestamp(t *testing.T) {
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -1222,9 +1288,14 @@ func TestRekorBundleAndRFC3161Timestamp(t *testing.T) {
 }
 func TestDuplicateSign(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
-	td := t.TempDir()
 	imgName := path.Join(repo, "cosign-e2e")
@@ -1235,19 +1306,23 @@ func TestDuplicateSign(t *testing.T) {
 	ctx := context.Background()
 	// Verify should fail at first
-	mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
+	mustErr(verify(pubKeyPath, imgName, true, nil, "", true), t)
 	// So should download
 	mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Now sign the image
-	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+	ko := options.KeyOpts{
+		KeyRef: privKeyPath,
+		PassFunc: passFunc,
+	}
 	so := options.SignOptions{
 		Upload: true,
 	}
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify and download should work!
-	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	// Ignore the tlog, because uploading to the tlog causes new signatures with new timestamp entries to be appended.
+	must(verify(pubKeyPath, imgName, true, nil, "", true), t)
 	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 	// Signing again should work just fine...
@@ -1272,11 +1347,11 @@ func TestKeyURLVerify(t *testing.T) {
 	keyRef := "https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub"
 	img := "gcr.io/distroless/base:latest"
-	must(verify(keyRef, img, true, nil, ""), t)
+	must(verify(keyRef, img, true, nil, "", false), t)
 }
 func TestGenerateKeyPairEnvVar(t *testing.T) {
-	defer setenv(t, "COSIGN_PASSWORD", "foo")()
+	t.Setenv("COSIGN_PASSWORD", "foo")
 	keys, err := cosign.GenerateKeyPair(generate.GetPass)
 	if err != nil {
 		t.Fatal(err)
@@ -1299,7 +1374,7 @@ func TestGenerateKeyPairK8s(t *testing.T) {
 		os.Chdir(wd)
 	}()
 	password := "foo"
-	defer setenv(t, "COSIGN_PASSWORD", password)()
+	t.Setenv("COSIGN_PASSWORD", password)
 	ctx := context.Background()
 	name := "cosign-secret"
 	namespace := "default"
@@ -1332,6 +1407,12 @@ func TestGenerateKeyPairK8s(t *testing.T) {
 }
 func TestMultipleSignatures(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	repo, stop := reg(t)
 	defer stop()
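Review bot: TestKeyURLVerify now passes `false` for skipTlogVerify, so the signature on the public distroless image is checked against the transparency log through verify, whose RekorURL is the local `rekorURL`, and this test, unlike the others in the change, does not call downloadAndSetEnv. Whether the image's bundled log entry verifies therefore depends on a Rekor public key that this hunk does not set up; if the intent is only to exercise the key-from-URL path, `must(verify(keyRef, img, true, nil, "", true), t)` keeps the test independent of that configuration, and if tlog checking is intended the key source should be made explicit. The start of TestKeyURLVerify is outside the hunk, so a skip or additional setup there would change this reading.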
@@ -1347,36 +1428,43 @@ func TestMultipleSignatures(t *testing.T) {
 	_, priv2, pub2 := keypair(t, td2)
 	// Verify should fail at first for both keys
-	mustErr(verify(pub1, imgName, true, nil, ""), t)
-	mustErr(verify(pub2, imgName, true, nil, ""), t)
+	mustErr(verify(pub1, imgName, true, nil, "", false), t)
+	mustErr(verify(pub2, imgName, true, nil, "", false), t)
 	// Now sign the image with one key
-	ko := options.KeyOpts{KeyRef: priv1, PassFunc: passFunc}
+	ko := options.KeyOpts{
+		KeyRef: priv1,
+		PassFunc: passFunc,
+		RekorURL: rekorURL,
+		SkipConfirmation: true,
+	}
 	so := options.SignOptions{
-		Upload: true,
+		Upload: true,
+		TlogUpload: true,
 	}
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify should work with that one, but not the other
-	must(verify(pub1, imgName, true, nil, ""), t)
-	mustErr(verify(pub2, imgName, true, nil, ""), t)
+	must(verify(pub1, imgName, true, nil, "", false), t)
+	mustErr(verify(pub2, imgName, true, nil, "", false), t)
 	// Now sign with the other key too
 	ko.KeyRef = priv2
 	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
 	// Now verify should work with both
-	must(verify(pub1, imgName, true, nil, ""), t)
-	must(verify(pub2, imgName, true, nil, ""), t)
+	must(verify(pub1, imgName, true, nil, "", false), t)
+	must(verify(pub2, imgName, true, nil, "", false), t)
 }
 func TestSignBlob(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
 	blob := "someblob"
 	td1 := t.TempDir()
 	td2 := t.TempDir()
-	t.Cleanup(func() {
-		os.RemoveAll(td1)
-		os.RemoveAll(td2)
-	})
 	bp := filepath.Join(td1, blob)
 	if err := os.WriteFile(bp, []byte(blob), 0644); err != nil {
@@ -1427,9 +1515,6 @@ func TestSignBlob(t *testing.T) {
 func TestSignBlobBundle(t *testing.T) {
 	blob := "someblob"
 	td1 := t.TempDir()
-	t.Cleanup(func() {
-		os.RemoveAll(td1)
-	})
 	bp := filepath.Join(td1, blob)
 	bundlePath := filepath.Join(td1, "bundle.sig")
@@ -1437,6 +1522,11 @@ func TestSignBlobBundle(t *testing.T) {
 		t.Fatal(err)
 	}
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td1)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	_, privKeyPath1, pubKeyPath1 := keypair(t, td1)
 	ctx := context.Background()
@@ -1472,12 +1562,17 @@ func TestSignBlobBundle(t *testing.T) {
 	}
 	// Point to a fake rekor server to make sure offline verification of the tlog entry works
-	os.Setenv(serverEnv, "notreal")
+	verifyBlobCmd.RekorURL = "notreal"
 	verifyBlobCmd.IgnoreTlog = false
 	must(verifyBlobCmd.Exec(ctx, bp), t)
 }
 func TestSignBlobRFC3161TimestampBundle(t *testing.T) {
+	td := t.TempDir()
+	err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+	if err != nil {
+		t.Fatal(err)
+	}
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
 	viper.Set("timestamp-signer-hash", "sha256")
@@ -1486,13 +1581,9 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) {
 	t.Cleanup(server.Close)
 	blob := "someblob"
-	td1 := t.TempDir()
-	t.Cleanup(func() {
-		os.RemoveAll(td1)
-	})
-	bp := filepath.Join(td1, blob)
-	bundlePath := filepath.Join(td1, "bundle.sig")
-	tsPath := filepath.Join(td1, "rfc3161Timestamp.json")
+	bp := filepath.Join(td, blob)
+	bundlePath := filepath.Join(td, "bundle.sig")
+	tsPath := filepath.Join(td, "rfc3161Timestamp.json")
 	if err := os.WriteFile(bp, []byte(blob), 0644); err != nil {
 		t.Fatal(err)
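Review bot: In TestSignBlobBundle the env-var trick becomes `verifyBlobCmd.RekorURL = "notreal"`, but the comment above it still describes the goal as offline verification of the tlog entry while the command is not put into an explicit offline mode, so whether the verifier touches the network is decided by the bundle code path rather than by a setting the test controls. The image path in this same change (verifyOffline) sets `Offline: true` alongside the unreachable URL; if VerifyBlobCmd exposes the equivalent switch, setting it here too, with `RekorURL = "notreal"` kept as a tripwire, states the intent directly and gives a clearer failure than a connection error. The same pattern is added to TestSignBlobRFC3161TimestampBundle in the next hunk.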
@@ -1518,7 +1609,7 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) { t.Fatalf("error writing chain payload to temp file: %v", err) } - _, privKeyPath1, pubKeyPath1 := keypair(t, td1) + _, privKeyPath1, pubKeyPath1 := keypair(t, td) ctx := context.Background() @@ -1556,6 +1647,7 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) { t.Fatal(err) } // Point to a fake rekor server to make sure offline verification of the tlog entry works + verifyBlobCmd.RekorURL = "notreal" verifyBlobCmd.IgnoreTlog = false must(verifyBlobCmd.Exec(ctx, bp), t) } @@ -1775,6 +1867,11 @@ func TestUploadDownload(t *testing.T) { } func TestSaveLoad(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } tests := []struct { description string getSignedEntity func(t *testing.T, n string) (name.Reference, *remote.Descriptor, func()) @@ -1803,12 +1900,18 @@ func TestSaveLoad(t *testing.T) { ctx := context.Background() // Now sign the image and verify it - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } so := options.SignOptions{ - Upload: true, + Upload: true, + TlogUpload: true, } must(sign.SignCmd(ro, ko, so, []string{imgName}), t) - must(verify(pubKeyPath, imgName, true, nil, ""), t) + must(verify(pubKeyPath, imgName, true, nil, "", false), t) // save the image to a temp dir imageDir := t.TempDir() 
@@ -1820,15 +1923,20 @@ func TestSaveLoad(t *testing.T) { // load the image from the temp dir into a new image and verify the new image imgName2 := path.Join(repo, fmt.Sprintf("save-load-%d-2", i)) must(cli.LoadCmd(ctx, options.LoadOptions{Directory: imageDir}, imgName2), t) - must(verify(pubKeyPath, imgName2, true, nil, ""), t) + must(verify(pubKeyPath, imgName2, true, nil, "", false), t) }) } } func TestSaveLoadAttestation(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } + repo, stop := reg(t) defer stop() - td := t.TempDir() imgName := path.Join(repo, "save-load") @@ -1839,12 +1947,18 @@ func TestSaveLoadAttestation(t *testing.T) { ctx := context.Background() // Now sign the image and verify it - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := options.KeyOpts{ + KeyRef: privKeyPath, + PassFunc: passFunc, + RekorURL: rekorURL, + SkipConfirmation: true, + } so := options.SignOptions{ - Upload: true, + Upload: true, + TlogUpload: true, } must(sign.SignCmd(ro, ko, so, []string{imgName}), t) - must(verify(pubKeyPath, imgName, true, nil, ""), t) + must(verify(pubKeyPath, imgName, true, nil, "", false), t) // now, append an attestation to the image slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }` @@ -1871,7 +1985,7 @@ func TestSaveLoadAttestation(t *testing.T) { // load the image from the temp dir into a new image and verify the new image imgName2 := path.Join(repo, "save-load-2") must(cli.LoadCmd(ctx, options.LoadOptions{Directory: imageDir}, imgName2), t) - must(verify(pubKeyPath, imgName2, true, nil, ""), t) + must(verify(pubKeyPath, imgName2, true, nil, "", false), t) // Use cue to verify attestation on the new image policyPath := filepath.Join(td, "policy.cue") verifyAttestation := cliverify.VerifyAttestationCommand{ 
@@ -1893,6 +2007,12 @@ func TestSaveLoadAttestation(t *testing.T) { } func TestAttachSBOM(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } + repo, stop := reg(t) defer stop() ctx := context.Background() @@ -1907,7 +2027,7 @@ func TestAttachSBOM(t *testing.T) { if errPl == nil { t.Fatalf("Expected error when passing Platform to single arch image") } - _, err := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, img.Name(), &out) + _, err = download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, img.Name(), &out) if err == nil { t.Fatal("Expected error") } @@ -1940,20 +2060,25 @@ func TestAttachSBOM(t *testing.T) { _, _, pubKeyPath2 := keypair(t, td2) // Verify should fail on a bad input - mustErr(verify(pubKeyPath1, imgName, true, nil, "sbom"), t) - mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom"), t) + mustErr(verify(pubKeyPath1, imgName, true, nil, "sbom", false), t) + mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom", false), t) // Now sign the sbom with one key - ko1 := options.KeyOpts{KeyRef: privKeyPath1, PassFunc: passFunc} + ko1 := options.KeyOpts{ + KeyRef: privKeyPath1, + PassFunc: passFunc, + RekorURL: rekorURL, + } so := options.SignOptions{ Upload: true, + TlogUpload: true, Attachment: "sbom", } must(sign.SignCmd(ro, ko1, so, []string{imgName}), t) // Now verify should work with that one, but not the other - must(verify(pubKeyPath1, imgName, true, nil, "sbom"), t) - mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom"), t) + must(verify(pubKeyPath1, imgName, true, nil, "sbom", false), t) + mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom", false), t) } func TestAttachSBOM_bom_flag(t *testing.T) { 
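Review bot: `ko1` in TestAttachSBOM gains `RekorURL: rekorURL` and `so` gains `TlogUpload: true`, but unlike the otherwise identical KeyOpts in TestMultipleSignatures, TestSaveLoad and TestSaveLoadAttestation it does not set `SkipConfirmation: true`. The other hunks add that field together with TlogUpload, which suggests SignCmd may prompt before uploading to the log when it is unset; if so, this test could block or fail on a non-interactive runner. Adding `SkipConfirmation: true,` to ko1 keeps the three tests consistent. The enclosing TestAttachSBOM begins in an earlier hunk.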
@@ -2047,56 +2172,6 @@ func TestAttachSBOM_bom_flag(t *testing.T) { } } -func setenv(t *testing.T, k, v string) func() { - if err := os.Setenv(k, v); err != nil { - t.Fatalf("error setting env: %v", err) - } - return func() { - os.Unsetenv(k) - } -} - -func TestTlog(t *testing.T) { - repo, stop := reg(t) - defer stop() - td := t.TempDir() - - imgName := path.Join(repo, "cosign-e2e") - - _, _, cleanup := mkimage(t, imgName) - defer cleanup() - - _, privKeyPath, pubKeyPath := keypair(t, td) - - // Verify should fail at first - mustErr(verify(pubKeyPath, imgName, true, nil, ""), t) - - // Now sign the image without the tlog - ko := options.KeyOpts{ - KeyRef: privKeyPath, - PassFunc: passFunc, - RekorURL: rekorURL, - } - so := options.SignOptions{ - Upload: true, - } - must(sign.SignCmd(ro, ko, so, []string{imgName}), t) - - // Now verify should work! - must(verify(pubKeyPath, imgName, true, nil, ""), t) - - // TODO: priyawadhwa@ to figure out how to add an entry to the tlog without using keyless signing - // We could add an --upload-tlog flag, but it's a bit weird since we have a --no-upload-tlog flag too right now. - - // Verify shouldn't work since we haven't put anything in it yet. - // mustErr(verify(pubKeyPath, imgName, true, nil, ""), t) - - // // Sign again with the tlog env var on - // must(sign.SignCmd(ro, ko, so, []string{imgName}), t) - // // And now verify works! - // must(verify(pubKeyPath, imgName, true, nil, ""), t) -} - func TestNoTlog(t *testing.T) { repo, stop := reg(t) defer stop() @@ -2110,7 +2185,7 @@ func TestNoTlog(t *testing.T) { _, privKeyPath, pubKeyPath := keypair(t, td) // Verify should fail at first - mustErr(verify(pubKeyPath, imgName, true, nil, ""), t) + mustErr(verify(pubKeyPath, imgName, true, nil, "", true), t) // Now sign the image without the tlog ko := options.KeyOpts{ 
@@ -2124,18 +2199,7 @@ func TestNoTlog(t *testing.T) { must(sign.SignCmd(ro, ko, so, []string{imgName}), t) // Now verify should work! - must(verify(pubKeyPath, imgName, true, nil, ""), t) - - // TODO: Uncomment once we have a way to tell `cosign verify` that we want to verify with a public key - // and a tlog entry - - // // Sign again and make sure tlog upload is set to false - // so = options.SignOptions{ - // TlogUpload: false, - // } - // must(sign.SignCmd(ro, ko, so, []string{imgName}), t) - // // And verify it still fails. - // mustErr(verify(pubKeyPath, imgName, true, nil, ""), t) + must(verify(pubKeyPath, imgName, true, nil, "", true), t) } func TestGetPublicKeyCustomOut(t *testing.T) { @@ -2183,6 +2247,16 @@ func mkfile(contents, td string, t *testing.T) string { return f.Name() } +func mkfileWithExt(contents, td, ext string, t *testing.T) string { + f := mkfile(contents, td, t) + newName := f + ext + err := os.Rename(f, newName) + if err != nil { + t.Fatal(err) + } + return newName +} + func mkimage(t *testing.T, n string) (name.Reference, *remote.Descriptor, func()) { ref, err := name.ParseReference(n, name.WeakValidation) if err != nil { @@ -2290,9 +2364,14 @@ func registryClientOpts(ctx context.Context) []remote.Option { // 3. Take the bundle from image1 and store it on the signature in image2 // 4. Verification of image2 should now fail, since the bundle is for a different signature func TestInvalidBundle(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } + regName, stop := reg(t) defer stop() - td := t.TempDir() img1 := path.Join(regName, "cosign-e2e") 
@@ -2314,7 +2393,7 @@ func TestInvalidBundle(t *testing.T) { } must(sign.SignCmd(ro, ko, so, []string{img1}), t) // verify image1 - must(verify(pubKeyPath, img1, true, nil, ""), t) + must(verify(pubKeyPath, img1, true, nil, "", false), t) // extract the bundle from image1 si, err := ociremote.SignedImage(imgRef, remoteOpts) must(err, t) @@ -2333,7 +2412,6 @@ func TestInvalidBundle(t *testing.T) { // Now, we move on to image2 // Sign image2 and DO NOT store the entry in rekor - defer setenv(t, env.VariableExperimental.String(), "0")() img2 := path.Join(regName, "unrelated") imgRef2, _, cleanup := mkimage(t, img2) defer cleanup() @@ -2342,7 +2420,7 @@ func TestInvalidBundle(t *testing.T) { TlogUpload: false, } must(sign.SignCmd(ro, ko, so, []string{img2}), t) - must(verify(pubKeyPath, img2, true, nil, ""), t) + must(verify(pubKeyPath, img2, true, nil, "", true), t) si2, err := ociremote.SignedEntity(imgRef2, remoteOpts) must(err, t) @@ -2364,7 +2442,7 @@ func TestInvalidBundle(t *testing.T) { if err := remote.Delete(sigsTag); err != nil { t.Fatal(err) } - mustErr(verify(pubKeyPath, img2, true, nil, ""), t) + mustErr(verify(pubKeyPath, img2, true, nil, "", false), t) newSig, err := mutate.Signature(gottenSigs2[0], mutate.WithBundle(bund)) must(err, t) @@ -2458,9 +2536,14 @@ func TestAttestBlobSignVerify(t *testing.T) { } func TestOffline(t *testing.T) { + td := t.TempDir() + err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td) + if err != nil { + t.Fatal(err) + } + regName, stop := reg(t) defer stop() - td := t.TempDir() img1 := path.Join(regName, "cosign-e2e") 
@@ -2480,9 +2563,10 @@ func TestOffline(t *testing.T) { } must(sign.SignCmd(ro, ko, so, []string{img1}), t) // verify image1 online and offline - must(verify(pubKeyPath, img1, true, nil, ""), t) + must(verify(pubKeyPath, img1, true, nil, "", false), t) verifyCmd := &cliverify.VerifyCommand{ KeyRef: pubKeyPath, + RekorURL: "notreal", Offline: true, CheckClaims: true, MaxWorkers: 10, @@ -2516,7 +2600,7 @@ func TestOffline(t *testing.T) { newImage, err := mutate.AttachSignatureToEntity(si, newSig) must(err, t) - mustErr(verify(pubKeyPath, img1, true, nil, ""), t) + mustErr(verify(pubKeyPath, img1, true, nil, "", false), t) if err := ociremote.WriteSignatures(sigsTag.Repository, newImage); err != nil { t.Fatal(err) } 
@@ -2524,3 +2608,303 @@ func TestOffline(t *testing.T) { // Confirm offline verification fails mustErr(verifyCmd.Exec(ctx, []string{img1}), t) } + +func TestDockerfileVerify(t *testing.T) { + td := t.TempDir() + + // set up SIGSTORE_ variables to point to keys for the local instances + err := setLocalEnv(t, td) + if err != nil { + t.Fatal(err) + } + + // unset the roots that were generated for timestamp signing, they won't work here + err = fulcioroots.ReInit() + if err != nil { + t.Fatal(err) + } + + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + // create some images + repo, stop := reg(t) + defer stop() + signedImg1 := path.Join(repo, "cosign-e2e-dockerfile-signed1") + _, _, cleanup1 := mkimage(t, signedImg1) + defer cleanup1() + signedImg2 := path.Join(repo, "cosign-e2e-dockerfile-signed2") + _, _, cleanup2 := mkimage(t, signedImg2) + defer cleanup2() + unsignedImg := path.Join(repo, "cosign-e2e-dockerfile-unsigned") + _, _, cleanupUnsigned := mkimage(t, unsignedImg) + defer cleanupUnsigned() + + // sign the images using --identity-token + ko := options.KeyOpts{ + FulcioURL: fulcioURL, + RekorURL: rekorURL, + IDToken: identityToken, + SkipConfirmation: true, + } + so := options.SignOptions{ + Upload: true, + TlogUpload: true, + SkipConfirmation: true, + } + ctx := context.Background() + must(sign.SignCmd(ro, ko, so, []string{signedImg1}), t) + must(sign.SignCmd(ro, ko, so, []string{signedImg2}), t) + + // create the dockerfiles + singleStageDockerfileContents := fmt.Sprintf(` +FROM %s +`, signedImg1) + singleStageDockerfile := mkfile(singleStageDockerfileContents, td, t) + + unsignedBuildStageDockerfileContents := fmt.Sprintf(` +FROM %s + +FROM %s + +FROM %s +`, signedImg1, unsignedImg, signedImg2) + unsignedBuildStageDockerfile := mkfile(unsignedBuildStageDockerfileContents, td, t) + + fromAsDockerfileContents := fmt.Sprintf(` +FROM --platform=linux/amd64 %s AS base +`, signedImg1) + fromAsDockerfile := 
mkfile(fromAsDockerfileContents, td, t) + + withArgDockerfileContents := ` +ARG test_image + +FROM ${test_image} +` + withArgDockerfile := mkfile(withArgDockerfileContents, td, t) + + withLowercaseDockerfileContents := fmt.Sprintf(` +from %s +`, signedImg1) + withLowercaseDockerfile := mkfile(withLowercaseDockerfileContents, td, t) + + issuer := os.Getenv("OIDC_URL") + + tests := []struct { + name string + dockerfile string + baseOnly bool + env map[string]string + wantErr bool + }{ + { + name: "verify single stage", + dockerfile: singleStageDockerfile, + }, + { + name: "verify unsigned build stage", + dockerfile: unsignedBuildStageDockerfile, + wantErr: true, + }, + { + name: "verify base image only", + dockerfile: unsignedBuildStageDockerfile, + baseOnly: true, + }, + { + name: "verify from as", + dockerfile: fromAsDockerfile, + }, + { + name: "verify with arg", + dockerfile: withArgDockerfile, + env: map[string]string{"test_image": signedImg1}, + }, + { + name: "verify image exists but is unsigned", + dockerfile: withArgDockerfile, + env: map[string]string{"test_image": unsignedImg}, + wantErr: true, + }, + { + name: "verify with lowercase", + dockerfile: withLowercaseDockerfile, + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + cmd := dockerfile.VerifyDockerfileCommand{ + VerifyCommand: cliverify.VerifyCommand{ + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: issuer, + CertIdentity: certID, + }, + RekorURL: rekorURL, + }, + BaseOnly: test.baseOnly, + } + args := []string{test.dockerfile} + for k, v := range test.env { + t.Setenv(k, v) + } + if test.wantErr { + mustErr(cmd.Exec(ctx, args), t) + } else { + must(cmd.Exec(ctx, args), t) + } + }) + } +} + +func TestManifestVerify(t *testing.T) { + td := t.TempDir() + + // set up SIGSTORE_ variables to point to keys for the local instances + err := setLocalEnv(t, td) + if err != nil { + t.Fatal(err) + } + + // unset the roots that were generated for timestamp signing, 
they won't work here + err = fulcioroots.ReInit() + if err != nil { + t.Fatal(err) + } + + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + // create some images + repo, stop := reg(t) + defer stop() + signedImg := path.Join(repo, "cosign-e2e-manifest-signed") + _, _, cleanup := mkimage(t, signedImg) + defer cleanup() + unsignedImg := path.Join(repo, "cosign-e2e-manifest-unsigned") + _, _, cleanupUnsigned := mkimage(t, unsignedImg) + defer cleanupUnsigned() + + // sign the images using --identity-token + ko := options.KeyOpts{ + FulcioURL: fulcioURL, + RekorURL: rekorURL, + IDToken: identityToken, + SkipConfirmation: true, + } + so := options.SignOptions{ + Upload: true, + TlogUpload: true, + SkipConfirmation: true, + } + ctx := context.Background() + must(sign.SignCmd(ro, ko, so, []string{signedImg}), t) + + // create the manifests + manifestTemplate := ` +apiVersion: v1 +kind: Pod +metadata: + name: single-pod +spec: + containers: + - name: %s + image: %s +` + signedManifestContents := fmt.Sprintf(manifestTemplate, "signed-img", signedImg) + signedManifest := mkfileWithExt(signedManifestContents, td, ".yaml", t) + unsignedManifestContents := fmt.Sprintf(manifestTemplate, "unsigned-img", unsignedImg) + unsignedManifest := mkfileWithExt(unsignedManifestContents, td, ".yaml", t) + + issuer := os.Getenv("OIDC_URL") + + tests := []struct { + name string + manifest string + wantErr bool + }{ + { + name: "signed manifest", + manifest: signedManifest, + }, + { + name: "unsigned manifest", + manifest: unsignedManifest, + wantErr: true, + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + cmd := manifest.VerifyManifestCommand{ + VerifyCommand: cliverify.VerifyCommand{ + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: issuer, + CertIdentity: certID, + }, + RekorURL: rekorURL, + }, + } + args := []string{test.manifest} + if test.wantErr { + mustErr(cmd.Exec(ctx, args), t) + } else { + 
must(cmd.Exec(ctx, args), t) + } + }) + } +} + +// getOIDCToken gets an OIDC token from the mock OIDC server. +func getOIDCToken() (string, error) { + issuer := os.Getenv("OIDC_URL") + resp, err := http.Get(issuer + "/token") + if err != nil { + return "", err + } + defer resp.Body.Close() + body, err := io.ReadAll(resp.Body) + if err != nil { + return "", err + } + return string(body), nil +} + +func setLocalEnv(t *testing.T, dir string) error { + // fulcio repo is downloaded to the user's home directory by e2e_test.sh + home, err := os.UserHomeDir() + if err != nil { + return fmt.Errorf("error getting home directory: %w", err) + } + t.Setenv(env.VariableSigstoreCTLogPublicKeyFile.String(), path.Join(home, "fulcio/config/ctfe/pubkey.pem")) + err = downloadAndSetEnv(t, fulcioURL+"/api/v1/rootCert", env.VariableSigstoreRootFile.String(), dir) + if err != nil { + return fmt.Errorf("error setting %s env var: %w", env.VariableSigstoreRootFile.String(), err) + } + err = downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), dir) + if err != nil { + return fmt.Errorf("error setting %s env var: %w", env.VariableSigstoreRekorPublicKey.String(), err) + } + return nil +} + +func downloadAndSetEnv(t *testing.T, url, envVar, dir string) error { + resp, err := http.Get(url) + if err != nil { + return fmt.Errorf("error downloading file: %w", err) + } + defer resp.Body.Close() + f, err := os.CreateTemp(dir, "") + if err != nil { + return fmt.Errorf("error creating temp file: %w", err) + } + defer f.Close() + _, err = io.Copy(f, resp.Body) + if err != nil { + return fmt.Errorf("error writing to file: %w", err) + } + t.Setenv(envVar, f.Name()) + return nil +} diff --git a/test/e2e_test.sh b/test/e2e_test.sh index 7fb9a1310df0..3c60c76da5e0 100755 --- a/test/e2e_test.sh +++ b/test/e2e_test.sh 
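Review bot: `downloadAndSetEnv` writes whatever `http.Get` returns into the temp file and points the `SIGSTORE_*` variable at it without checking `resp.StatusCode`, so a 404 or 500 body from the local Rekor or Fulcio becomes the trust root and the failure only surfaces later as an opaque verification error; add `if resp.StatusCode != http.StatusOK { return fmt.Errorf("unexpected status %d downloading %s", resp.StatusCode, url) }` after the `defer resp.Body.Close()`. `getOIDCToken` has the same gap and additionally builds its URL from `os.Getenv("OIDC_URL")` without checking for an empty value, which turns a missing variable into an "unsupported protocol scheme" error rather than a clear message; returning `fmt.Errorf("OIDC_URL is not set")` up front would make the precondition obvious. The `// getOIDCToken gets an OIDC token from the mock OIDC server.` comment could also note that the token's email identity is whatever the fake server mints, which is what `certID` in the two tests must match.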
@@ -16,6 +16,31 @@ set -ex +echo "setting up OIDC provider" +pushd ./test/fakeoidc +oidcimg=$(ko build main.go --local) +docker network ls | grep fulcio_default || docker network create fulcio_default +docker run -d --rm -p 8080:8080 --network fulcio_default --name fakeoidc $oidcimg +cleanup_oidc() { + echo "cleaning up oidc" + docker stop fakeoidc +} +trap cleanup_oidc EXIT +oidc_ip=$(docker inspect fakeoidc | jq -r '.[0].NetworkSettings.Networks.fulcio_default.IPAddress') +export OIDC_URL="http://${oidc_ip}:8080" +cat < /tmp/fulcio-config.json +{ + "OIDCIssuers": { + "$OIDC_URL": { + "IssuerURL": "$OIDC_URL", + "ClientID": "sigstore", + "Type": "email" + } + } +} +EOF +popd + pushd $HOME echo "downloading service repos" @@ -31,6 +56,7 @@ done echo "starting services" export FULCIO_METRICS_PORT=2113 +export FULCIO_CONFIG=/tmp/fulcio-config.json for repo in rekor fulcio; do pushd $repo docker-compose up -d @@ -51,6 +77,7 @@ for repo in rekor fulcio; do done cleanup_services() { echo "cleaning up" + cleanup_oidc for repo in rekor fulcio; do pushd $HOME/$repo docker-compose down @@ -59,19 +86,16 @@ cleanup_services() { } trap cleanup_services EXIT -curl http://127.0.0.1:3000/api/v1/log/publicKey > rekor.pub -export SIGSTORE_REKOR_PUBLIC_KEY=$(pwd)/rekor.pub - echo echo "running tests" popd -go build -o cosign ./cmd/cosign go test -tags=e2e -v -race ./test/... # Test on a private registry echo "testing sign/verify/clean on private registry" cleanup() { + cleanup_services docker rm -f registry } trap cleanup EXIT 
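Review bot: `cat < /tmp/fulcio-config.json` followed by a JSON body and a bare `EOF` reads the config file as stdin instead of writing the heredoc into it; the heredoc operator and output redirection (`cat <<EOF > /tmp/fulcio-config.json`) appear to be missing, so unless this is an artifact of how the diff was captured the script will fail under `set -e` before Fulcio ever loads the config. Worth confirming against the raw file. Separately, a fixed, predictable path under `/tmp` is shared with every other user and job on the runner; `FULCIO_CONFIG=$(mktemp)` with `cat <<EOF > "$FULCIO_CONFIG"` avoids collisions and stale files from earlier runs, and the `export FULCIO_CONFIG=` line in the next hunk would then reuse that variable.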
@@ -79,22 +103,6 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t export COSIGN_TEST_REPO=localhost:5000 go test -tags=e2e -v ./test/... -run TestSignVerifyClean -# Use the public instance to verify existing images and manifests -unset SIGSTORE_REKOR_PUBLIC_KEY -# Test `cosign dockerfile verify` -./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com -if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi -./cosign dockerfile verify --base-image-only ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com -./cosign dockerfile verify ./test/testdata/fancy_from.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com -test_image="ghcr.io/distroless/alpine-base" ./cosign dockerfile verify ./test/testdata/with_arg.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com -# Image exists, but is unsigned -if (test_image="ubuntu" ./cosign dockerfile verify ./test/testdata/with_arg.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi -./cosign 
dockerfile verify ./test/testdata/with_lowercase.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com - -# Test `cosign manifest verify` -./cosign manifest verify ./test/testdata/signed_manifest.yaml --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com -if (./cosign manifest verify ./test/testdata/unsigned_manifest.yaml --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi - # Run the built container to make sure it doesn't crash make ko-local img="ko.local/cosign:$(git rev-parse HEAD)" diff --git a/test/e2e_test_pkcs11.sh b/test/e2e_test_pkcs11.sh new file mode 100755 index 000000000000..7ea933513fa0 --- /dev/null +++ b/test/e2e_test_pkcs11.sh 
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Test pkcs11 token signing
+CONTAINER_ID=$(docker run -dit --name softhsm -v $(pwd):/root/cosign -p 2345:2345 vegardit/softhsm2-pkcs11-proxy@sha256:557a65d2a14e3986f2389d36ddce75609cbd8fb7ee6cf08a78adcc8236c2a80e)
+
+docker exec -i $CONTAINER_ID /bin/bash << 'EOF'
+
+apk update
+
+# add make pcsc-lite-libs go command
+apk add make build-base go
+
+cd /root/cosign
+
+softhsm2-util --init-token --free --label "My Token" --pin 1234 --so-pin 1234
+go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key test/pkcs11_test.go
+
+EOF
+
+cleanup_pkcs11() {
+ docker rm -f $CONTAINER_ID
+}
+
+trap cleanup_pkcs11 EXIT
diff --git a/test/fakeoidc/go.mod b/test/fakeoidc/go.mod
new file mode 100644
index 000000000000..08534a0bc5da
--- /dev/null
+++ b/test/fakeoidc/go.mod
@@ -0,0 +1,11 @@
+module github.com/sigstore/cosign/test/fakeoidc
+
+go 1.21.5
+
+require gopkg.in/square/go-jose.v2 v2.6.0
+
+require (
+ github.com/google/go-cmp v0.6.0 // indirect
+ github.com/stretchr/testify v1.8.4 // indirect
+ golang.org/x/crypto v0.18.0 // indirect
+)
diff --git a/test/fakeoidc/go.sum b/test/fakeoidc/go.sum
new file mode 100644
index 000000000000..f3ea650903c3
--- /dev/null
+++ b/test/fakeoidc/go.sum
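Review bot: `trap cleanup_pkcs11 EXIT` is installed only after the `docker exec ... << 'EOF'` block has finished, so with `set -o errexit` any failure inside the container (apk, `softhsm2-util`, or the `go test` itself) exits the script before the trap exists and leaves the `softhsm` container running; the next invocation's `docker run --name softhsm` then fails on the name conflict. Define `cleanup_pkcs11` and run `trap cleanup_pkcs11 EXIT` immediately after the `CONTAINER_ID=$(docker run ...)` line, before the exec. The mount source should also be quoted, `-v "$(pwd)":/root/cosign`, so a workspace path containing spaces does not split the argument. Pinning the proxy image by digest is the right call and worth keeping.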
@@ -0,0 +1,14 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= +gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/fakeoidc/main.go b/test/fakeoidc/main.go new file mode 100644 index 000000000000..3220afb839cd --- /dev/null +++ b/test/fakeoidc/main.go 
@@ -0,0 +1,118 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Mock OIDC server, based on https://github.com/sigstore/fulcio/blob/4a80ee645c69bac2128b03197e04b4d285c0b81e/pkg/server/grpc_server_test.go#L1626 +package main + +import ( + "crypto/rand" + "crypto/rsa" + "encoding/json" + "fmt" + "log" + "net/http" + "time" + + "gopkg.in/square/go-jose.v2" + "gopkg.in/square/go-jose.v2/jwt" +) + +var ( + signer jose.Signer + jwk jose.JSONWebKey +) + +type config struct { + Issuer string `json:"issuer"` + JWKSURI string `json:"jwks_uri"` +} + +type customClaims struct { + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` +} + +func init() { + pk, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + log.Fatal(err) + } + jwk = jose.JSONWebKey{ + Algorithm: string(jose.RS256), + Key: pk, + } + signer, err = jose.NewSigner(jose.SigningKey{ + Algorithm: jose.RS256, + Key: jwk.Key, + }, nil) + if err != nil { + log.Fatal(err) + } +} + +func token(w http.ResponseWriter, r *http.Request) { + log.Print("handling token") + token, err := jwt.Signed(signer).Claims(jwt.Claims{ + Issuer: fmt.Sprintf("http://%s", r.Host), + IssuedAt: jwt.NewNumericDate(time.Now()), + Expiry: jwt.NewNumericDate(time.Now().Add(30 * time.Minute)), + Subject: "foo@bar.com", + Audience: jwt.Audience{"sigstore"}, + }).Claims(customClaims{ + Email: "foo@bar.com", + EmailVerified: true, + }).CompactSerialize() + if 
err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + w.Write([]byte(token)) +} + +func keys(w http.ResponseWriter, r *http.Request) { + log.Print("handling keys") + keys, err := json.Marshal(jose.JSONWebKeySet{ + Keys: []jose.JSONWebKey{ + jwk.Public(), + }, + }) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + w.Header().Add("Content-type", "application/json") + w.Write(keys) +} + +func wellKnown(w http.ResponseWriter, r *http.Request) { + log.Print("handling discovery") + issuer := fmt.Sprintf("http://%s", r.Host) + cfg, err := json.Marshal(config{ + Issuer: issuer, + JWKSURI: issuer + "/keys", + }) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + } + w.Header().Add("Content-type", "application/json") + w.Write(cfg) +} + +func main() { + http.HandleFunc("/token", token) + http.HandleFunc("/keys", keys) + http.HandleFunc("/.well-known/openid-configuration", wellKnown) + if err := http.ListenAndServe(":8080", nil); err != nil { + log.Fatal(err) + } +} diff --git a/test/testdata/README.md b/test/testdata/README.md index 248812e2aa01..0f0c9a99c755 100644 --- a/test/testdata/README.md +++ b/test/testdata/README.md @@ -77,7 +77,7 @@ $ openssl req -new -key leafCA.key -out leafCA.csr $ openssl x509 -req -in leafCA.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial leafca.srl -out leafCA.crt -days 1825 -sha256 -extfile leafConfigFile ``` -11. Generate Certificate chain by concatinating Intermediate certificate and Root certificate +11. Generate Certificate chain by concatenating Intermediate certificate and Root certificate ```shell $ cat intermediateCA.crt rootCA.crt > certChain.crt 
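Review bot: In `token`, `keys` and `wellKnown` the error branch calls `http.Error(...)` but does not return, so on failure the handler falls through to `w.Write(...)` and appends an empty or partial payload to the 500 response, with the server also logging a superfluous WriteHeader; each branch should read `http.Error(w, err.Error(), http.StatusInternalServerError); return`. The `w.Write` return values are ignored in all three handlers; for a test fixture that is acceptable, but a short comment saying so would stop linters and readers from flagging it. The package comment could also state the trust assumption the fixture relies on, e.g. `// Mock OIDC server for the e2e tests only: /token mints a signed token for foo@bar.com to any unauthenticated caller, so it must only be reachable on the isolated test docker network.` The enclosing `token` handler begins in the previous line of the hunk.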
@@ -172,7 +172,7 @@ $ openssl req -new -key secondleafCA.key -out secondleafCA.csr $ openssl x509 -req -in secondleafCA.csr -CA secondintermediateCA.crt -CAkey secondintermediateCA.key -CAcreateserial -CAserial secondleafca.srl -out secondleafCA.crt -days 1825 -sha256 -extfile leafConfigFile ``` -26. Generate Certificate chain by concatinating second Intermediate certificate and second Root certificate +26. Generate Certificate chain by concatenating second Intermediate certificate and second Root certificate ```shell $ cat secondintermediateCA.crt secondrootCA.crt > secondcertChain.crt diff --git a/test/testdata/fancy_from.Dockerfile b/test/testdata/fancy_from.Dockerfile deleted file mode 100644 index 7025bf411207..000000000000 --- a/test/testdata/fancy_from.Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2021 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http:#www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM --platform=linux/amd64 ghcr.io/distroless/alpine-base AS base - -# blah blah diff --git a/test/testdata/signed_manifest.yaml b/test/testdata/signed_manifest.yaml deleted file mode 100644 index d90b17ad3c16..000000000000 --- a/test/testdata/signed_manifest.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Pod
-metadata:
- name: single-pod
-spec:
- restartPolicy: Never
- containers:
- - name: distroless
- image: ghcr.io/distroless/alpine-base
diff --git a/test/testdata/single_stage.Dockerfile b/test/testdata/single_stage.Dockerfile
deleted file mode 100644
index 9206f2cee56f..000000000000
--- a/test/testdata/single_stage.Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM ghcr.io/distroless/alpine-base
-
-# blah blah
diff --git a/test/testdata/unsigned_build_stage.Dockerfile b/test/testdata/unsigned_build_stage.Dockerfile
deleted file mode 100644
index 1e04890e1989..000000000000
--- a/test/testdata/unsigned_build_stage.Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM ghcr.io/distroless/alpine-base
-
-# blah blah
-
-# an un(co)signed image
-FROM ubuntu
-
-# blah blah
-
-FROM ghcr.io/distroless/static
diff --git a/test/testdata/unsigned_manifest.yaml b/test/testdata/unsigned_manifest.yaml
deleted file mode 100644
index c0a5ac049a22..000000000000
--- a/test/testdata/unsigned_manifest.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Pod
-metadata:
- name: single-pod
-spec:
- restartPolicy: Never
- containers:
- - name: nginx-container
- image: nginx
\ No newline at end of file
diff --git a/test/testdata/with_arg.Dockerfile b/test/testdata/with_arg.Dockerfile
deleted file mode 100644
index 580333082500..000000000000
--- a/test/testdata/with_arg.Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG test_image
-
-FROM ${test_image}
\ No newline at end of file
diff --git a/test/testdata/with_lowercase.Dockerfile b/test/testdata/with_lowercase.Dockerfile
deleted file mode 100644
index d1df114231a2..000000000000
--- a/test/testdata/with_lowercase.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from ghcr.io/distroless/alpine-base