Adjust methods to work with identityToken.

Looked into signImage and mirrored the identityToken part. Adjusted error messaging to more in line with the other messaging. Adjusted tests to be testing with private key input.
kubernetes-sigs · Jun 24, 2022 · aee7e1c · aee7e1c
1 parent 7479a17
commit aee7e1c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 21 deletions.
diff --git a/sign/sign.go b/sign/sign.go
@@ -169,8 +169,29 @@ func (s *Signer) SignFile(path string) (*SignedObject, error) {
 	}
 	defer resetFn()
 
+	ctx, cancel := s.options.context()
+	defer cancel()
+
+	// If we don't have a key path, we must ensure we can get an OIDC
+	// token or there is no way to sign. Depending on the options set,
+	// we may get the ID token from the cosign providers
+	identityToken := ""
+	if s.options.PrivateKeyPath == "" {
+		tok, err := s.identityToken(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("getting identity token for keyless signing: %w", err)
+		}
+		identityToken = tok
+		if identityToken == "" {
+			return nil, errors.New(
+				"no private key or identity token are available, unable to sign",
+			)
+		}
+	}
+
 	ko := cliOpts.KeyOpts{
 		KeyRef:     s.options.PrivateKeyPath,
+		IDToken:    identityToken,
 		PassFunc:   s.options.PassFunc,
 		FulcioURL:  cliOpts.DefaultFulcioURL,
 		RekorURL:   cliOpts.DefaultRekorURL,
@@ -192,22 +213,19 @@ func (s *Signer) SignFile(path string) (*SignedObject, error) {
 
 	fileSHA, err := s.FileSha256(path)
 	if err != nil {
-		return nil, fmt.Errorf("file retrieve sha256 error: %s: %w", path, err)
+		return nil, fmt.Errorf("file retrieve sha256: %s: %w", path, err)
 	}
 
 	if err := s.impl.SignFileInternal(
 		s.options.ToCosignRootOptions(), ko, regOpts, path, true,
 		s.options.OutputSignaturePath, s.options.OutputCertificatePath,
 	); err != nil {
-		return nil, fmt.Errorf("sign file path: %s: %w", path, err)
+		return nil, fmt.Errorf("sign file: %s: %w", path, err)
 	}
 
-	ctx, cancel := s.options.context()
-	defer cancel()
-
 	err = s.impl.VerifyFileInternal(ctx, ko, s.options.OutputSignaturePath, s.options.OutputCertificatePath, path)
 	if err != nil {
-		return nil, fmt.Errorf("verify signed file: %s: %w", path, err)
+		return nil, fmt.Errorf("verifying signed file: %s: %w", path, err)
 	}
 
 	return &SignedObject{
@@ -287,13 +305,7 @@ func (s *Signer) VerifyFile(path string) (*SignedObject, error) {
 	defer resetFn()
 
 	ko := cliOpts.KeyOpts{
-		KeyRef:     s.options.PrivateKeyPath,
-		PassFunc:   s.options.PassFunc,
-		FulcioURL:  cliOpts.DefaultFulcioURL,
-		RekorURL:   cliOpts.DefaultRekorURL,
-		OIDCIssuer: cliOpts.DefaultOIDCIssuerURL,
-
-		InsecureSkipFulcioVerify: false,
+		RekorURL: cliOpts.DefaultRekorURL,
 	}
 
 	if s.options.OutputCertificatePath == "" {

diff --git a/sign/sign_test.go b/sign/sign_test.go
@@ -205,6 +205,9 @@ func TestSignImage(t *testing.T) {
 func TestSignFile(t *testing.T) {
 	t.Parallel()
 
+	opts := sign.Default()
+	opts.PrivateKeyPath = "/tmp/private.key"
+
 	for _, tc := range []struct {
 		path    string
 		options *sign.Options
@@ -213,7 +216,7 @@ func TestSignFile(t *testing.T) {
 	}{
 		{ // Success
 			path:    "/tmp/test-file",
-			options: sign.Default(),
+			options: opts,
 			prepare: func(mock *signfakes.FakeImpl) {
 				mock.VerifyFileInternalReturns(nil)
 				mock.SignFileInternalReturns(nil)
@@ -229,6 +232,7 @@ func TestSignFile(t *testing.T) {
 		{ // Success custom sig and cert.
 			path: "/tmp/test-file",
 			options: &sign.Options{
+				PrivateKeyPath:        opts.PrivateKeyPath,
 				OutputSignaturePath:   "/tmp/test-file.sig",
 				OutputCertificatePath: "/tmp/test-file.cert",
 			},
@@ -246,29 +250,29 @@ func TestSignFile(t *testing.T) {
 		},
 		{ // File does not exist.
 			path:    "/tmp/test-file-no-file",
-			options: sign.Default(),
+			options: opts,
 			prepare: func(mock *signfakes.FakeImpl) {
 				mock.PayloadBytesReturns(nil, errTest)
 			},
 			assert: func(obj *sign.SignedObject, err error) {
 				require.Nil(t, obj)
-				require.ErrorContains(t, err, "file retrieve sha256 error")
+				require.ErrorContains(t, err, "file retrieve sha256:")
 			},
 		},
 		{ // File does can't sign.
 			path:    "/tmp/test-file",
-			options: sign.Default(),
+			options: opts,
 			prepare: func(mock *signfakes.FakeImpl) {
 				mock.SignFileInternalReturns(errTest)
 			},
 			assert: func(obj *sign.SignedObject, err error) {
 				require.Nil(t, obj)
-				require.ErrorContains(t, err, "sign file path")
+				require.ErrorContains(t, err, "sign file:")
 			},
 		},
 		{ // Default sig and cert file test
 			path:    "/tmp/test-file",
-			options: sign.Default(),
+			options: opts,
 			prepare: func(mock *signfakes.FakeImpl) {
 				mock.VerifyFileInternalReturns(nil)
 				mock.SignFileInternalReturns(nil)
@@ -287,14 +291,14 @@ func TestSignFile(t *testing.T) {
 		},
 		{ // Verify failed.
 			path:    "/tmp/test-file",
-			options: sign.Default(),
+			options: opts,
 			prepare: func(mock *signfakes.FakeImpl) {
 				mock.VerifyFileInternalReturns(errTest)
 			},
 			assert: func(obj *sign.SignedObject, err error) {
 				require.Nil(t, obj)
 				require.NotNil(t, err)
-				require.ErrorContains(t, err, "verify signed file")
+				require.ErrorContains(t, err, "verifying signed file:")
 			},
 		},
 	} {