kubernetes-sigs · k8s-ci-robot · Feb 14, 2022 · Feb 14, 2022 · Feb 14, 2022 · Feb 14, 2022
diff --git a/sign/impl.go b/sign/impl.go
@@ -20,9 +20,12 @@ import (
 	"context"
 	"os"
 
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/pkg/cosign"
 	"sigs.k8s.io/release-utils/env"
 )
 
@@ -34,6 +37,7 @@ type defaultImpl struct{}
 type impl interface {
 	VerifyFileInternal(*Signer, string) (*SignedObject, error)
 	VerifyImageInternal(ctx context.Context, keyPath string, images []string) (*SignedObject, error)
+	IsImageSignedInternal(context.Context, string) (bool, error)
 	SignImageInternal(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOptions,
 		annotations map[string]interface{}, imgs []string, certPath string, upload bool,
 		outputSignature string, outputCertificate string, payloadPath string, force bool,
@@ -68,3 +72,21 @@ func (*defaultImpl) Setenv(key, value string) error {
 func (*defaultImpl) EnvDefault(key, def string) string {
 	return env.Default(key, def)
 }
+
+// IsImageSignedInternal makes a call to the registry to check
+// if there are signatures available for a given reference.
+func (*defaultImpl) IsImageSignedInternal(
+	ctx context.Context, imageRef string,
+) (bool, error) {
+	ref, err := name.ParseReference(imageRef)
+	if err != nil {
+		return false, errors.Wrap(err, "parsing image reference")
+	}
+
+	signatures, err := cosign.FetchSignaturesForReference(ctx, ref)
+	if err != nil {
+		return false, errors.Wrap(err, "fetching signarures")
+	}
+
+	return len(signatures) > 0, nil
+}
diff --git a/sign/impl_test.go b/sign/impl_test.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sign
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsImageSigned(t *testing.T) {
+	signer := New(Default())
+	for _, tc := range []struct {
+		imageRef  string
+		isSigned  bool
+		shouldErr bool
+	}{
+		{
+			// cosign ~1.5.2 signed image
+			"ghcr.io/sigstore/cosign/cosign:f436d7637caaa9073522ae65a8416e38cd69c4f2", true, false,
+		},
+		{
+			// k8s/pause ~feb 13 2022. mot signed
+			"k8s.gcr.io/pause@sha256:a78c2d6208eff9b672de43f880093100050983047b7b0afe0217d3656e1b0d5f", false, true,
+		},
+		{
+			// nonexistent image, must fail
+			"kornotios/supermegafakeimage", false, true,
+		},
+	} {
+		res, err := signer.IsImageSigned(tc.imageRef)
+		require.Equal(t, tc.isSigned, res, fmt.Sprintf("Checking %s for signature", tc.imageRef))
+		if tc.shouldErr {
+			require.Error(t, err)
+		} else {
+			require.NoError(t, err)
+		}
+	}
+}
diff --git a/sign/sign.go b/sign/sign.go
@@ -177,3 +177,13 @@ func (s *Signer) enableExperimental() (resetFn func(), err error) {
 		}
 	}, nil
 }
+
+// IsImageSigned takes an image reference and returns true if there are
+// signatures available for it. It makes no signature verification, only
+// checks to see if more than one signature is available.
+func (s *Signer) IsImageSigned(imageRef string) (bool, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), s.options.Timeout)
+	defer cancel()
+
+	return s.impl.IsImageSignedInternal(ctx, imageRef)
+}
diff --git a/sign/sign_test.go b/sign/sign_test.go
@@ -249,3 +249,48 @@ func TestVerifyFile(t *testing.T) {
 		tc.assert(obj, err)
 	}
 }
+
+func TestIsImageSigned(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		prepare func(*signfakes.FakeImpl)
+		assert  func(bool, error)
+	}{
+		{ // Success, signed
+			prepare: func(mock *signfakes.FakeImpl) {
+				mock.IsImageSignedInternalReturns(true, nil)
+			},
+			assert: func(signed bool, err error) {
+				require.True(t, signed)
+				require.Nil(t, err)
+			},
+		},
+		{ // Success, not signed
+			prepare: func(mock *signfakes.FakeImpl) {
+				mock.IsImageSignedInternalReturns(false, nil)
+			},
+			assert: func(signed bool, err error) {
+				require.False(t, signed)
+				require.Nil(t, err)
+			},
+		},
+		{ // IsImageSignedInternal errors
+			prepare: func(mock *signfakes.FakeImpl) {
+				mock.IsImageSignedInternalReturns(false, errTest)
+			},
+			assert: func(signed bool, err error) {
+				require.Error(t, err)
+			},
+		},
+	} {
+		mock := &signfakes.FakeImpl{}
+		tc.prepare(mock)
+
+		sut := sign.New(sign.Default())
+		sut.SetImpl(mock)
+
+		res, err := sut.IsImageSigned("")
+		tc.assert(res, err)
+	}
+}
diff --git a/sign/signfakes/fake_impl.go b/sign/signfakes/fake_impl.go