Merge in upstream changes

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Dec 7, 2022 · 22e5a0e · 22e5a0e
2 parents 325ef6c + 7813599
commit 22e5a0e
Show file tree

Hide file tree

Showing 24 changed files with 500 additions and 408 deletions.
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -39,7 +39,7 @@ jobs:
       statuses: none
 
     env:
-      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.3-0@sha256:1072190e76d68f455f1bedb7430a633916b6629a722c42246037ac518fdb0ff2
+      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.4-0@sha256:53ee894818ac14377996a6fe7c8fe6156d018a20f82aaf69f2519fc45d897bec
       COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057
 
     steps:

diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
@@ -79,7 +79,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
 		"url to the Timestamp RFC3161 server, default none")
 
-	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
-		"write everything required to verify the blob to a FILE")
-	_ = cmd.Flags().SetAnnotation("rfc3161-timestamp-bundle", cobra.BashCompFilenameExt, []string{})
+	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
+		"write the RFC3161 timestamp to a file")
+	_ = cmd.Flags().SetAnnotation("rfc3161-timestamp", cobra.BashCompFilenameExt, []string{})
 }
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
@@ -164,8 +164,8 @@ func (o *VerifyBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"path to bundle FILE")
 
-	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
-		"path to timestamp bundle FILE")
+	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
+		"path to RFC3161 timestamp FILE")
 }
 
 // VerifyDockerfileOptions is the top level wrapper for the `dockerfile verify` command.

diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
@@ -273,8 +273,7 @@ func signPolicy() *cobra.Command {
 					return fmt.Errorf("failed to create TSA client: %w", err)
 				}
 				// Here we get the response from the timestamped authority server
-				_, err = tsa.GetTimestampedSignature(signed.Signed, clientTSA)
-				if err != nil {
+				if _, err := tsa.GetTimestampedSignature(signed.Signed, clientTSA); err != nil {
 					return err
 				}
 			}

diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
@@ -72,19 +72,36 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 
 	signedPayload := cosign.LocalSignedPayload{}
 
+	var rfc3161Timestamp *cbundle.RFC3161Timestamp
 	if ko.TSAServerURL != "" {
+		if ko.RFC3161TimestampPath == "" {
+			return nil, fmt.Errorf("timestamp output path must be set")
+		}
+
 		clientTSA, err := tsaclient.GetTimestampClient(ko.TSAServerURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create TSA client: %w", err)
 		}
-		b64Sig := []byte(base64.StdEncoding.EncodeToString(sig))
 
-		respBytes, err := tsa.GetTimestampedSignature(b64Sig, clientTSA)
+		respBytes, err := tsa.GetTimestampedSignature(sig, clientTSA)
 		if err != nil {
 			return nil, err
 		}
 
-		signedPayload.RFC3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
+		rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
+		// TODO: Consider uploading RFC3161 TS to Rekor
+
+		if rfc3161Timestamp == nil {
+			return nil, fmt.Errorf("rfc3161 timestamp is nil")
+		}
+		ts, err := json.Marshal(rfc3161Timestamp)
+		if err != nil {
+			return nil, err
+		}
+		if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil {
+			return nil, fmt.Errorf("create RFC3161 timestamp file: %w", err)
+		}
+		fmt.Fprintf(os.Stderr, "RFC3161 timestamp written to file %s\n", ko.RFC3161TimestampPath)
 	}
 	if ShouldUploadToTlog(ctx, ko, nil, tlogUpload) {
 		rekorBytes, err = sv.Bytes(ctx)
@@ -103,20 +120,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 		signedPayload.Bundle = cbundle.EntryToBundle(entry)
 	}
 
-	// if bundle is specified, just do that and ignore the rest
-	if ko.RFC3161TimestampPath != "" {
-		signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)
-
-		contents, err := json.Marshal(signedPayload)
-		if err != nil {
-			return nil, err
-		}
-		if err := os.WriteFile(ko.RFC3161TimestampPath, contents, 0600); err != nil {
-			return nil, fmt.Errorf("create rfc3161 timestamp file: %w", err)
-		}
-		fmt.Printf("RF3161 timestamp bundle wrote in the file %s\n", ko.RFC3161TimestampPath)
-	}
-
 	// if bundle is specified, just do that and ignore the rest
 	if ko.BundlePath != "" {
 		signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -301,6 +301,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
 				SCTRef:                       o.CertVerify.SCT,
 				Offline:                      o.CommonVerifyOptions.Offline,
+				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
 			}
 			if err := verifyBlobCmd.Exec(cmd.Context(), args[0]); err != nil {
 				return fmt.Errorf("verifying blob %s: %w", args, err)

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -150,8 +150,16 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 			}
 			co.RekorClient = rekorClient
 		}
+		// This performs an online fetch of the Rekor public keys, but this is needed
+		// for verifying tlog entries (both online and offline).
+		co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
+		if err != nil {
+			return fmt.Errorf("getting Rekor public keys: %w", err)
+		}
 	}
 	if keylessVerification(c.KeyRef, c.Sk) {
+		// This performs an online fetch of the Fulcio roots. This is needed
+		// for verifying keyless certificates (both online and offline).
 		co.RootCerts, err = fulcio.GetRoots()
 		if err != nil {
 			return fmt.Errorf("getting Fulcio roots: %w", err)

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -129,8 +129,16 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 			}
 			co.RekorClient = rekorClient
 		}
+		// This performs an online fetch of the Rekor public keys, but this is needed
+		// for verifying tlog entries (both online and offline).
+		co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
+		if err != nil {
+			return fmt.Errorf("getting Rekor public keys: %w", err)
+		}
 	}
 	if keylessVerification(c.KeyRef, c.Sk) {
+		// This performs an online fetch of the Fulcio roots. This is needed
+		// for verifying keyless certificates (both online and offline).
 		co.RootCerts, err = fulcio.GetRoots()
 		if err != nil {
 			return fmt.Errorf("getting Fulcio roots: %w", err)

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -33,6 +33,7 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/pkg/blob"
 	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/pkg/cosign/bundle"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/pkg/oci/static"
@@ -73,16 +74,16 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	opts := make([]static.Option, 0)
 
 	// Require a certificate/key OR a local bundle file that has the cert.
-	if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath, c.RFC3161TimestampPath) == 0 {
-		return fmt.Errorf("please provide a cert to verify against via --certificate or a bundle via --bundle or --rfc3161-timestamp-bundle")
+	if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath) == 0 {
+		return fmt.Errorf("provide a key with --key or --sk, a certificate to verify against with --certificate, or a bundle with --bundle")
 	}
 
 	// Key, sk, and cert are mutually exclusive.
 	if options.NOf(c.KeyRef, c.Sk, c.CertRef) > 1 {
 		return &options.KeyParseError{}
 	}
 
-	sig, err := base64signature(c.SigRef, c.BundlePath, c.RFC3161TimestampPath)
+	sig, err := base64signature(c.SigRef, c.BundlePath)
 	if err != nil {
 		return err
 	}
@@ -136,9 +137,17 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 			}
 			co.RekorClient = rekorClient
 		}
+		// This performs an online fetch of the Rekor public keys, but this is needed
+		// for verifying tlog entries (both online and offline).
+		co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
+		if err != nil {
+			return fmt.Errorf("getting Rekor public keys: %w", err)
+		}
 	}
 	if keylessVerification(c.KeyRef, c.Sk) {
 		// Use default TUF roots if a cert chain is not provided.
+		// This performs an online fetch of the Fulcio roots. This is needed
+		// for verifying keyless certificates (both online and offline).
 		if c.CertChain == "" {
 			co.RootCerts, err = fulcio.GetRoots()
 			if err != nil {
@@ -208,29 +217,15 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		opts = append(opts, static.WithBundle(b.Bundle))
 	}
 	if c.RFC3161TimestampPath != "" {
-		b, err := cosign.FetchLocalSignedPayloadFromPath(c.RFC3161TimestampPath)
+		var rfc3161Timestamp bundle.RFC3161Timestamp
+		ts, err := blob.LoadFileOrURL(c.RFC3161TimestampPath)
 		if err != nil {
 			return err
 		}
-		// Note: RFC3161 timestamp does not set the certificate.
-		// We have to condition on this because sign-blob may not output the signing
-		// key to the bundle when there is no tlog upload.
-		if b.Cert != "" {
-			// b.Cert can either be a certificate or public key
-			certBytes := []byte(b.Cert)
-			if isb64(certBytes) {
-				certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
-			}
-			cert, err = loadCertFromPEM(certBytes)
-			if err != nil {
-				// check if cert is actually a public key
-				co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
-				if err != nil {
-					return fmt.Errorf("loading verifier from rfc3161 timestamp bundle: %w", err)
-				}
-			}
+		if err := json.Unmarshal(ts, &rfc3161Timestamp); err != nil {
+			return err
 		}
-		opts = append(opts, static.WithRFC3161Timestamp(b.RFC3161Timestamp))
+		opts = append(opts, static.WithRFC3161Timestamp(&rfc3161Timestamp))
 	}
 	// Set an SCT if provided via the CLI.
 	if c.SCTRef != "" {
@@ -306,7 +301,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 }
 
 // base64signature returns the base64 encoded signature
-func base64signature(sigRef string, bundlePath, rfc3161TimestampPath string) (string, error) {
+func base64signature(sigRef, bundlePath string) (string, error) {
 	var targetSig []byte
 	var err error
 	switch {
@@ -325,12 +320,6 @@ func base64signature(sigRef string, bundlePath, rfc3161TimestampPath string) (st
 			return "", err
 		}
 		targetSig = []byte(b.Base64Signature)
-	case rfc3161TimestampPath != "":
-		b, err := cosign.FetchLocalSignedPayloadFromPath(rfc3161TimestampPath)
-		if err != nil {
-			return "", err
-		}
-		targetSig = []byte(b.Base64Signature)
 	default:
 		return "", fmt.Errorf("missing flag '--signature'")
 	}