Add experimental TLOG model to cosign #44

priyawadhwa · 2021-03-03T23:39:02Z

We turn on sending logs to the tlog by appending TLOG=1 to cosign sign and cosign verify.
I also had to add a --public-key flag to cosign sign to get this to work.

In practice this looks like:

$ TLOG=1 ./cosign sign -key cosign.key --public-key cosign.pub -a signedBy=priya2 gcr.io/priya-wadhwa/test
Enter password for private key: 
Pushing signature to: gcr.io/priya-wadhwa/test:sha256-1d7b639619bdca2d008eca2d5293e3c43ff84cbee597ff76de3b7a7de3e84956.cosign
Sucessfully appended to transparency log

$ TLOG=1 ./cosign verify -key cosign.pub -a signedBy=priya2 gcr.io/priya-wadhwa/test
{"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"1d7b639619bdca2d008eca2d5293e3c43ff84cbee597ff76de3b7a7de3e84956"},"Type":"cosign container signature"},"Optional":{"signedBy":"priya2"}}
Verified signature, payload and public key exist in transparency log

Copied most of the code for verify from rekor's verify.go

Starts to fix #34, still need to:

integration test
Add TLOG info to README
add in state.json feature

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

dlorenc · 2021-03-04T00:27:52Z

Amazing! I'll take a more detailed look tomorrow :)

priyawadhwa · 2021-03-04T04:52:48Z

Yah I'm not totally sure about it 😅 & I think it probably still needs an integration test!

dlorenc · 2021-03-04T15:52:20Z

Yah I'm not totally sure about it 😅 & I think it probably still needs an integration test!

Yeah I was thinking about this - it should be straightforward to stand up a local rekor using the compose setup from over here: https://github.com/sigstore/rekor/blob/main/docker-compose.yml

Seems like you'd need an actual that grabs the rekor repo and starts up the local rekor with compose. We have a script here: https://github.com/sigstore/rekor/blob/main/tests/e2e-test.sh and here: https://github.com/sigstore/rekor/blob/main/.github/workflows/main.yml

cmd/cli/sign.go

pkg/cosign/tlog/upload.go

…nv var to match rekor project Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Sets up a local rekor server via the provided docker-compose.yaml file in the rekor repo. I tested to make sure this test fails if the local server isn't running, which is the case. Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

priyawadhwa · 2021-03-04T20:26:51Z

Cool, the docker-compose file seems to have worked!

dlorenc · 2021-03-05T00:21:24Z

So cool! I'm gonna merge and play with it :)

Co-authored-by: red-hat-trusted-app-pipeline <123456+red-hat-trusted-app-pipeline[bot]@users.noreply.github.com>

priyawadhwa force-pushed the tlog branch from 75102da to e3ca18c Compare March 3, 2021 23:49

Priya Wadhwa added 4 commits March 3, 2021 15:49

Start adding support for uploading to transparency log after sign

d7d22dd

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Verify log exists in transparency log when TLOG=1

ec33764

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Change func name to Upload to match rekor

7df8755

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

fix int test

091c593

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

priyawadhwa force-pushed the tlog branch from e3ca18c to 091c593 Compare March 3, 2021 23:50

fix lint, use not deprecated hasher

537ec2d

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

priyawadhwa force-pushed the tlog branch from 85e145f to 537ec2d Compare March 3, 2021 23:56

dlorenc reviewed Mar 4, 2021

View reviewed changes

cmd/cli/sign.go Outdated Show resolved Hide resolved

pkg/cosign/tlog/upload.go Outdated Show resolved Hide resolved

Priya Wadhwa added 3 commits March 4, 2021 11:33

use public key from private key for 'cosign sign', use REKOR_SERVER e…

01db43f

…nv var to match rekor project Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

revert test

f207140

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Add integration test for tlog support

59b6db0

Sets up a local rekor server via the provided docker-compose.yaml file in the rekor repo. I tested to make sure this test fails if the local server isn't running, which is the case. Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

priyawadhwa force-pushed the tlog branch from 43161e0 to 59b6db0 Compare March 4, 2021 20:13

dlorenc merged commit 3dbd913 into sigstore:main Mar 5, 2021

tommyd450 pushed a commit to tommyd450/cosign that referenced this pull request Nov 7, 2023

chore(deps): update rhtap references (sigstore#44)

733df92

Co-authored-by: red-hat-trusted-app-pipeline <123456+red-hat-trusted-app-pipeline[bot]@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add experimental TLOG model to cosign #44

Add experimental TLOG model to cosign #44

priyawadhwa commented Mar 3, 2021 •

edited

Loading

dlorenc commented Mar 4, 2021

priyawadhwa commented Mar 4, 2021

dlorenc commented Mar 4, 2021

priyawadhwa commented Mar 4, 2021

dlorenc commented Mar 5, 2021

Add experimental TLOG model to cosign #44

Add experimental TLOG model to cosign #44

Conversation

priyawadhwa commented Mar 3, 2021 • edited Loading

dlorenc commented Mar 4, 2021

priyawadhwa commented Mar 4, 2021

dlorenc commented Mar 4, 2021

priyawadhwa commented Mar 4, 2021

dlorenc commented Mar 5, 2021

priyawadhwa commented Mar 3, 2021 •

edited

Loading