-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #186 from danbev/bundle-example
Add cosign verify-bundle example
- Loading branch information
Showing
7 changed files
with
129 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
artifact.bundle | ||
artifact.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
This example shows how to verify a blob, using a bundle that was created by the | ||
`cosign sign-blob` command. | ||
|
||
### Create the artifact to be signed. | ||
```console | ||
echo something > artifact.txt | ||
``` | ||
|
||
### Sign the artifact.txt file using cosign | ||
``` | ||
COSIGN_EXPERIMENTAL=1 cosign sign-blob --bundle=artifact.bundle artifact.txt | ||
``` | ||
|
||
### Verify using sigstore-rs: | ||
```console | ||
cargo run --example verify-bundle -- \ | ||
--rekor-pub-key ~/.sigstore/root/targets/rekor.pub \ | ||
--bundle artifact.bundle \ | ||
artifact.txt | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
use clap::Parser; | ||
use sigstore::cosign::bundle::SignedArtifactBundle; | ||
use sigstore::crypto::{CosignVerificationKey, SigningScheme}; | ||
use std::fs; | ||
use tracing_subscriber::prelude::*; | ||
use tracing_subscriber::{fmt, EnvFilter}; | ||
|
||
#[derive(Parser, Debug)] | ||
#[clap(author, version, about, long_about = None)] | ||
struct Cli { | ||
/// Path to bundle file | ||
#[clap(short, long)] | ||
bundle: String, | ||
|
||
/// Path to artifact to be verified | ||
blob: String, | ||
|
||
/// File containing Rekor's public key (e.g.: ~/.sigstore/root/targets/rekor.pub) | ||
#[clap(long, required(false))] | ||
rekor_pub_key: String, | ||
|
||
/// Enable verbose mode | ||
#[clap(short, long)] | ||
verbose: bool, | ||
} | ||
|
||
#[tokio::main] | ||
pub async fn main() { | ||
let cli = Cli::parse(); | ||
|
||
// setup logging | ||
let level_filter = if cli.verbose { "debug" } else { "info" }; | ||
let filter_layer = EnvFilter::new(level_filter); | ||
tracing_subscriber::registry() | ||
.with(filter_layer) | ||
.with(fmt::layer().with_writer(std::io::stderr)) | ||
.init(); | ||
|
||
let rekor_pub_pem = | ||
fs::read_to_string(&cli.rekor_pub_key).expect("error reading rekor's public key"); | ||
let rekor_pub_key = | ||
CosignVerificationKey::from_pem(rekor_pub_pem.as_bytes(), &SigningScheme::default()) | ||
.expect("Cannot create Rekor verification key"); | ||
let bundle_json = fs::read_to_string(&cli.bundle).expect("error reading bundle json file"); | ||
let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file"); | ||
|
||
let bundle = SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key).unwrap(); | ||
if bundle.verify_blob(&blob).is_ok() { | ||
println!("Verification succeeded"); | ||
} else { | ||
eprintln!("Verification failed"); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
BLOB="artifact.txt" | ||
BUNDLE="artifact.bundle" | ||
|
||
echo -e "\nGenerate the blob to be signed" | ||
echo something > $BLOB | ||
|
||
echo -e "\nSign the artifact.txt file using sign-blob" | ||
COSIGN_EXPERIMENTAL=1 cosign sign-blob --bundle=$BUNDLE $BLOB | ||
|
||
echo -e "\nVerify using cosign. TODO: remove this later" | ||
cosign verify-blob --bundle=$BUNDLE $BLOB | ||
|
||
echo -e "\nRun examples/cosign/verify-bundle" | ||
cargo run --example verify-bundle -- \ | ||
--rekor-pub-key ~/.sigstore/root/targets/rekor.pub \ | ||
--bundle $BUNDLE \ | ||
$BLOB |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters