diff --git a/Cargo.toml b/Cargo.toml index 03d233cba3..60c03ee116 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -78,7 +78,7 @@ cosign-rustls-tls = [ "cosign", "registry-rustls-tls", ] -cosign = ["olpc-cjson"] +cosign = ["olpc-cjson", "serde_with"] cert = [] registry-native-tls = ["oci-distribution/native-tls", "registry"] @@ -136,8 +136,11 @@ rsa = "0.9" scrypt = "0.11" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" -serde_with = { version = "3.9", features = ["base64", "json"], optional = true } -serde_with = { version = "2.3", features = ["base64", "hex" ] } +serde_with = { version = "3.9", features = [ + "base64", + "json", + "hex", +], optional = true } sha2 = { version = "0.10", features = ["oid"] } signature = { version = "2.2" } sigstore_protobuf_specs = { version = "0.3", optional = true } @@ -180,9 +183,6 @@ path = "examples/cosign/verify/main.rs" name = "verify-blob" path = "examples/cosign/verify-blob/main.rs" -[[example]] -name = "verify-bundle" -path = "examples/cosign/verify-bundle/main.rs" [[example]] name = "sign" diff --git a/examples/cosign/verify-bundle/.gitignore b/examples/cosign/verify-bundle/.gitignore deleted file mode 100644 index 4f525aecd1..0000000000 --- a/examples/cosign/verify-bundle/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -artifact.bundle -artifact.txt diff --git a/examples/cosign/verify-bundle/README.md b/examples/cosign/verify-bundle/README.md deleted file mode 100644 index 311230d916..0000000000 --- a/examples/cosign/verify-bundle/README.md +++ /dev/null 
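Review bot: Folding the two `serde_with` entries into one `optional = true` dependency (second hunk) changes who may use it: the 2.3 entry that carried the `hex` feature was unconditional, while the merged 3.9 entry is only pulled in when the `cosign` feature is enabled (first hunk). Any module compiled outside the cosign feature that uses `serde_with` — the `hex` helpers are the likely case, since that feature existed only on the non-optional entry — would then fail under `cargo check --no-default-features` or any feature set that leaves `cosign` out. If such a user exists, either drop `optional = true` or add `"serde_with"` to the feature that owns that module as well. A `--no-default-features` build in CI would catch this class of regression regardless of which fix is chosen.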
@@ -1,21 +0,0 @@
-This example shows how to verify a blob, using a bundle that was created by the
-`cosign sign-blob` command.
-
-### Create the artifact to be signed.
-```console
-cd examples/cosign/verify-bundle
-echo something > artifact.txt
-```
-
-### Sign the artifact.txt file using cosign
-```
-cosign sign-blob --bundle=artifact.bundle artifact.txt
-```
-
-### Verify using sigstore-rs:
-```console
-cargo run --example verify-bundle -- \
- --rekor-pub-key ~/.sigstore/root/targets/rekor.pub \
- --bundle artifact.bundle \
- artifact.txt
-```
diff --git a/examples/cosign/verify-bundle/main.rs b/examples/cosign/verify-bundle/main.rs
deleted file mode 100644
index f712cba6e9..0000000000
--- a/examples/cosign/verify-bundle/main.rs
+++ /dev/null
@@ -1,82 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-use clap::Parser;
-use sigstore::cosign::bundle::SignedArtifactBundle;
-use sigstore::cosign::ClientBuilder;
-use sigstore::cosign::CosignCapabilities;
-use sigstore::crypto::{CosignVerificationKey, SigningScheme};
-use std::fs;
-use tracing_subscriber::prelude::*;
-use tracing_subscriber::{fmt, EnvFilter};
-
-#[derive(Parser, Debug)]
-#[clap(author, version, about, long_about = None)]
-struct Cli {
- /// Path to bundle file
- #[clap(short, long)]
- bundle: String,
-
- /// Path to artifact to be verified
- blob: String,
-
- /// File containing Rekor's public key (e.g.: ~/.sigstore/root/targets/rekor.pub)
- #[clap(long, required(false))]
- rekor_pub_key: String,
-
- /// File containing the Fulcio root cert (e.g.: ~/.sigstore/root/targets/fulcio.crt.pem)
- #[clap(long, required(false))]
- fulcio_cert: String,
-
- /// Enable verbose mode
- #[clap(short, long)]
- verbose: bool,
-}
-
-#[tokio::main]
-pub async fn main() {
- let cli = Cli::parse();
-
- // setup logging
- let level_filter = if cli.verbose { "debug" } else { "info" };
- let filter_layer = EnvFilter::new(level_filter);
- tracing_subscriber::registry()
- .with(filter_layer)
- .with(fmt::layer().with_writer(std::io::stderr))
- .init();
-
- let rekor_pub_pem =
- fs::read_to_string(&cli.rekor_pub_key).expect("error reading rekor's public key");
- let rekor_pub_key =
- CosignVerificationKey::from_pem(rekor_pub_pem.as_bytes(), &SigningScheme::default())
- .expect("Cannot create Rekor verification key");
- let fulcio_pem =
- fs::read_to_string(&cli.fulcio_cert).expect("error reading fulcio's root cert");
- let bundle_json = fs::read_to_string(&cli.bundle).expect("error reading bundle json file");
- let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
-
- let bundle = SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key).unwrap();
-
- let cosign_client = ClientBuilder::default()
- .with_fulcio_cert(fulcio_pem.as_bytes())
- .with_rekor_pub_key(rekor_pub_pem.as_str())
- .build()
- .unwrap();
-
- match cosign_client.verify_blob_with_bundle(&blob, &bundle.rekor_bundle) {
- Ok(_) => println!("Verification succeeded"),
- Err(e) => eprintln!("Verification failed: {}", e),
- }
-}
diff --git a/examples/cosign/verify-bundle/run.sh b/examples/cosign/verify-bundle/run.sh
deleted file mode 100755
index 37f037a4b7..0000000000
--- a/examples/cosign/verify-bundle/run.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-BLOB="artifact.txt"
-BUNDLE="artifact.bundle"
-
-echo -e "\nGenerate the blob to be signed"
-echo something > $BLOB
-
-echo -e "\nSign the artifact.txt file using sign-blob"
-COSIGN_EXPERIMENTAL=1 cosign sign-blob --bundle=$BUNDLE $BLOB
-
-echo -e "\nVerify using cosign. TODO: remove this later"
-cosign verify-blob --bundle=$BUNDLE $BLOB
-
-echo -e "\nRun examples/cosign/verify-bundle"
-cargo run --example verify-bundle -- \
- --rekor-pub-key ~/.sigstore/root/targets/rekor.pub \
- --bundle $BUNDLE \
- $BLOB
diff --git a/src/rekor/models/log_entry.rs b/src/rekor/models/log_entry.rs
index 9b7c6aeef7..5caadd3db2 100644
--- a/src/rekor/models/log_entry.rs
+++ b/src/rekor/models/log_entry.rs
@@ -106,7 +106,6 @@ pub struct Verification {
 #[derive(Default, Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct InclusionProof {
- pub checkpoint: String,
 pub hashes: Vec,
 pub log_index: i64,
 pub root_hash: String,
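Review bot: Removing `pub checkpoint: String` from `InclusionProof` drops the field that, in Rekor's API, carries the log's signed checkpoint; `root_hash` and `hashes` on their own only let a caller recompute a root, not confirm that the log ever signed it. Because the struct derives `Deserialize` with only `rename_all` and no `deny_unknown_fields`, a `checkpoint` member in a Rekor response will now be ignored silently rather than rejected, so nothing at runtime signals that the data is no longer available to verifiers. If checkpoint handling has moved elsewhere, the commit description should say where; if the field was dropped because some responses omit it, `pub checkpoint: Option<String>` keeps the value without breaking parsing. The struct's closing brace and the rest of `Verification` lie outside the hunk.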