From 578cac2c4f4f91b406d96d50a4eb8cd67ca60984 Mon Sep 17 00:00:00 2001 From: Angel Lopez Date: Thu, 22 Aug 2024 13:05:37 -0400 Subject: [PATCH] NVSHAS-9078: add default rekor client for online tlog verification --- main.go | 50 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/main.go b/main.go index a459dc06..61939179 100644 --- a/main.go +++ b/main.go @@ -19,10 +19,13 @@ import ( "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/cosign/v2/pkg/oci/signature" sig "github.com/sigstore/cosign/v2/pkg/signature" + rekor "github.com/sigstore/rekor/pkg/client" "github.com/sigstore/sigstore/pkg/cryptoutils" sigtuf "github.com/sigstore/sigstore/pkg/tuf" ) +const DEFAULT_REKOR_URL string = "https://rekor.sigstore.dev" + type Configuration struct { ImageDigest string `json:"ImageDigest"` RootsOfTrust []RootOfTrust `json:"RootsOfTrust"` @@ -159,6 +162,10 @@ func generateCosignSignatureObjects(sigData SignatureData) ([]oci.Signature, err return signatures, nil } +func printWarningLine(message string) { + fmt.Printf("\033[33m%s\033[0m\n", message) +} + func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature, proxy Proxy) (satisfiedVerifiers []string, err error) { ctx := context.Background() cosignOptions := cosign.CheckOpts{ClaimVerifier: cosign.SimpleClaimVerifier} @@ -169,22 +176,35 @@ func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature, pr for _, verifier := range rootOfTrust.Verifiers { cosignOptions.SigVerifier = nil cosignOptions.Identities = nil + fmt.Printf(">> checking verifier %s\n", verifier.Name) err = setVerifierCosignOptions(&cosignOptions, verifier, rootOfTrust, ctx) if err != nil { fmt.Printf("ERROR: %s\n", err.Error()) - } else { - for i, signature := range sigs { - fmt.Printf("verifying signature %d\n", i) - _, err := cosign.VerifyImageSignature(ctx, signature, imgDigest, &cosignOptions) - if err != nil { - // the image is not signed by this verifier - fmt.Printf("signature not verified: %s\n", err.Error()) - } else { - fmt.Printf("signature %d satisfies verifier %s\n", i, verifier.Name) - satisfiedVerifiers = append(satisfiedVerifiers, fmt.Sprintf("%s/%s", rootOfTrust.Name, verifier.Name)) - break - } + fmt.Println("could not create valid cosign options for verifier, skipping verifier") + continue + } + + for i, signature := range sigs { + bundle, err := signature.Bundle() + if err != nil { + fmt.Printf("error when retrieving bundle for signature, skipping signature: %s\n", err.Error()) + continue + } + if bundle == nil { + printWarningLine("no bundle found, any tlog verification must happen through network") + } else { + fmt.Printf("signature bundle: %s\n", bundle.Payload.LogID) + } + fmt.Printf("verifying signature %d\n", i) + _, err = cosign.VerifyImageSignature(ctx, signature, imgDigest, &cosignOptions) + if err != nil { + // the image is not signed by this verifier + fmt.Printf("signature not verified: %s\n", err.Error()) + } else { + fmt.Printf("signature %d satisfies verifier %s\n", i, verifier.Name) + satisfiedVerifiers = append(satisfiedVerifiers, fmt.Sprintf("%s/%s", rootOfTrust.Name, verifier.Name)) + break } } } @@ -319,6 +339,12 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier if rootOfTrust.SCTPublicKey == "" { cosignOptions.IgnoreSCT = true } + } else { + rekorClient, err := rekor.GetRekorClient(DEFAULT_REKOR_URL) + if err != nil { + return fmt.Errorf("could not get rekor client for online tlog validation: %s", err.Error()) + } + cosignOptions.RekorClient = rekorClient } if rootOfTrust.RootlessKeypairsOnly { cosignOptions.IgnoreSCT = true