revert to initial keysign bare bones execution

Signed-off-by: Christopher Phillips <[email protected]>

cmd/attest.go

@@ -1,28 +1,30 @@
 package cmd
 
 import (
+	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/internal"
-	"github.com/anchore/syft/internal/bus"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/internal/ui"
 	"github.com/anchore/syft/syft"
-	"github.com/anchore/syft/syft/event"
 	"github.com/anchore/syft/syft/format"
-	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/pkg/errors"
 	"github.com/pkg/profile"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
+	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"github.com/wagoodman/go-partybus"
+
+	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
 var (
@@ -69,16 +71,20 @@ func attestExec(_ *cobra.Command, args []string) error {
 	// can only be an image for attestation
 	userInput := args[0]
 
+	ko := sign.KeyOpts{
+		KeyRef: appConfig.File,
+	}
+
 	return eventLoop(
-		attestationExecWorker(userInput, writer),
+		attestationExecWorker(userInput, ko),
 		setupSignals(),
 		eventSubscription,
 		stereoscope.Cleanup,
 		ui.Select(isVerbose(), appConfig.Quiet)...,
 	)
 }
 
-func attestationExecWorker(userInput string, writer sbom.Writer) <-chan error {
+func attestationExecWorker(userInput string, ko sign.KeyOpts) <-chan error {
 	errs := make(chan error)
 	go func() {
 		defer close(errs)
@@ -89,54 +95,59 @@ func attestationExecWorker(userInput string, writer sbom.Writer) <-chan error {
 			return
 		}
 
-		// TODO: how to select on user desired format option
+		// TODO: currently forced into only SPDX; allow user to specify
 		bytes, err := syft.Encode(*s, format.SPDXJSONOption)
 		if err != nil {
 			errs <- err
 			return
 		}
 
-		err = generateAttestation(bytes, src)
+		err = generateAttestation(bytes, src, ko)
 		if err != nil {
 			errs <- err
 			return
 		}
-
-		bus.Publish(partybus.Event{
-			Type:  event.Exit,
-			Value: func() error { return writer.Write(*s) },
-		})
 	}()
 	return errs
 }
 
-func generateAttestation(predicate []byte, src *source.Source) error {
+// TODO: context object injection
+func generateAttestation(predicate []byte, src *source.Source, ko sign.KeyOpts) error {
 	predicateType := in_toto.PredicateSPDX
 
 	h, _ := v1.NewHash(src.Image.Metadata.ManifestDigest)
 
-	sv, err := sign.SignerFromKeyOpts()
+	// TODO: inject command context and cert path
+	sv, err := sign.SignerFromKeyOpts(context.Background(), "", ko)
 	if err != nil {
 		return err
 	}
 	defer sv.Close()
+	// TODO: can we include our own types here?
+	wrapped := dsse.WrapSigner(sv, "application/syft.in-toto+json")
 
 	fmt.Fprintln(os.Stderr, "Using generated sbom as payload")
 
 	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
-		Predicate: predicate,
+		Predicate: bytes.NewBuffer(predicate),
 		Type:      predicateType,
 		Digest:    h.Hex,
 	})
 	if err != nil {
 		return err
 	}
 
-	_, err = json.Marshal(sh)
+	payload, err := json.Marshal(sh)
 	if err != nil {
 		return err
 	}
 
+	signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(context.Background()))
+	if err != nil {
+		return errors.Wrap(err, "signing")
+	}
+
+	fmt.Println(string(signedPayload))
 	return nil
 }
 

go.mod

@@ -37,10 +37,12 @@ require (
 	github.com/mitchellh/mapstructure v1.4.3
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/pelletier/go-toml v1.9.4
+	github.com/pkg/errors v0.9.1
 	github.com/pkg/profile v1.5.0
 	github.com/scylladb/go-set v1.0.2
 	github.com/sergi/go-diff v1.2.0
 	github.com/sigstore/cosign v1.5.0
+	github.com/sigstore/sigstore v1.1.1-0.20220115165716-9f61ddc98390
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spdx/tools-golang v0.1.0
 	github.com/spf13/afero v1.8.0

internal/formats/formats.go

@@ -23,7 +23,6 @@ func All() []format.Format {
 		spdx22json.Format(),
 		spdx22tagvalue.Format(),
 		text.Format(),
-		attestation.Format(),
 	}
 }
 

syft/sbom/sbom.go

@@ -31,16 +31,6 @@ type Descriptor struct {
 	Configuration interface{}
 }
 
-func mergeRelationships(cs ...<-chan artifact.Relationship) (relationships []artifact.Relationship) {
-	for _, c := range cs {
-		for n := range c {
-			relationships = append(relationships, n)
-		}
-	}
-
-	return relationships
-}
-
 func AllCoordinates(sbom SBOM) []source.Coordinates {
 	set := source.NewCoordinateSet()
 	for coordinates := range sbom.Artifacts.FileMetadata {