feat: move cosign to be a built in verifier (#1343)

ratify-project · Mar 28, 2024 · dd1b883 · dd1b883
1 parent 75976cc
commit dd1b883
Show file tree

Hide file tree

Showing 13 changed files with 652 additions and 278 deletions.
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -61,7 +61,6 @@ jobs:
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
-            --build-arg build_cosign=true \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \
             --build-arg build_schemavalidator=true \

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -59,7 +59,6 @@ jobs:
           docker buildx create --use
           docker buildx build -f ./httpserver/Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
-            --build-arg build_cosign=true \
             --build-arg build_sbom=true \
             --build-arg build_licensechecker=true \
             --build-arg build_schemavalidator=true \

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -36,10 +36,10 @@ builds:
     ignore:
       - goos: windows
         goarch: arm64
-
-  - id: cosign
-    dir: plugins/verifier/cosign
-    binary: cosign
+  
+  - id: vulnerabilityreport
+    dir: plugins/verifier/vulnerabilityreport
+    binary: vulnerabilityreport
     env:
       - CGO_ENABLED=0
     goos:

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -77,16 +77,16 @@
       ],
     },
     {
-      "name": "Debug Cosign Plugin",
+      "name": "Debug SBOM Plugin",
       "type": "go",
       "request": "launch",
       "mode": "auto",
-      "program": "${workspaceFolder}/plugins/verifier/cosign",
+      "program": "${workspaceFolder}/plugins/verifier/sbom",
       "env": {
         "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
         "RATIFY_LOG_LEVEL": "debug",
         "RATIFY_VERIFIER_COMMAND": "VERIFY",
-        "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/cosign-image:signed",
+        "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom",
         "RATIFY_VERIFIER_VERSION": "1.0.0",
       },
       "console": "integratedTerminal"

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -84,16 +84,16 @@ Sample launch json for debugging a plugin:
 {
   "version": "0.2.0",
   "configurations": [{
-    "name": "Debug Cosign Plugin",
+    "name": "Debug SBOM Plugin",
     "type": "go",
     "request": "launch",
     "mode": "auto",
-    "program": "${workspaceFolder}/plugins/verifier/cosign",
+    "program": "${workspaceFolder}/plugins/verifier/sbom",
     "env": {
       "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
       "RATIFY_LOG_LEVEL": "debug",
       "RATIFY_VERIFIER_COMMAND": "VERIFY",
-      "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/cosign-image:signed",
+      "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom",
       "RATIFY_VERIFIER_VERSION": "1.0.0",
     },
     "console": "integratedTerminal"
@@ -107,15 +107,15 @@ Sample JSON stdin
 ```json
 {
   "config": {
-    "artifactTypes":"application/vnd.dev.cosign.artifact.sig.v1+json",
-    "key":"/home/akashsinghal/ratify/.staging/cosign/cosign.pub",
-    "name":"cosign"
+    "artifactTypes":"application/spdx+json",
+    "name":"sbom",
+    "disallowedLicenses":["AGPL"],
+    "disallowedPackages":[{"name":"log4j-core","versionInfo":"2.13.0"}]
   },
   "storeConfig": {
     "version":"1.0.0",
     "pluginBinDirs":null,
     "store": {
-      "cosignEnabled":true,
       "name":"oras",
       "useHttp":true
     }
@@ -124,7 +124,7 @@ Sample JSON stdin
     "mediaType":"application/vnd.oci.image.manifest.v1+json",
     "digest":"sha256:...",
     "size":558,
-    "artifactType":"application/vnd.dev.cosign.artifact.sig.v1+json"
+    "artifactType":"application/spdx+json"
   }
 }
 ```
@@ -144,7 +144,7 @@ Follow the steps below to build and deploy a Ratify image with your private chan
 export REGISTRY=yourregistry
 docker buildx create --use
 
-docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_cosign=true --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true --build-arg build_vulnerabilityreport=true -t ${REGISTRY}/deislabs/ratify:yourtag .
+docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true --build-arg build_vulnerabilityreport=true -t ${REGISTRY}/deislabs/ratify:yourtag .
 docker build --progress=plain --build-arg KUBE_VERSION="1.27.7" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
 ```
 

diff --git a/Makefile b/Makefile
@@ -75,7 +75,6 @@ build-cli: fmt vet
 
 .PHONY: build-plugins
 build-plugins:
-	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/cosign/... -o ./bin/plugins/ ./plugins/verifier/cosign
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/licensechecker/... -o ./bin/plugins/ ./plugins/verifier/licensechecker
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/sample/... -o ./bin/plugins/ ./plugins/verifier/sample
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/referrerstore/sample/... -o ./bin/plugins/referrerstore/ ./plugins/referrerstore/sample
@@ -530,7 +529,6 @@ e2e-deploy-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-cosign-se
 
 e2e-build-local-ratify-image:
 	docker build --progress=plain --no-cache \
-	--build-arg build_cosign=true \
 	--build-arg build_sbom=true \
 	--build-arg build_licensechecker=true \
 	--build-arg build_schemavalidator=true \

diff --git a/cmd/ratify/main.go b/cmd/ratify/main.go
@@ -24,6 +24,7 @@ import (
 	_ "github.com/deislabs/ratify/pkg/policyprovider/configpolicy" // register configpolicy policy provider
 	_ "github.com/deislabs/ratify/pkg/policyprovider/regopolicy"   // register regopolicy policy provider
 	_ "github.com/deislabs/ratify/pkg/referrerstore/oras"          // register oras referrer store
+	_ "github.com/deislabs/ratify/pkg/verifier/cosign"             // register cosign verifier
 	_ "github.com/deislabs/ratify/pkg/verifier/notation"           // register notation verifier
 )
 

diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile
@@ -23,7 +23,6 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 ARG GOPROXY
 ARG build_sbom
-ARG build_cosign
 ARG build_licensechecker
 ARG build_schemavalidator
 ARG build_vulnerabilityreport
@@ -41,7 +40,6 @@ COPY . .
 RUN go build -ldflags "${LDFLAGS}" -o /app/out/ /app/cmd/ratify
 RUN mkdir /app/out/plugins
 RUN if [ "$build_sbom" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/sbom; fi
-RUN if [ "$build_cosign" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/cosign; fi
 RUN if [ "$build_licensechecker" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/licensechecker; fi
 RUN if [ "$build_schemavalidator" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/schemavalidator; fi
 RUN if [ "$build_vulnerabilityreport" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/vulnerabilityreport; fi