add Attachment to SignedEntity (#857)

Signed-off-by: Jake Sanders <[email protected]>
sigstore · Oct 17, 2021 · c9bf33a · c9bf33a
1 parent 7991c87
commit c9bf33a
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 3 deletions.
diff --git a/pkg/oci/interface.go b/pkg/oci/interface.go
@@ -23,4 +23,7 @@ type SignedEntity interface {
 	// Attestations returns the set of attestations currently associated with this
 	// entity, or the empty equivalent if none are found.
 	Attestations() (Signatures, error)
+
+	// Attachment returns a named entity associated with this entity, or error if not found.
+	Attachment(name string) (File, error)
 }
diff --git a/pkg/oci/mutate/mutate.go b/pkg/oci/mutate/mutate.go
@@ -16,6 +16,7 @@
 package mutate
 
 import (
+	"errors"
 	"fmt"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -77,6 +78,11 @@ func (i *indexWrapper) Attestations() (oci.Signatures, error) {
 	return empty.Signatures(), nil
 }
 
+// Attachment implements oci.SignedImage
+func (*indexWrapper) Attachment(name string) (oci.File, error) {
+	return nil, errors.New("unimplemented")
+}
+
 // SignedImage implements oci.SignedImageIndex
 func (i *indexWrapper) SignedImage(h v1.Hash) (oci.SignedImage, error) {
 	for _, add := range i.addendum {
@@ -208,6 +214,11 @@ func (si *signedImage) Attestations() (oci.Signatures, error) {
 	return AppendSignatures(base, si.att)
 }
 
+// Attachment implements oci.SignedImage
+func (si *signedImage) Attachment(attName string) (oci.File, error) {
+	return nil, errors.New("unimplemented")
+}
+
 // AttachSignatureToImageIndex attaches the provided signature to the provided image index.
 func AttachSignatureToImageIndex(sii oci.SignedImageIndex, sig oci.Signature, opts ...SignOption) (oci.SignedImageIndex, error) {
 	return &signedImageIndex{
@@ -272,3 +283,8 @@ func (sii *signedImageIndex) Attestations() (oci.Signatures, error) {
 	}
 	return AppendSignatures(base, sii.att)
 }
+
+// Attachment implements oci.SignedImageIndex
+func (sii *signedImageIndex) Attachment(attName string) (oci.File, error) {
+	return nil, errors.New("unimplemented")
+}
diff --git a/pkg/oci/remote/image.go b/pkg/oci/remote/image.go
@@ -50,3 +50,8 @@ func (i *image) Signatures() (oci.Signatures, error) {
 func (i *image) Attestations() (oci.Signatures, error) {
 	return attestations(i, i.opt)
 }
+
+// Attestations implements oci.SignedImage
+func (i *image) Attachment(name string) (oci.File, error) {
+	return attachment(i, name, i.opt)
+}
diff --git a/pkg/oci/remote/index.go b/pkg/oci/remote/index.go
@@ -57,6 +57,11 @@ func (i *index) Attestations() (oci.Signatures, error) {
 	return attestations(i, i.opt)
 }
 
+// Attestations implements oci.SignedImage
+func (i *index) Attachment(name string) (oci.File, error) {
+	return attachment(i, name, i.opt)
+}
+
 // SignedImage implements oci.SignedImageIndex
 func (i *index) SignedImage(h v1.Hash) (oci.SignedImage, error) {
 	img, err := i.Image(h)

diff --git a/pkg/oci/remote/remote.go b/pkg/oci/remote/remote.go
@@ -77,8 +77,8 @@ func SignedEntity(ref name.Reference, options ...Option) (oci.SignedEntity, erro
 	}
 }
 
-// normalize turns image digests into tags with an optional suffix:
-// sha256:d34db33f -> sha256-d34db33f.suffix
+// normalize turns image digests into tags with optional prefix & suffix:
+// sha256:d34db33f -> [prefix]sha256-d34db33f[.suffix]
 func normalize(h v1.Hash, prefix string, suffix string) string {
 	if suffix == "" {
 		return fmt.Sprint(prefix, h.Algorithm, "-", h.Hex)
@@ -135,11 +135,24 @@ func signatures(digestable digestable, o *options) (oci.Signatures, error) {
 	return Signatures(o.TargetRepository.Tag(normalize(h, o.TagPrefix, o.SignatureSuffix)), o.OriginalOptions...)
 }
 
-// attestations is a shared implementation of the oci.Signed* Signatures method.
+// attestations is a shared implementation of the oci.Signed* Attestations method.
 func attestations(digestable digestable, o *options) (oci.Signatures, error) {
 	h, err := digestable.Digest()
 	if err != nil {
 		return nil, err
 	}
 	return Signatures(o.TargetRepository.Tag(normalize(h, o.TagPrefix, o.AttestationSuffix)), o.OriginalOptions...)
 }
+
+// attachment is a shared implementation of the oci.Signed* Attachment method.
+func attachment(digestable digestable, attName string, o *options) (oci.File, error) {
+	h, err := digestable.Digest()
+	if err != nil {
+		return nil, err
+	}
+	img, err := SignedImage(o.TargetRepository.Tag(normalize(h, o.TagPrefix, attName)), o.OriginalOptions...)
+	if err != nil {
+		return nil, err
+	}
+	return oci.File(img), nil
+}
diff --git a/pkg/oci/signed/image.go b/pkg/oci/signed/image.go
@@ -16,6 +16,8 @@
 package signed
 
 import (
+	"errors"
+
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 
 	"github.com/sigstore/cosign/pkg/oci"
@@ -44,3 +46,8 @@ func (*image) Signatures() (oci.Signatures, error) {
 func (*image) Attestations() (oci.Signatures, error) {
 	return empty.Signatures(), nil
 }
+
+// Attestations implements oci.SignedImage
+func (*image) Attachment(name string) (oci.File, error) {
+	return nil, errors.New("unimplemented")
+}
diff --git a/pkg/oci/signed/index.go b/pkg/oci/signed/index.go
@@ -16,6 +16,8 @@
 package signed
 
 import (
+	"errors"
+
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 
 	"github.com/sigstore/cosign/pkg/oci"
@@ -65,3 +67,8 @@ func (*index) Signatures() (oci.Signatures, error) {
 func (*index) Attestations() (oci.Signatures, error) {
 	return empty.Signatures(), nil
 }
+
+// Attestations implements oci.SignedImage
+func (*index) Attachment(name string) (oci.File, error) {
+	return nil, errors.New("unimplemented")
+}