From 29ac2ad18ab05537caa8e184921006bce163a168 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Tue, 21 Sep 2021 19:56:15 -0700
Subject: [PATCH] Make `UploadSignature` take an `oci.Signature`.
Now that we have `static.NewSignature`, this shifts the construction out of `UploadSignature` and removes the elements passed via `UploadOpts` to simply be a part of the `NewSignature` call on the caller's side.
With this `UploadSignature` is starting to look pretty lean!
Signed-off-by: Matt Moore
---
 cmd/cosign/cli/attach/sig.go | 8 +++++++-
 cmd/cosign/cli/attest.go | 29 +++++++++++++++++------------
 cmd/cosign/cli/sign/sign.go | 29 ++++++++++++++++++-----------
 pkg/cosign/remote/remote.go | 30 +++---------------------------
 4 files changed, 45 insertions(+), 51 deletions(-)
diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go
index 9ae2e3fc143..5029da1ac22 100644
--- a/cmd/cosign/cli/attach/sig.go
+++ b/cmd/cosign/cli/attach/sig.go
@@ -29,6 +29,7 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 ociremote "github.com/sigstore/cosign/internal/oci/remote"
+ "github.com/sigstore/cosign/internal/oci/static"
 cremote "github.com/sigstore/cosign/pkg/cosign/remote"
 "github.com/sigstore/cosign/pkg/image"
 sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
@@ -99,7 +100,12 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOpts, sigRef, pay
 return err
 }
- return cremote.UploadSignature(sigBytes, payload, dstRef, cremote.UploadOpts{RemoteOpts: remoteOpts})
+ sig, err := static.NewSignature(payload, base64.StdEncoding.EncodeToString(sigBytes))
+ if err != nil {
+ return err
+ }
+
+ return cremote.UploadSignature(sig, dstRef, cremote.UploadOpts{RemoteOpts: remoteOpts})
 }
 type SignatureArgType uint8
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index 628ed84640f..bc108e6ee62 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
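Review bot: The new call `static.NewSignature(payload, base64.StdEncoding.EncodeToString(sigBytes))` uses `encoding/base64` directly in sig.go, but the import hunk at @@ -29 adds only `static`; that is fine if the package already imports it (the earlier part of the command appears to handle base64 input), but the import block is not visible here, so it is worth a build check. This is also the only caller that passes no options to `NewSignature`, which deserves a one-line comment above the call, e.g. `// Plain attached signature: default media type, no certificate chain and no bundle.` SignatureCmd begins before this hunk.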
@@ -34,6 +34,7 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 ociremote "github.com/sigstore/cosign/internal/oci/remote"
+ "github.com/sigstore/cosign/internal/oci/static"
 "github.com/sigstore/cosign/pkg/cosign"
 "github.com/sigstore/cosign/pkg/cosign/attestation"
 cremote "github.com/sigstore/cosign/pkg/cosign/remote"
@@ -176,22 +177,19 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 if err != nil {
 return err
 }
- sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
+ signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 if err != nil {
 return errors.Wrap(err, "signing")
 }
 if !upload {
- fmt.Println(base64.StdEncoding.EncodeToString(sig))
+ fmt.Println(base64.StdEncoding.EncodeToString(signedPayload))
 return nil
 }
- uo := cremote.UploadOpts{
- Cert: sv.Cert,
- Chain: sv.Chain,
- DupeDetector: sv,
- RemoteOpts: remoteOpts,
- MediaType: types.DssePayloadType,
+ opts := []static.Option{static.WithMediaType(types.DssePayloadType)}
+ if sv.Cert != nil {
+ opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
 }
 uploadTLog, err := sign.ShouldUploadToTlog(ref, force, ko.RekorURL)
@@ -216,14 +214,13 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 if err != nil {
 return err
 }
- entry, err := cosign.TLogUploadInTotoAttestation(rekorClient, sig, rekorBytes)
+ entry, err := cosign.TLogUploadInTotoAttestation(rekorClient, signedPayload, rekorBytes)
 if err != nil {
 return err
 }
 fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
- uo.Bundle = sign.Bundle(entry)
- uo.AdditionalAnnotations = sign.ParseAnnotations(entry)
+ opts = append(opts, static.WithBundle(sign.Bundle(entry)))
 }
 attRef, err := ociremote.AttestationTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
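Review bot: The first element of `opts`, `static.WithMediaType(types.DssePayloadType)`, is what lets a later reader of the image tell the attestation layer apart from a plain signature layer, and with this change that decision moves from `UploadSignature` to the call site without a word of explanation; a comment such as `// Tag the layer as a DSSE envelope so verifiers do not treat the attestation as a plain signature.` would keep the reason next to the decision. The removed code converted a string with `types.MediaType(opts.MediaType)` before calling `WithMediaType`, so `WithMediaType` presumably expects the go-containerregistry media type; whether `types.DssePayloadType` as referenced in attest.go satisfies that directly is inferred, not visible in this hunk. AttestCmd begins before this hunk, and `opts` is consumed in the @@ -231 hunk.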
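Review bot: The removed line `uo.AdditionalAnnotations = sign.ParseAnnotations(entry)` has no counterpart on the new side — only `static.WithBundle(sign.Bundle(entry))` is appended — so whatever annotations `ParseAnnotations` derived from the tlog entry are no longer attached to the pushed layer. The same drop occurs in sign.go at @@ -335 (`uo.AdditionalAnnotations = ParseAnnotations(entry)`). If those annotations were redundant with the bundle, the commit message should say so and a comment at the `WithBundle` line, e.g. `// The bundle carries the tlog entry; the per-entry annotations ParseAnnotations used to add are intentionally no longer attached.`, would make that explicit; if any verifier or tooling still reads them, this is a silent behaviour change in what gets published. AttestCmd continues outside the hunk on both sides.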
@@ -231,8 +228,16 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 return err
 }
+ sig, err := static.NewSignature(signedPayload, "", opts...)
+ if err != nil {
+ return err
+ }
 fmt.Fprintln(os.Stderr, "Pushing attestation to:", attRef.String())
 // An attestation represents both the signature and payload. So store the entire thing
 // in the payload field since they can get large
- return cremote.UploadSignature([]byte{}, sig, attRef, uo)
+ return cremote.UploadSignature(sig, attRef, cremote.UploadOpts{
+ DupeDetector: sv,
+ RemoteOpts: remoteOpts,
+ })
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 4985f4a3a79..c1392a0988c 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -42,6 +42,7 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/internal/oci"
 ociremote "github.com/sigstore/cosign/internal/oci/remote"
+ "github.com/sigstore/cosign/internal/oci/static"
 "github.com/sigstore/cosign/pkg/cosign"
 "github.com/sigstore/cosign/pkg/cosign/pivkey"
 cremote "github.com/sigstore/cosign/pkg/cosign/remote"
@@ -296,21 +297,20 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOpts, anno
 }
 }
- sig, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
+ signature, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 if err != nil {
 return errors.Wrap(err, "signing")
 }
+ b64sig := base64.StdEncoding.EncodeToString(signature)
 if !upload {
- fmt.Println(base64.StdEncoding.EncodeToString(sig))
+ fmt.Println(b64sig)
 continue
 }
- uo := cremote.UploadOpts{
- Cert: sv.Cert,
- Chain: sv.Chain,
- DupeDetector: sv,
- RemoteOpts: remoteOpts,
+ opts := []static.Option{}
+ if sv.Cert != nil {
+ opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
 }
 // Check if the image is public (no auth in Get)
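Review bot: The existing comment `// An attestation represents both the signature and payload. So store the entire thing in the payload field since they can get large` now explains a decision that is made four lines earlier, in `static.NewSignature(signedPayload, "", opts...)`, while it still sits above the `UploadSignature` call, which no longer takes a payload at all. Move it above the `NewSignature` call and extend it to say that the empty second argument is the base64-signature slot deliberately left blank because the DSSE envelope in `signedPayload` already carries the signature; otherwise the `""` reads like an oversight. AttestCmd begins before this hunk.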
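Review bot: `opts := []static.Option{}` allocates an empty slice where the idiomatic form is `var opts []static.Option`; a nil slice works with `append` and with the `opts...` spread in the @@ -350 hunk, and it matches the `var options []static.Option` this commit removes from remote.go. This code runs inside the per-image loop (note the `continue`), so `opts` is rebuilt per image as intended and nothing carries over between iterations. SignCmd begins before this hunk.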
@@ -335,14 +335,13 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOpts, anno
 if err != nil {
 return err
 }
- entry, err := cosign.TLogUpload(rekorClient, sig, payload, rekorBytes)
+ entry, err := cosign.TLogUpload(rekorClient, signature, payload, rekorBytes)
 if err != nil {
 return err
 }
 fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
- uo.Bundle = Bundle(entry)
- uo.AdditionalAnnotations = ParseAnnotations(entry)
+ opts = append(opts, static.WithBundle(Bundle(entry)))
 }
 sigRef, err := ociremote.SignatureTag(img, ociremote.WithRemoteOptions(remoteOpts...))
@@ -350,8 +349,16 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOpts, anno
 return err
 }
+ sig, err := static.NewSignature(payload, b64sig, opts...)
+ if err != nil {
+ return err
+ }
 fmt.Fprintln(os.Stderr, "Pushing signature to:", sigRef.String())
- if err := cremote.UploadSignature(sig, payload, sigRef, uo); err != nil {
+ if err := cremote.UploadSignature(sig, sigRef, cremote.UploadOpts{
+ DupeDetector: sv,
+ RemoteOpts: remoteOpts,
+ }); err != nil {
 return errors.Wrap(err, "uploading")
 }
 }
diff --git a/pkg/cosign/remote/remote.go b/pkg/cosign/remote/remote.go
index 6c145ef8e51..a3785916710 100644
--- a/pkg/cosign/remote/remote.go
+++ b/pkg/cosign/remote/remote.go
@@ -25,7 +25,6 @@ import (
 "github.com/google/go-containerregistry/pkg/v1/mutate"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/google/go-containerregistry/pkg/v1/remote/transport"
- "github.com/google/go-containerregistry/pkg/v1/types"
 "github.com/pkg/errors"
 "github.com/sigstore/cosign/internal/oci"
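Review bot: In the @@ -350 hunk the error from `static.NewSignature(payload, b64sig, opts...)` is returned bare, while the neighbouring signing and upload steps wrap theirs with `errors.Wrap(err, "signing")` and `errors.Wrap(err, "uploading")`; for consistency, and so a failure inside the per-image loop can be attributed to a step, use `return errors.Wrap(err, "constructing signature")`. The inline `cremote.UploadOpts{DupeDetector: sv, RemoteOpts: remoteOpts}` literal is repeated verbatim in attest.go at @@ -231; acceptable for now, but a shared constructor would keep the two command paths from drifting. SignCmd continues outside this hunk.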
@@ -127,34 +126,11 @@ LayerLoop:
 }
 type UploadOpts struct {
- Cert []byte
- Chain []byte
- DupeDetector signature.Verifier
- Bundle *oci.Bundle
- AdditionalAnnotations map[string]string
- RemoteOpts []remote.Option
- MediaType string
+ DupeDetector signature.Verifier
+ RemoteOpts []remote.Option
 }
-func UploadSignature(signature, payload []byte, dst name.Reference, opts UploadOpts) error {
- b64sig := base64.StdEncoding.EncodeToString(signature)
- var options []static.Option
- // Preserve the default
- if opts.MediaType != "" {
- options = append(options, static.WithMediaType(types.MediaType(opts.MediaType)))
- }
- if opts.Cert != nil {
- options = append(options, static.WithCertChain(opts.Cert, opts.Chain))
- }
- if opts.Bundle != nil {
- options = append(options, static.WithBundle(opts.Bundle))
- }
- l, err := static.NewSignature(payload, b64sig, options...)
- if err != nil {
- return err
- }
+
+func UploadSignature(l oci.Signature, dst name.Reference, opts UploadOpts) error {
 base, err := SignatureImage(dst, opts.RemoteOpts...)
 if err != nil {
 return err
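Review bot: The new signature `func UploadSignature(l oci.Signature, dst name.Reference, opts UploadOpts) error` keeps `l`, the name of the local that the removed body built, as the parameter name; `sig` reads better for an exported API. Both `UploadSignature` and `UploadOpts` are exported and undocumented, and the contract has just shifted, so add `// UploadSignature attaches sig to the signature image for dst. The caller is responsible for the media type, certificate chain and bundle carried by sig; this function no longer sets them.` above the function and a matching comment on `UploadOpts` (what `DupeDetector` is used for is decided in the part of the body outside this hunk, so describe it from there). The removed body was also a user of `base64` and `static`, yet the import hunk at @@ -25 drops only `types`; presumably other code in remote.go still references them, otherwise the file will not build. The body of UploadSignature continues past the end of this hunk.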