sigstore · dekkagaijin · Sep 22, 2021 · Sep 22, 2021
diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go
@@ -29,6 +29,7 @@ import (
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	ociremote "github.com/sigstore/cosign/internal/oci/remote"
+	"github.com/sigstore/cosign/internal/oci/static"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
 	"github.com/sigstore/cosign/pkg/image"
 	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
@@ -99,7 +100,12 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOpts, sigRef, pay
 		return err
 	}
 
-	return cremote.UploadSignature(sigBytes, payload, dstRef, cremote.UploadOpts{RemoteOpts: remoteOpts})
+	sig, err := static.NewSignature(payload, base64.StdEncoding.EncodeToString(sigBytes))
+	if err != nil {
+		return err
+	}
+
+	return cremote.UploadSignature(sig, dstRef, cremote.UploadOpts{RemoteOpts: remoteOpts})
 }
 
 type SignatureArgType uint8

diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
@@ -34,6 +34,7 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
 	ociremote "github.com/sigstore/cosign/internal/oci/remote"
+	"github.com/sigstore/cosign/internal/oci/static"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
@@ -176,22 +177,19 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	if err != nil {
 		return err
 	}
-	sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
+	signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 	if err != nil {
 		return errors.Wrap(err, "signing")
 	}
 
 	if !upload {
-		fmt.Println(base64.StdEncoding.EncodeToString(sig))
+		fmt.Println(base64.StdEncoding.EncodeToString(signedPayload))
 		return nil
 	}
 
-	uo := cremote.UploadOpts{
-		Cert:         sv.Cert,
-		Chain:        sv.Chain,
-		DupeDetector: sv,
-		RemoteOpts:   remoteOpts,
-		MediaType:    types.DssePayloadType,
+	opts := []static.Option{static.WithMediaType(types.DssePayloadType)}
+	if sv.Cert != nil {
+		opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
 	}
 
 	uploadTLog, err := sign.ShouldUploadToTlog(ref, force, ko.RekorURL)
@@ -216,23 +214,30 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 		if err != nil {
 			return err
 		}
-		entry, err := cosign.TLogUploadInTotoAttestation(rekorClient, sig, rekorBytes)
+		entry, err := cosign.TLogUploadInTotoAttestation(rekorClient, signedPayload, rekorBytes)
 		if err != nil {
 			return err
 		}
 		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
 
-		uo.Bundle = sign.Bundle(entry)
-		uo.AdditionalAnnotations = sign.ParseAnnotations(entry)
+		opts = append(opts, static.WithBundle(sign.Bundle(entry)))
 	}
 
 	attRef, err := ociremote.AttestationTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
 	if err != nil {
 		return err
 	}
 
+	sig, err := static.NewSignature(signedPayload, "", opts...)
+	if err != nil {
+		return err
+	}
+
 	fmt.Fprintln(os.Stderr, "Pushing attestation to:", attRef.String())
 	// An attestation represents both the signature and payload. So store the entire thing
 	// in the payload field since they can get large
-	return cremote.UploadSignature([]byte{}, sig, attRef, uo)
+	return cremote.UploadSignature(sig, attRef, cremote.UploadOpts{
+		DupeDetector: sv,
+		RemoteOpts:   remoteOpts,
+	})
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -42,6 +42,7 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/internal/oci"
 	ociremote "github.com/sigstore/cosign/internal/oci/remote"
+	"github.com/sigstore/cosign/internal/oci/static"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
@@ -296,21 +297,20 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOpts, anno
 			}
 		}
 
-		sig, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
+		signature, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 		if err != nil {
 			return errors.Wrap(err, "signing")
 		}
+		b64sig := base64.StdEncoding.EncodeToString(signature)
 
 		if !upload {
-			fmt.Println(base64.StdEncoding.EncodeToString(sig))
+			fmt.Println(b64sig)
 			continue
 		}
 
-		uo := cremote.UploadOpts{
-			Cert:         sv.Cert,
-			Chain:        sv.Chain,
-			DupeDetector: sv,
-			RemoteOpts:   remoteOpts,
+		opts := []static.Option{}
+		if sv.Cert != nil {
+			opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
 		}
 
 		// Check if the image is public (no auth in Get)
@@ -335,23 +335,30 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOpts, anno
 			if err != nil {
 				return err
 			}
-			entry, err := cosign.TLogUpload(rekorClient, sig, payload, rekorBytes)
+			entry, err := cosign.TLogUpload(rekorClient, signature, payload, rekorBytes)
 			if err != nil {
 				return err
 			}
 			fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
 
-			uo.Bundle = Bundle(entry)
-			uo.AdditionalAnnotations = ParseAnnotations(entry)
+			opts = append(opts, static.WithBundle(Bundle(entry)))
 		}
 
 		sigRef, err := ociremote.SignatureTag(img, ociremote.WithRemoteOptions(remoteOpts...))
 		if err != nil {
 			return err
 		}
 
+		sig, err := static.NewSignature(payload, b64sig, opts...)
+		if err != nil {
+			return err
+		}
+
 		fmt.Fprintln(os.Stderr, "Pushing signature to:", sigRef.String())
-		if err := cremote.UploadSignature(sig, payload, sigRef, uo); err != nil {
+		if err := cremote.UploadSignature(sig, sigRef, cremote.UploadOpts{
+			DupeDetector: sv,
+			RemoteOpts:   remoteOpts,
+		}); err != nil {
 			return errors.Wrap(err, "uploading")
 		}
 	}

diff --git a/pkg/cosign/remote/remote.go b/pkg/cosign/remote/remote.go
@@ -25,7 +25,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
-	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/pkg/errors"
 
 	"github.com/sigstore/cosign/internal/oci"
@@ -127,34 +126,11 @@ LayerLoop:
 }
 
 type UploadOpts struct {
-	Cert                  []byte
-	Chain                 []byte
-	DupeDetector          signature.Verifier
-	Bundle                *oci.Bundle
-	AdditionalAnnotations map[string]string
-	RemoteOpts            []remote.Option
-	MediaType             string
+	DupeDetector signature.Verifier
+	RemoteOpts   []remote.Option
 }
 
-func UploadSignature(signature, payload []byte, dst name.Reference, opts UploadOpts) error {
-	b64sig := base64.StdEncoding.EncodeToString(signature)
-	var options []static.Option
-	// Preserve the default
-	if opts.MediaType != "" {
-		options = append(options, static.WithMediaType(types.MediaType(opts.MediaType)))
-	}
-	if opts.Cert != nil {
-		options = append(options, static.WithCertChain(opts.Cert, opts.Chain))
-	}
-	if opts.Bundle != nil {
-		options = append(options, static.WithBundle(opts.Bundle))
-	}
-
-	l, err := static.NewSignature(payload, b64sig, options...)
-	if err != nil {
-		return err
-	}
-
+func UploadSignature(l oci.Signature, dst name.Reference, opts UploadOpts) error {
 	base, err := SignatureImage(dst, opts.RemoteOpts...)
 	if err != nil {
 		return err