
add tentative support for passing digest
Signed-off-by: Bob Callaway <[email protected]>
bobcallaway committed Dec 14, 2024
1 parent 87d7063 commit 2678134
Showing 3 changed files with 61 additions and 13 deletions.
35 changes: 28 additions & 7 deletions cmd/cosign/cli/verify/verify_blob.go
Expand Up @@ -27,7 +27,9 @@ import (
"io/fs"
"os"
"path/filepath"
"strings"

v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/v2/internal/ui"
Expand Down Expand Up @@ -122,11 +124,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
return err
}

blobBytes, err := payloadBytes(blobRef)
if err != nil {
return err
}

co := &cosign.CheckOpts{
CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: c.CertGithubWorkflowSHA,
Expand Down Expand Up @@ -300,12 +297,36 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
}
}

var hash *v1.Hash
var blobBytes []byte
if _, err := os.Stat(blobRef); err != nil {
if hexAlg, hexDigest, ok := strings.Cut(blobRef, ":"); !ok {
return err
} else {
hash = &v1.Hash{
Algorithm: hexAlg,
Hex: hexDigest,
}
}
} else {
blobBytes, err = payloadBytes(blobRef)
if err != nil {
return err
}
}

signature, err := static.NewSignature(blobBytes, sig, opts...)
if err != nil {
return err
}
if _, err = cosign.VerifyBlobSignature(ctx, signature, co); err != nil {
return err
if hash == nil {
if _, err = cosign.VerifyBlobSignature(ctx, signature, co); err != nil {
return err
}
} else {
if _, err = cosign.VerifyImageSignature(ctx, signature, *hash, co); err != nil {
return err
}
}

ui.Infof(ctx, "Verified OK")
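Review bot: The digest branch on L45-L53 accepts any `<alg>:<hex>` string unchecked — `hexAlg` and `hexDigest` are copied straight into `v1.Hash`, so `sha1:abc`, or a nonexistent path that merely contains a colon (the Stat error is discarded the moment `strings.Cut` succeeds), is silently turned into a "digest" and the problem surfaces, if at all, somewhere inside VerifyImageSignature. `v1.NewHash` from the package already imported on L23 parses and validates the form, and the Stat error should stay in the message so a mistyped path is not quietly reinterpreted. Separately, in the digest case `blobBytes` stays nil, so `static.NewSignature` on L61 wraps an empty payload; whether VerifyImageSignature then actually binds the supplied hash to the signature, or only verifies the signature over that empty payload with the hash consulted by a ClaimVerifier that verify-blob may not set, is not visible in this hunk and deserves a test that supplies a wrong digest for a valid signature and asserts failure. The `else` after the returning `if` on L46-L53 is the pattern revive's indent-error-flow flags. Exec begins and ends outside this hunk; the rewrite below assumes `fmt` is already imported in this file.
```go
	var hash *v1.Hash
	var blobBytes []byte
	if _, statErr := os.Stat(blobRef); statErr != nil {
		// Not a readable file: accept it only as a well-formed <alg>:<hex> digest,
		// and keep the Stat error so a mistyped path is not silently reinterpreted.
		h, err := v1.NewHash(blobRef)
		if err != nil {
			return fmt.Errorf("%q is neither a readable file (%w) nor a valid digest: %v", blobRef, statErr, err)
		}
		hash = &h
	} else {
		// … unchanged: payloadBytes(blobRef) …
	}
```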
29 changes: 23 additions & 6 deletions cmd/cosign/cli/verify/verify_bundle.go
Expand Up @@ -21,8 +21,11 @@ import (
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"encoding/json"
"fmt"
"os"
"strings"
"time"

"github.com/secure-systems-lab/go-securesystemslib/dsse"
Expand Down Expand Up @@ -167,19 +170,33 @@ func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, s
verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsUnsafe())
}

// Perform verification
payload, err := payloadBytes(artifactRef)
if err != nil {
return nil, err
// Check if artifactRef is a digest or a file path
var artifactOpt verify.ArtifactPolicyOption
if _, err := os.Stat(artifactRef); err != nil {
if hexAlg, hexDigest, ok := strings.Cut(artifactRef, ":"); !ok {
return nil, err
} else {

digestBytes, err := hex.DecodeString(hexDigest)
if err != nil {
return nil, err
}
artifactOpt = verify.WithArtifactDigest(hexAlg, digestBytes)
}
} else {
// Perform verification
payload, err := payloadBytes(artifactRef)
if err != nil {
return nil, err
}
artifactOpt = verify.WithArtifact(bytes.NewBuffer(payload))
}
buf := bytes.NewBuffer(payload)

sev, err := verify.NewSignedEntityVerifier(trustedmaterial, verifierConfig...)
if err != nil {
return nil, err
}

return sev.Verify(bundle, verify.NewPolicy(verify.WithArtifact(buf), identityPolicies...))
return sev.Verify(bundle, verify.NewPolicy(artifactOpt, identityPolicies...))
}

func AssembleNewBundle(ctx context.Context, sigBytes, signedTimestamp []byte, envelope *dsse.Envelope, artifactRef string, cert *x509.Certificate, ignoreTlog bool, sigVerifier signature.Verifier, pkOpts []signature.PublicKeyOption, rekorClient *client.Rekor) (*sgbundle.Bundle, error) {
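Review bot: On L103-L119 a nonexistent path that happens to contain a colon is silently reinterpreted as a digest: the Stat error is dropped as soon as `strings.Cut` succeeds, and `hexAlg` is never checked, so a ref like `release:deadbeef` reaches `verify.WithArtifactDigest` as algorithm "release" with a 4-byte digest. Whether sigstore-go rejects an unknown algorithm or a digest of the wrong length is not visible here; checking the length against the named algorithm locally (`sha256.Size` is already in scope via the import on L82) makes the rejection explicit and independent of that library's behaviour, and carrying the Stat error in the message tells the user their path was not found rather than that their "digest" was malformed. The `else` after the returning `if` on L104-L120 is what the lint job flagged. verifyNewBundle begins outside this hunk.
```go
	// Check if artifactRef is a digest or a file path
	var artifactOpt verify.ArtifactPolicyOption
	if _, statErr := os.Stat(artifactRef); statErr != nil {
		// Not a readable file: accept it only as a well-formed <alg>:<hex> digest,
		// and keep the Stat error so a mistyped path is not silently reinterpreted.
		hexAlg, hexDigest, ok := strings.Cut(artifactRef, ":")
		if !ok {
			return nil, statErr
		}
		digestBytes, err := hex.DecodeString(hexDigest)
		if err != nil {
			return nil, fmt.Errorf("%q is neither a readable file (%w) nor a hex digest: %v", artifactRef, statErr, err)
		}
		// Only algorithms the bundle verifier understands; extend as support is added.
		wantLen := map[string]int{"sha256": sha256.Size}[hexAlg]
		if wantLen == 0 || len(digestBytes) != wantLen {
			return nil, fmt.Errorf("unsupported or malformed digest %q (%w)", artifactRef, statErr)
		}
		artifactOpt = verify.WithArtifactDigest(hexAlg, digestBytes)
	} else {
		// … unchanged: payloadBytes(artifactRef) + verify.WithArtifact …
	}
```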
10 changes: 10 additions & 0 deletions cmd/cosign/cli/verify/verify_bundle_test.go
Expand Up @@ -23,7 +23,9 @@ import (
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"fmt"
"os"
"path/filepath"
"testing"
Expand All @@ -36,6 +38,7 @@ func TestVerifyBundleWithKey(t *testing.T) {
ctx := context.Background()
artifact := "hello world"
digest := sha256.Sum256([]byte(artifact))
hexDigest := hex.EncodeToString(digest[:])

privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
checkErr(t, err)
Expand Down Expand Up @@ -88,6 +91,13 @@ func TestVerifyBundleWithKey(t *testing.T) {
if result == nil {
t.Fatal("invalid verification result")
}

result2, err := verifyNewBundle(ctx, bundlePath, trustedRootPath, publicKeyPath, "", "", "", "", "", "", "", "", "", "", fmt.Sprintf("sha256:%s", hexDigest), false, true, false, true)
checkErr(t, err)

if result2 == nil {
t.Fatal("invalid verification result")
}
}

func checkErr(t *testing.T, err error) {
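Review bot: The new call on L167 only exercises a well-formed, correct sha256 digest; the digest-parsing branch it reaches is new input handling and the security-relevant assertion is the negative one — the same bundle verified against a different `sha256:` digest must return an error, and malformed refs such as `sha256:zz` or `nosuchfile:1234` must error rather than verify. One `t.Run` per case ending in `if err == nil { t.Fatal("expected verification to fail") }` is enough. The long positional call is hard to read; a comment naming which of the trailing arguments are being toggled, or a small options struct in the test helper, would help the next reader. TestVerifyBundleWithKey begins outside this hunk.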
