Upgrade to cosign v2 and be more clear on the deprecation of sget:// (

#2023) ## Description This updates Zarf to cosign v2 and is more clear about sget deprecations. ## Related Issue Fixes #2019 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
zarf-dev · Sep 21, 2023 · c854f33 · c854f33
1 parent 68cd54b
commit c854f33
Show file tree

Hide file tree

Showing 8 changed files with 400 additions and 215 deletions.
diff --git a/adr/0014-oci-publish.md b/adr/0014-oci-publish.md
@@ -53,7 +53,7 @@ For an example of this in action, please see the corresponding [tutorial](../doc
 
 Backwards compatibility was an important considering when making these changes. We had to implement logic to make sure a new version of the Zarf binary could still operate with older versions of Zarf packages.
 
-At the moment we are testing the backwards compatibility by virtue of maintaining the `./src/test/e2e/27_cosign_deploy_test.go` where we are deploying an old Zarf package via `sget`.
+At the moment we are testing the backwards compatibility by virtue of maintaining the `./src/test/e2e/27_cosign_deploy_test.go` where we are deploying an old Zarf package via `sget` (which itself is now deprecated).
 
 One thing we may want to look at more in the future is how we can get more intricate tests around the backwards compatibility.
 

diff --git a/docs/0-zarf-overview.md b/docs/0-zarf-overview.md
@@ -189,7 +189,7 @@ zarf init
 
 
 # You are ready to deploy any Zarf Package, try out our Retro Arcade!!
-zarf package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m)
+zarf package deploy oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0-$(uname -m) --key=https://zarf.dev/cosign.pub
 ```
 
 :::note
@@ -227,7 +227,7 @@ zarf init
 
 
 # You are ready to deploy any Zarf Package, try out our Retro Arcade!!
-zarf package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m)
+zarf package deploy oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0-$(uname -m) --key=https://zarf.dev/cosign.pub
 ```
 
 </TabItem>

diff --git a/docs/4-deploy-a-zarf-package/index.md b/docs/4-deploy-a-zarf-package/index.md
@@ -59,6 +59,6 @@ $ zarf connect [service name]
 
 :::note
 
-You can also specify a package locally, or via oci or sget such as `zarf package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m)`
+You can also specify a package locally, or via oci such as `zarf package deploy oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0-$(uname -m) --key=https://zarf.dev/cosign.pub`
 
 :::
diff --git a/docs/5-zarf-tutorials/3-deploy-a-retro-arcade.md b/docs/5-zarf-tutorials/3-deploy-a-retro-arcade.md
@@ -21,9 +21,7 @@ Before beginning this tutorial you will need the following:
 
 ## Deploying the Arcade
 
-<!-- TODO: (@WSTARR) This should point to an OCI version of this at some point. -->
-
-1. The `dos-games` package is easily deployable via `sget://` by running `zarf package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m)`.
+1. The `dos-games` package is easily deployable via `oci://` by running `zarf package deploy oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0-$(uname -m) --key=https://zarf.dev/cosign.pub`.
 
 :::tip
 

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/src/cmd/tools/zarf.go b/src/cmd/tools/zarf.go
@@ -23,7 +23,7 @@ import (
 	"github.com/defenseunicorns/zarf/src/pkg/packager"
 	"github.com/defenseunicorns/zarf/src/pkg/pki"
 	"github.com/defenseunicorns/zarf/src/types"
-	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/spf13/cobra"
 )
 

diff --git a/src/pkg/utils/sget.go b/src/pkg/utils/sget.go
@@ -20,13 +20,13 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 
-	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/cmd/cosign/cli/verify"
-	"github.com/sigstore/cosign/pkg/cosign"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
-	sigs "github.com/sigstore/cosign/pkg/signature"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+	sigs "github.com/sigstore/cosign/v2/pkg/signature"
 
 	// Register the provider-specific plugins
 	_ "github.com/sigstore/sigstore/pkg/signature/kms/aws"
@@ -105,6 +105,10 @@ func Sget(ctx context.Context, image, key string, out io.Writer) error {
 		return fmt.Errorf("getting Fulcio intermediates: %w", err)
 	}
 
+	co.IgnoreTlog = true
+	co.IgnoreSCT = true
+	co.Offline = true
+
 	verifyMsg := fmt.Sprintf("%s cosign verified: ", image)
 
 	sp, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co)
@@ -175,22 +179,16 @@ func Sget(ctx context.Context, image, key string, out io.Writer) error {
 }
 
 // CosignVerifyBlob verifies the zarf.yaml.sig was signed with the key provided by the flag
-func CosignVerifyBlob(blobPath string, sigPath string, keyPath string) error {
-	ctx := context.TODO()
+func CosignVerifyBlob(blobRef string, sigRef string, keyPath string) error {
 	keyOptions := options.KeyOpts{KeyRef: keyPath}
-	certRef := ""
-	certEmail := ""
-	certIdentity := ""
-	certOidcIssuer := ""
-	certChain := ""
-	certGithubWorkflowTrigger := ""
-	certGithubWorkflowSha := ""
-	certGithubWorkflowName := ""
-	certGithubWorkflowRepository := ""
-	certGithubWorkflowRef := ""
-	enforceSCT := false
-
-	err := verify.VerifyBlobCmd(ctx, keyOptions, certRef, certEmail, certIdentity, certOidcIssuer, certChain, sigPath, blobPath, certGithubWorkflowTrigger, certGithubWorkflowSha, certGithubWorkflowName, certGithubWorkflowRepository, certGithubWorkflowRef, enforceSCT)
+	cmd := &verify.VerifyBlobCmd{
+		KeyOpts:    keyOptions,
+		SigRef:     sigRef,
+		IgnoreSCT:  true,
+		Offline:    true,
+		IgnoreTlog: true,
+	}
+	err := cmd.Exec(context.TODO(), blobRef)
 	if err == nil {
 		message.Successf("Package signature validated!")
 	}
@@ -202,25 +200,19 @@ func CosignVerifyBlob(blobPath string, sigPath string, keyPath string) error {
 func CosignSignBlob(blobPath string, outputSigPath string, keyPath string, passwordFunc func(bool) ([]byte, error)) ([]byte, error) {
 	rootOptions := &options.RootOptions{Verbose: false, Timeout: options.DefaultTimeout}
 
-	regOptions := options.RegistryOptions{
-		AllowInsecure:      true,
-		KubernetesKeychain: false,
-		RefOpts:            options.ReferenceOptions{TagPrefix: ""},
-		Keychain:           nil,
-	}
-
 	keyOptions := options.KeyOpts{KeyRef: keyPath,
 		PassFunc: passwordFunc}
 	b64 := true
 	outputCertificate := ""
+	tlogUpload := false
 
 	sig, err := sign.SignBlobCmd(rootOptions,
 		keyOptions,
-		regOptions,
 		blobPath,
 		b64,
 		outputSigPath,
-		outputCertificate)
+		outputCertificate,
+		tlogUpload)
 
 	return sig, err
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,6 +59,6 @@ $ zarf connect [service name] @@
     :::note
-    You can also specify a package locally, or via oci or sget such as `zarf package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m)`
+    You can also specify a package locally, or via oci such as `zarf package deploy oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0-$(uname -m) --key=https://zarf.dev/cosign.pub`
     :::