Bump sigstore/sigstore, cosign, in-toto-golang (tektoncd#739)

* Bump sigstore/sigstore, sigstore/cosign, in-toto-golang Bumps s/s to 1.6 Bumps cosign to v2 (needed due to conflicting dependencies due to a breaking change in intoto) Bumps intoto to latest commit to pull in in-toto/in-toto-golang@2d81ebf * Fix e2e test. Increases timeout for failed pipeline run test. Cosign v2 introduces retries for transparency log writing, which I think is pushing us past the 1 minute threshold. * Use in-toto-golang v0.7.1
PuneetPunamiya · Apr 6, 2023 · 50a40c0 · 50a40c0
1 parent db763c3
commit 50a40c0
Show file tree

Hide file tree

Showing 3,055 changed files with 89,754 additions and 564,948 deletions.
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -26,7 +26,7 @@ import (
 	// We link this here to give downstreams greater choice/control over
 	// which providers they pull in, by linking their own variants in their
 	// own binary entrypoint.
-	_ "github.com/sigstore/cosign/pkg/providers/all"
+	_ "github.com/sigstore/cosign/v2/pkg/providers/all"
 
 	// Register the provider-specific plugins
 	_ "github.com/sigstore/sigstore/pkg/signature/kms/aws"

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/chains/rekor.go b/pkg/chains/rekor.go
@@ -15,9 +15,10 @@ package chains
 
 import (
 	"context"
+	"crypto/sha256"
 
 	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	rc "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
@@ -50,7 +51,12 @@ func (r *rekor) UploadTlog(ctx context.Context, signer signing.Signer, signature
 	if _, ok := formats.IntotoAttestationSet[config.PayloadType(payloadFormat)]; ok {
 		return cosign.TLogUploadInTotoAttestation(ctx, r.c, signature, pkoc)
 	}
-	return cosign.TLogUpload(ctx, r.c, signature, rawPayload, pkoc)
+
+	h := sha256.New()
+	if _, err := h.Write(rawPayload); err != nil {
+		return nil, errors.Wrap(err, "error checksuming payload")
+	}
+	return cosign.TLogUpload(ctx, r.c, signature, h, pkoc)
 }
 
 // return the cert if we have it, otherwise return public key

diff --git a/pkg/chains/signing.go b/pkg/chains/signing.go
@@ -194,6 +194,7 @@ func (o *ObjectSigner) Sign(ctx context.Context, tektonObj objects.TektonObject)
 
 				entry, err := rekorClient.UploadTlog(ctx, signer, signature, rawPayload, signer.Cert(), string(payloadFormat))
 				if err != nil {
+					logger.Warnf("error uploading entry to tlog: %v", err)
 					merr = multierror.Append(merr, err)
 				} else {
 					logger.Infof("Uploaded entry to %s with index %d", cfg.Transparency.URL, *entry.LogIndex)
@@ -205,6 +206,7 @@ func (o *ObjectSigner) Sign(ctx context.Context, tektonObj objects.TektonObject)
 		}
 		if merr.ErrorOrNil() != nil {
 			if err := HandleRetry(ctx, tektonObj, o.Pipelineclientset, extraAnnotations); err != nil {
+				logger.Warnf("error handling retry: %v", err)
 				merr = multierror.Append(merr, err)
 			}
 			return merr

diff --git a/pkg/chains/signing/wrap.go b/pkg/chains/signing/wrap.go
@@ -67,7 +67,7 @@ type sslAdapter struct {
 	pk      crypto.PublicKey
 }
 
-func (w *sslAdapter) Sign(data []byte) ([]byte, error) {
+func (w *sslAdapter) Sign(ctx context.Context, data []byte) ([]byte, error) {
 	sig, err := w.wrapped.SignMessage(bytes.NewReader(data))
 	return sig, err
 }
@@ -80,7 +80,7 @@ func (w *sslAdapter) Public() crypto.PublicKey {
 	return w.pk
 }
 
-func (w *sslAdapter) Verify(data, sig []byte) error {
+func (w *sslAdapter) Verify(_ context.Context, data, sig []byte) error {
 	panic("unimplemented")
 }
 
@@ -101,7 +101,7 @@ func (w *sslSigner) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicK
 }
 
 func (w *sslSigner) Sign(ctx context.Context, payload []byte) ([]byte, []byte, error) {
-	env, err := w.wrapper.SignPayload(in_toto.PayloadType, payload)
+	env, err := w.wrapper.SignPayload(ctx, in_toto.PayloadType, payload)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -117,7 +117,7 @@ func (w *sslSigner) SignMessage(payload io.Reader, opts ...signature.SignOption)
 	if err != nil {
 		return nil, err
 	}
-	env, err := w.wrapper.SignPayload(in_toto.PayloadType, m)
+	env, err := w.wrapper.SignPayload(context.TODO(), in_toto.PayloadType, m)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/chains/signing/x509/fsprovider.go b/pkg/chains/signing/x509/fsprovider.go
@@ -19,8 +19,8 @@ import (
 	"context"
 	"os"
 
-	"github.com/sigstore/cosign/pkg/providers"
-	"github.com/sigstore/cosign/pkg/providers/filesystem"
+	"github.com/sigstore/cosign/v2/pkg/providers"
+	"github.com/sigstore/cosign/v2/pkg/providers/filesystem"
 )
 
 const (

diff --git a/pkg/chains/signing/x509/x509.go b/pkg/chains/signing/x509/x509.go
@@ -28,10 +28,10 @@ import (
 	"path/filepath"
 
 	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
-	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/pkg/cosign"
-	"github.com/sigstore/cosign/pkg/providers"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/providers"
 
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/tuf"
@@ -110,17 +110,25 @@ func fulcioSigner(ctx context.Context, cfg config.X509Signer, logger *zap.Sugare
 	}
 
 	logger.Info("Signing with fulcio ...")
+	priv, err := cosign.GeneratePrivateKey()
+	if err != nil {
+		return nil, fmt.Errorf("error generating keypair: %w", err)
+	}
+	signer, err := signature.LoadECDSASignerVerifier(priv, crypto.SHA256)
+	if err != nil {
+		return nil, fmt.Errorf("error loading sigstore signer: %w", err)
+	}
 	k, err := fulcio.NewSigner(ctx, options.KeyOpts{
 		FulcioURL:    cfg.FulcioAddr,
 		IDToken:      tok,
 		OIDCIssuer:   cfg.FulcioOIDCIssuer,
 		OIDCClientID: defaultOIDCClientID,
-	})
+	}, signer)
 	if err != nil {
 		return nil, errors.Wrap(err, "new signer")
 	}
 	return &Signer{
-		SignerVerifier: k.ECDSASignerVerifier,
+		SignerVerifier: signer,
 		cert:           string(k.Cert),
 		chain:          string(k.Chain),
 		logger:         logger,

diff --git a/pkg/chains/signing/x509/x509_test.go b/pkg/chains/signing/x509/x509_test.go
@@ -25,7 +25,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/sigstore/cosign/pkg/providers"
+	"github.com/sigstore/cosign/v2/pkg/providers"
 	"github.com/tektoncd/chains/pkg/config"
 	logtesting "knative.dev/pkg/logging/testing"
 )

diff --git a/pkg/chains/storage/grafeas/grafeas.go b/pkg/chains/storage/grafeas/grafeas.go
@@ -24,7 +24,7 @@ import (
 	pb "github.com/grafeas/grafeas/proto/v1/grafeas_go_proto"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/pkg/types"
+	"github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/tektoncd/chains/pkg/chains/formats"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
 	"github.com/tektoncd/chains/pkg/chains/objects"

diff --git a/pkg/chains/storage/oci/oci.go b/pkg/chains/storage/oci/oci.go
@@ -29,11 +29,11 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/pkg/oci"
-	"github.com/sigstore/cosign/pkg/oci/mutate"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
-	"github.com/sigstore/cosign/pkg/oci/static"
-	"github.com/sigstore/cosign/pkg/types"
+	"github.com/sigstore/cosign/v2/pkg/oci"
+	"github.com/sigstore/cosign/v2/pkg/oci/mutate"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/static"
+	"github.com/sigstore/cosign/v2/pkg/types"
 	"github.com/tektoncd/chains/pkg/artifacts"
 	"github.com/tektoncd/chains/pkg/chains/formats/simple"
 	"github.com/tektoncd/chains/pkg/config"

diff --git a/test/clients.go b/test/clients.go
@@ -39,7 +39,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/tektoncd/pipeline/pkg/names"
 

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -569,7 +569,7 @@ func TestRetryFailed(t *testing.T) {
 			obj := tekton.CreateObject(t, ctx, c.PipelineClient, test.getObject(ns))
 
 			// Give it a minute to complete.
-			if got := waitForCondition(ctx, t, c.PipelineClient, obj, failed, time.Minute); got == nil {
+			if got := waitForCondition(ctx, t, c.PipelineClient, obj, failed, 2*time.Minute); got == nil {
 				t.Fatal("expected failure; object never failed")
 			}
 		})

diff --git a/test/examples_test.go b/test/examples_test.go
@@ -175,7 +175,7 @@ func runInTotoFormatterTests(ctx context.Context, t *testing.T, ns string, c *cl
 				t.Fatal(err)
 			}
 
-			if _, err := ev.Verify(&env); err != nil {
+			if _, err := ev.Verify(ctx, &env); err != nil {
 				t.Fatal(err)
 			}
 		})
@@ -186,7 +186,7 @@ type verifier struct {
 	pub *ecdsa.PublicKey
 }
 
-func (v *verifier) Verify(data, sig []byte) error {
+func (v *verifier) Verify(_ context.Context, data, sig []byte) error {
 	h := sha256.Sum256(data)
 	if ecdsa.VerifyASN1(v.pub, h[:], sig) {
 		return nil

diff --git a/vendor/bitbucket.org/creachadair/shell/LICENSE b/vendor/bitbucket.org/creachadair/shell/LICENSE
diff --git a/vendor/bitbucket.org/creachadair/shell/README.md b/vendor/bitbucket.org/creachadair/shell/README.md
diff --git a/vendor/bitbucket.org/creachadair/shell/bitbucket-pipelines.yml b/vendor/bitbucket.org/creachadair/shell/bitbucket-pipelines.yml