
Replace --rekor-url with --ignore-tlog
Similar to `--ignore-sct`

Signed-off-by: Zach Steindler <[email protected]>
steiza committed Sep 12, 2024
1 parent 06284e2 commit b3262d7
Showing 4 changed files with 22 additions and 40 deletions.
9 changes: 5 additions & 4 deletions cmd/cosign/cli/options/trustedroot.go
Expand Up @@ -24,8 +24,8 @@ type TrustedRootCreateOptions struct {
CARoots string
CertChain string
IgnoreSCT bool
IgnoreTlog bool
Out string
RekorURL string
TSACertChainPath string
}

Expand Down Expand Up @@ -58,12 +58,13 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
"when set, do not include key for verifying certificate transparency "+
"log. Set this if you signed with a key instead of using Fulcio.")

cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
"when set, do not include key for verifying transparency. Set this if "+
"you did not sign with Rekor.")

cmd.Flags().StringVar(&o.Out, "out", "",
"path to output trusted root")

cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "",
"address of rekor STL server")

cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-certificate-chain", "",
"path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+
"Optionally may contain intermediate CA certificates")
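Review bot: Dropping the `--rekor-url` registration outright means any existing invocation that still passes it now fails with an unknown-flag error rather than a hint; if a hard break is not the intent, keep the `StringVar` registered (its value is no longer read) and mark it with `cmd.Flags().MarkDeprecated("rekor-url", "use --ignore-tlog instead")`. The new help text for `--ignore-tlog` also loses the word "log" compared with the `--ignore-sct` text just above it; `"when set, do not include key for verifying transparency log. Set this if "+"you did not sign with Rekor."` reads consistently with its sibling. AddFlags continues outside the hunk.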
2 changes: 1 addition & 1 deletion cmd/cosign/cli/trustedroot.go
Expand Up @@ -49,8 +49,8 @@ func trustedRootCreate() *cobra.Command {
CARoots: o.CARoots,
CertChain: o.CertChain,
IgnoreSCT: o.IgnoreSCT,
IgnoreTlog: o.IgnoreTlog,
Out: o.Out,
RekorURL: o.RekorURL,
TSACertChainPath: o.TSACertChainPath,
}

49 changes: 15 additions & 34 deletions cmd/cosign/cli/trustedroot/trustedroot.go
Expand Up @@ -18,18 +18,14 @@ package trustedroot
import (
"context"
"crypto"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
"os"

"github.com/sigstore/sigstore-go/pkg/root"

"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/v2/pkg/cosign"
)

Expand All @@ -38,8 +34,8 @@ type CreateCmd struct {
CARoots string
CertChain string
IgnoreSCT bool
IgnoreTlog bool
Out string
RekorURL string
TSACertChainPath string
}

Expand Down Expand Up @@ -96,47 +92,32 @@ func (c *CreateCmd) Exec(ctx context.Context) error {
return err
}
ctLogs[id] = &root.TransparencyLog{
ID: idBytes,
HashFunc: crypto.SHA256,
ID: idBytes,
PublicKey: key.PubKey,
SignatureHashFunc: crypto.SHA256,
}
}
}

if c.RekorURL != "" {
rekorClient, err := rekor.NewClient(c.RekorURL)
if err != nil {
return fmt.Errorf("creating Rekor client: %w", err)
}

rekorPubKey, err := rekorClient.Pubkey.GetPublicKey(nil)
if err != nil {
return err
}

block, _ := pem.Decode([]byte(rekorPubKey.Payload))
if block == nil {
return errors.New("failed to decode public key of server")
}

pub, err := x509.ParsePKIXPublicKey(block.Bytes)
if !c.IgnoreTlog {
tlogPubKeys, err := cosign.GetRekorPubs(ctx)
if err != nil {
return err
}

keyHash := sha256.Sum256(block.Bytes)
keyID := base64.StdEncoding.EncodeToString(keyHash[:])

rekorTransparencyLog := root.TransparencyLog{
BaseURL: c.RekorURL,
HashFunc: crypto.SHA256,
ID: keyHash[:],
PublicKey: pub,
SignatureHashFunc: crypto.SHA256,
for id, key := range tlogPubKeys.Keys {
idBytes, err := hex.DecodeString(id)
if err != nil {
return err
}
rekorTransparencyLogs[id] = &root.TransparencyLog{
HashFunc: crypto.SHA256,
ID: idBytes,
PublicKey: key.PubKey,
SignatureHashFunc: crypto.SHA256,
}
}

rekorTransparencyLogs[keyID] = &rekorTransparencyLog
}

if c.TSACertChainPath != "" {
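Review bot: The `root.TransparencyLog` entries built at the `rekorTransparencyLogs[id]` assignment no longer set `BaseURL`, which the removed code filled from `c.RekorURL`, so the generated trusted root presumably carries an empty URL for each Rekor log and any consumer that relies on it for online lookups would see an empty string. If a key-only entry is the intent, a comment on the loop such as `// BaseURL is left empty on purpose: the trusted root only carries verification keys` would stop the next reader from treating it as an omission; if not, the key source would need to return the URL alongside each key. Where the keys now come from is decided inside `cosign.GetRekorPubs`, which is not visible here, so it is worth confirming that the removed ability to point at a self-hosted Rekor is still covered by that path. The ctLogs loop just above is structurally identical to the new one and could share a small helper that turns a key map into `map[string]*root.TransparencyLog`. Exec starts and ends outside the hunk.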
2 changes: 1 addition & 1 deletion doc/cosign_trusted-root_create.md


