From b9831ca1c98e24d9dd09774d181abbb4a135a140 Mon Sep 17 00:00:00 2001 From: Bob Callaway Date: Tue, 15 Aug 2023 07:43:30 -0400 Subject: [PATCH] switch to uploading DSSE types to rekor instead of intoto (#3113) * switch to uploading DSSE types to rekor instead of intoto Signed-off-by: Bob Callaway * bump scaffolding version for e2e test Signed-off-by: Bob Callaway --------- Signed-off-by: Bob Callaway --- cmd/cosign/cli/attest/attest.go | 2 +- cmd/cosign/cli/attest/attest_blob.go | 2 +- pkg/cosign/tlog.go | 14 +++++++++----- pkg/cosign/tlog_test.go | 1 + pkg/cosign/verify_test.go | 4 ++-- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 7645bec4d48..82c17677137 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -197,7 +197,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { } if shouldUpload { bundle, err := uploadToTlog(ctx, sv, c.RekorURL, func(r *client.Rekor, b []byte) (*models.LogEntryAnon, error) { - return cosign.TLogUploadInTotoAttestation(ctx, r, signedPayload, b) + return cosign.TLogUploadDSSEEnvelope(ctx, r, signedPayload, b) }) if err != nil { return err diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index a023308004f..8b28a655703 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -182,7 +182,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error if err != nil { return err } - entry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, sig, rekorBytes) + entry, err := cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, sig, rekorBytes) if err != nil { return err } diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go index 87579dacf6f..827311993c2 100644 --- a/pkg/cosign/tlog.go +++ b/pkg/cosign/tlog.go 
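Review bot: The `+` line changes the kind of Rekor entry written for every attestation, but nothing in the hunk documents the compatibility consequences: the target Rekor instance has to accept the `dsse` entry type, and verifiers that only search for intoto entries will presumably no longer find attestations uploaded by this build (the scaffolding bump mentioned in the commit message looks like it covers the first point for e2e only). Users running a self-hosted or pinned Rekor get no hint of either from the code. I would add a comment above the upload closure: `// Attestations are recorded as Rekor "dsse" entries; FindTlogEntry searches for both dsse and intoto entries so older uploads remain verifiable.` Exec's body continues outside the hunk.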
@@ -370,7 +370,7 @@ func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, entryUUID stri return nil, errors.New("empty response") } -func proposedEntry(b64Sig string, payload, pubKey []byte) ([]models.ProposedEntry, error) { +func proposedEntries(b64Sig string, payload, pubKey []byte) ([]models.ProposedEntry, error) { var proposedEntry []models.ProposedEntry signature, err := base64.StdEncoding.DecodeString(b64Sig) if err != nil { @@ -380,11 +380,15 @@ func proposedEntry(b64Sig string, payload, pubKey []byte) ([]models.ProposedEntr // The fact that there's no signature (or empty rather), implies // that this is an Attestation that we're verifying. if len(signature) == 0 { - e, err := intotoEntry(context.Background(), payload, pubKey) + intotoEntry, err := intotoEntry(context.Background(), payload, pubKey) if err != nil { return nil, err } - proposedEntry = []models.ProposedEntry{e} + dsseEntry, err := dsseEntry(context.Background(), payload, pubKey) + if err != nil { + return nil, err + } + proposedEntry = []models.ProposedEntry{dsseEntry, intotoEntry} } else { sha256CheckSum := sha256.New() if _, err := sha256CheckSum.Write(payload); err != nil { @@ -404,12 +408,12 @@ func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) ([]models.LogEntryAnon, error) { searchParams := entries.NewSearchLogQueryParamsWithContext(ctx) searchLogQuery := models.SearchLogQuery{} - proposedEntry, err := proposedEntry(b64Sig, payload, pubKey) + proposedEntries, err := proposedEntries(b64Sig, payload, pubKey) if err != nil { return nil, err } - searchLogQuery.SetEntries(proposedEntry) + searchLogQuery.SetEntries(proposedEntries) searchParams.SetEntry(&searchLogQuery) resp, err := rekorClient.Entries.SearchLogQuery(searchParams) diff --git a/pkg/cosign/tlog_test.go b/pkg/cosign/tlog_test.go index 1034aa1cc75..08a9d6bca54 100644 --- a/pkg/cosign/tlog_test.go +++ b/pkg/cosign/tlog_test.go 
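Review bot: Both new short declarations shadow the functions they call: after `intotoEntry, err := intotoEntry(...)` and `dsseEntry, err := dsseEntry(...)` the identifiers `intotoEntry` and `dsseEntry` name `models.ProposedEntry` values for the rest of the branch. That compiles, because the call on the right-hand side is resolved before the new variable's scope begins, but it reads as a function being assigned to itself and makes a second call to either helper in that scope impossible; the removed line avoided this with `e`. I would write `de, err := dsseEntry(context.Background(), payload, pubKey)` and `ie, err := intotoEntry(context.Background(), payload, pubKey)`, then `proposedEntry = []models.ProposedEntry{de, ie}`. Two smaller consistency points: the slice is still named `proposedEntry` although the function is now `proposedEntries` and this path fills it with two entries, and both helper calls pass `context.Background()` even though `FindTlogEntry` owns a `ctx` it could thread through `proposedEntries`. The `else` branch and the function's return lie outside the hunk.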
@@ -36,6 +36,7 @@ var ( ) func TestGetRekorPubKeys(t *testing.T) { + t.Setenv("TUF_ROOT", t.TempDir()) keys, err := GetRekorPubs(context.Background()) if err != nil { t.Fatalf("Unexpected error calling GetRekorPubs, expected nil: %v", err) diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go index 57fb224985c..bf08413b831 100644 --- a/pkg/cosign/verify_test.go +++ b/pkg/cosign/verify_test.go @@ -256,7 +256,7 @@ func TestVerifyImageSignatureWithNoChain(t *testing.T) { signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) // Create a fake bundle - pe, _ := proposedEntry(base64.StdEncoding.EncodeToString(signature), payload, pemLeaf) + pe, _ := proposedEntries(base64.StdEncoding.EncodeToString(signature), payload, pemLeaf) entry, _ := rtypes.UnmarshalEntry(pe[0]) leaf, _ := entry.Canonicalize(ctx) rekorBundle := CreateTestBundle(ctx, t, sv, leaf) @@ -299,7 +299,7 @@ func TestVerifyImageSignatureWithInvalidPublicKeyType(t *testing.T) { signature, _ := privKey.Sign(rand.Reader, h[:], crypto.SHA256) // Create a fake bundle - pe, _ := proposedEntry(base64.StdEncoding.EncodeToString(signature), payload, pemLeaf) + pe, _ := proposedEntries(base64.StdEncoding.EncodeToString(signature), payload, pemLeaf) entry, _ := rtypes.UnmarshalEntry(pe[0]) leaf, _ := entry.Canonicalize(ctx) rekorBundle := CreateTestBundle(ctx, t, sv, leaf)
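Review bot: Both renamed call sites still discard the error (`pe, _ := proposedEntries(...)`) and then index `pe[0]`, so a failed proposal surfaces as an index-out-of-range panic rather than a test failure, and the later `entry, _ :=` / `leaf, _ :=` lines hide the rest of the chain the same way. It is also worth a comment that these tests pass a non-empty signature, so the branch taken builds a single entry and `pe[0]` is well defined; the two-entry dsse/intoto slice is only built when the signature is empty. I would change the fake-bundle lines to `pe, err := proposedEntries(base64.StdEncoding.EncodeToString(signature), payload, pemLeaf)` followed by `if err != nil { t.Fatal(err) }` in both tests. The test functions start and end outside the hunks.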