Rework cosign.Verify to specify what's verified. (sigstore#782)

Previously, this was always `Signatures()`, but which sense of "signature" was nebulous (e.g. `.sig`, `.att`).

With this change, the interface here changes to take and accessor so folks explicitly specify which one they want, and I exposed `Verify{Signatures,Attestations}` methods with identical function signatures to what we exposed previously.

After this change, the only usage of `ociremote.WithSignatureSuffix` is some logic that deals with SBOMs, which it abusing things a bit, and the whole "attachment" thing is one of the next things I'm going to look at adding some abstraction for.

Related: sigstore#666
Signed-off-by: Matt Moore <mattomata@gmail.com>

cmd/cosign/cli/verify/verify.go

@@ -171,7 +171,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 			return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
 		}
 
-		verified, bundleVerified, err := cosign.Verify(ctx, ref, co)
+		verified, bundleVerified, err := cosign.VerifySignatures(ctx, ref, co)
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/verify/verify_attestation.go

@@ -28,7 +28,6 @@ import (
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	sigs "github.com/sigstore/cosign/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
@@ -123,7 +122,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 	}
 
 	co := &cosign.CheckOpts{
-		RegistryClientOpts: append(c.ClientOpts(ctx), ociremote.WithSignatureSuffix(cosign.AttestationTagSuffix)),
+		RegistryClientOpts: c.ClientOpts(ctx),
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
@@ -163,9 +162,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 			return err
 		}
 
-		// TODO(mattmoor): Add some sort of configuration to have this
-		// use Attestations() in place of Signatures().
-		verified, bundleVerified, err := cosign.Verify(ctx, ref, co)
+		verified, bundleVerified, err := cosign.VerifyAttestations(ctx, ref, co)
 		if err != nil {
 			return err
 		}

copasetic/main.go

@@ -193,7 +193,7 @@ func main() {
 				RegistryClientOpts: regOpts.ClientOpts(bctx.Context),
 				RekorURL:           *rekorURL,
 			}
-			sps, _, err := cosign.Verify(bctx.Context, ref, co)
+			sps, _, err := cosign.VerifySignatures(bctx.Context, ref, co)
 			if err != nil {
 				return nil, err
 			}

pkg/cosign/kubernetes/webhook/validation.go

@@ -60,7 +60,7 @@ func validSignatures(ctx context.Context, img string, key *ecdsa.PublicKey) ([]o
 		return nil, err
 	}
 
-	sigs, _, err := cosign.Verify(ctx, ref, &cosign.CheckOpts{
+	sigs, _, err := cosign.VerifySignatures(ctx, ref, &cosign.CheckOpts{
 		RootCerts:     fulcioroots.Get(),
 		SigVerifier:   ecdsaVerifier,
 		ClaimVerifier: cosign.SimpleClaimVerifier,

pkg/cosign/verify.go

@@ -65,9 +65,29 @@ type CheckOpts struct {
 	CertEmail string
 }
 
-// Verify does all the main cosign checks in a loop, returning validated payloads.
-// If there were no payloads, we return an error.
-func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+// VerifySignatures does all the main cosign checks in a loop, returning the verified signatures.
+// If there were no valid signatures, we return an error.
+func VerifySignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+	return Verify(ctx, signedImgRef, SignaturesAccessor, co)
+}
+
+// VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations.
+// If there were no valid attestations, we return an error.
+func VerifyAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+	return Verify(ctx, signedImgRef, AttestationsAccessor, co)
+}
+
+// Accessor is used by Verify to extract the signatures to be verified.
+type Accessor func(oci.SignedEntity) (oci.Signatures, error)
+
+var (
+	AttestationsAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Attestations() }
+	SignaturesAccessor   Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Signatures() }
+)
+
+// Verify does all the main cosign checks in a loop, returning the verified signatures.
+// If there were no valid signatures, we return an error.
+func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
 	// Enforce this up front.
 	if co.RootCerts == nil && co.SigVerifier == nil {
 		return nil, false, errors.New("one of verifier or root certs is required")
@@ -95,7 +115,7 @@ func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (ch
 	// TODO(mattmoor): We could implement recursive verification if we just wrapped
 	// most of the logic below here in a call to mutate.Map
 
-	sigs, err := se.Signatures()
+	sigs, err := accessor(se)
 	if err != nil {
 		return nil, false, err
 	}

pkg/sget/sget.go

@@ -85,7 +85,7 @@ func (sg *SecureGet) Do(ctx context.Context) error {
 	if co.SigVerifier != nil || options.EnableExperimental() {
 		co.RootCerts = fulcio.GetRoots()
 
-		sp, bundleVerified, err := cosign.Verify(ctx, ref, co)
+		sp, bundleVerified, err := cosign.VerifySignatures(ctx, ref, co)
 		if err != nil {
 			return err
 		}