diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index 9edb85dc31..35e8afe88d 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -171,7 +171,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
 }
 
- verified, bundleVerified, err := cosign.Verify(ctx, ref, co)
+ verified, bundleVerified, err := cosign.VerifySignatures(ctx, ref, co)
 if err != nil {
 return err
 }
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index 41dfa2c2bb..aacb42f4a9 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
@@ -28,7 +28,6 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/pkg/cosign"
 "github.com/sigstore/cosign/pkg/cosign/pivkey"
- ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 sigs "github.com/sigstore/cosign/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature/dsse"
@@ -123,7 +122,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err error) {
 }
 
 co := &cosign.CheckOpts{
- RegistryClientOpts: append(c.ClientOpts(ctx), ociremote.WithSignatureSuffix(cosign.AttestationTagSuffix)),
+ RegistryClientOpts: c.ClientOpts(ctx),
 }
 if c.CheckClaims {
 co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
@@ -163,9 +162,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err error) {
 return err
 }
 
- // TODO(mattmoor): Add some sort of configuration to have this
- // use Attestations() in place of Signatures().
- verified, bundleVerified, err := cosign.Verify(ctx, ref, co)
+ verified, bundleVerified, err := cosign.VerifyAttestations(ctx, ref, co)
 if err != nil {
 return err
 }
diff --git a/copasetic/main.go b/copasetic/main.go
index b91ca8f40d..79c7691edf 100644
--- a/copasetic/main.go
+++ b/copasetic/main.go
@@ -193,7 +193,7 @@ func main() {
 RegistryClientOpts: regOpts.ClientOpts(bctx.Context),
 RekorURL: *rekorURL,
 }
- sps, _, err := cosign.Verify(bctx.Context, ref, co)
+ sps, _, err := cosign.VerifySignatures(bctx.Context, ref, co)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/cosign/kubernetes/webhook/validation.go b/pkg/cosign/kubernetes/webhook/validation.go
index d508b7a68a..7419f06006 100644
--- a/pkg/cosign/kubernetes/webhook/validation.go
+++ b/pkg/cosign/kubernetes/webhook/validation.go
@@ -60,7 +60,7 @@ func validSignatures(ctx context.Context, img string, key *ecdsa.PublicKey) ([]o
 return nil, err
 }
 
- sigs, _, err := cosign.Verify(ctx, ref, &cosign.CheckOpts{
+ sigs, _, err := cosign.VerifySignatures(ctx, ref, &cosign.CheckOpts{
 RootCerts: fulcioroots.Get(),
 SigVerifier: ecdsaVerifier,
 ClaimVerifier: cosign.SimpleClaimVerifier,
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index b20b7daed0..2aa18ddb0e 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -65,9 +65,29 @@ type CheckOpts struct {
 CertEmail string
 }
 
-// Verify does all the main cosign checks in a loop, returning validated payloads.
-// If there were no payloads, we return an error.
-func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+// VerifySignatures does all the main cosign checks in a loop, returning the verified signatures.
+// If there were no valid signatures, we return an error.
+func VerifySignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+ return Verify(ctx, signedImgRef, SignaturesAccessor, co)
+}
+
+// VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations.
+// If there were no valid attestations, we return an error.
+func VerifyAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
+ return Verify(ctx, signedImgRef, AttestationsAccessor, co)
+}
+
+// Accessor is used by Verify to extract the signatures to be verified.
+type Accessor func(oci.SignedEntity) (oci.Signatures, error)
+
+var (
+ AttestationsAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Attestations() }
+ SignaturesAccessor Accessor = func(se oci.SignedEntity) (oci.Signatures, error) { return se.Signatures() }
+)
+
+// Verify does all the main cosign checks in a loop, returning the verified signatures.
+// If there were no valid signatures, we return an error.
+func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
 // Enforce this up front.
 if co.RootCerts == nil && co.SigVerifier == nil {
 return nil, false, errors.New("one of verifier or root certs is required")
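Review bot: The new `Verify` takes an `accessor` but never validates it, so a nil value panics later at `accessor(se)` instead of failing the way a missing verifier does; extend the up-front guard with `if accessor == nil { return nil, false, errors.New("an accessor is required") }` beside the existing RootCerts/SigVerifier check. The doc comment on `Verify` still says it returns "the verified signatures", which is only accurate for `SignaturesAccessor`; say instead that it returns whatever the accessor yields (image signatures or attestations) once every check has passed, so readers do not assume the attestation path is a plain-signature path. Adding a parameter to the exported `Verify` is a breaking change for any out-of-tree importer — the in-tree callers are migrated here, but presumably external users exist, so a note in the doc comment pointing them to `VerifySignatures`/`VerifyAttestations` is worth adding (confirm against the module's compatibility policy). The body of `Verify` continues past the end of this hunk.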
@@ -95,7 +115,7 @@ func Verify(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (ch
 
 // TODO(mattmoor): We could implement recursive verification if we just wrapped
 // most of the logic below here in a call to mutate.Map
- sigs, err := se.Signatures()
+ sigs, err := accessor(se)
 if err != nil {
 return nil, false, err
 }
diff --git a/pkg/sget/sget.go b/pkg/sget/sget.go
index 7facb7a6ab..33bb04265a 100644
--- a/pkg/sget/sget.go
+++ b/pkg/sget/sget.go
@@ -85,7 +85,7 @@ func (sg *SecureGet) Do(ctx context.Context) error {
 if co.SigVerifier != nil || options.EnableExperimental() {
 co.RootCerts = fulcio.GetRoots()
 
- sp, bundleVerified, err := cosign.Verify(ctx, ref, co)
+ sp, bundleVerified, err := cosign.VerifySignatures(ctx, ref, co)
 if err != nil {
 return err
 }