Merge branch 'main' of github.com:sigstore/cosign into flags

Signed-off-by: kpk47 <kkris@google.com>
sigstore · Nov 7, 2022 · 12cae1c · 12cae1c
2 parents 8cc212f + 1c04ce6
commit 12cae1c
Show file tree

Hide file tree

Showing 17 changed files with 307 additions and 84 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -71,7 +71,7 @@ jobs:
         env:
           # See #2091 for the issue describing this temp workaround.
           GODEBUG: x509sha1=1
-        run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
+        run: go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
       - name: Upload Coverage Report
         uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         with:
@@ -81,7 +81,7 @@ jobs:
           # See #2091 for the issue describing this temp workaround.
           GODEBUG: x509sha1=1
         if: ${{ runner.os == 'Linux' }}
-        run: go test -race $(go list ./... | grep -v third_party/)
+        run: go test -tags=sct -race $(go list ./... | grep -v third_party/)
 
   e2e-tests:
     name: Run e2e tests

diff --git a/cmd/cosign/cli/dockerfile.go b/cmd/cosign/cli/dockerfile.go
@@ -98,7 +98,8 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 					CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 					CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
 					CertChain:                    o.CertVerify.CertChain,
-					EnforceSCT:                   o.CertVerify.EnforceSCT,
+					IgnoreSCT:                    o.CertVerify.IgnoreSCT,
+					SCTRef:                       o.CertVerify.SCT,
 					Sk:                           o.SecurityKey.Use,
 					Slot:                         o.SecurityKey.Slot,
 					Output:                       o.Output,

diff --git a/cmd/cosign/cli/manifest.go b/cmd/cosign/cli/manifest.go
@@ -93,7 +93,8 @@ against the transparency log.`,
 					CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 					CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
 					CertChain:                    o.CertVerify.CertChain,
-					EnforceSCT:                   o.CertVerify.EnforceSCT,
+					IgnoreSCT:                    o.CertVerify.IgnoreSCT,
+					SCTRef:                       o.CertVerify.SCT,
 					Sk:                           o.SecurityKey.Use,
 					Slot:                         o.SecurityKey.Slot,
 					Output:                       o.Output,

diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -29,7 +29,8 @@ type CertVerifyOptions struct {
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
 	CertChain                    string
-	EnforceSCT                   bool
+	SCT                          string
+	IgnoreSCT                    bool
 }
 
 var _ Interface = (*RekorOptions)(nil)
@@ -70,7 +71,10 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 			"signing certificate and end with the root certificate")
 	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
 
-	cmd.Flags().BoolVar(&o.EnforceSCT, "enforce-sct", false,
-		"whether to enforce that a certificate contain an embedded SCT, a proof of "+
+	cmd.Flags().StringVar(&o.SCT, "sct", "",
+		"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+
+			"If a certificate contains an SCT, verification will check both the detached and embedded SCTs.")
+	cmd.Flags().BoolVar(&o.IgnoreSCT, "insecure-ignore-sct", false,
+		"when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 			"inclusion in a certificate transparency log")
 }
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -105,7 +105,8 @@ against the transparency log.`,
 				CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 				CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
 				CertChain:                    o.CertVerify.CertChain,
-				EnforceSCT:                   o.CertVerify.EnforceSCT,
+				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
+				SCTRef:                       o.CertVerify.SCT,
 				Sk:                           o.SecurityKey.Use,
 				Slot:                         o.SecurityKey.Slot,
 				Output:                       o.Output,
@@ -193,7 +194,8 @@ against the transparency log.`,
 				CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,
 				CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 				CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
-				EnforceSCT:                   o.CertVerify.EnforceSCT,
+				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
+				SCTRef:                       o.CertVerify.SCT,
 				KeyRef:                       o.Key,
 				Sk:                           o.SecurityKey.Use,
 				Slot:                         o.SecurityKey.Slot,
@@ -283,7 +285,8 @@ The blob may be specified as a path to a file or - for stdin.`,
 				CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,
 				CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 				CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
-				EnforceSCT:                   o.CertVerify.EnforceSCT,
+				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
+				SCTRef:                       o.CertVerify.SCT,
 			}
 			if err := verifyBlobCmd.Exec(cmd.Context(), args[0]); err != nil {
 				return fmt.Errorf("verifying blob %s: %w", args, err)

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -26,6 +26,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/google/go-containerregistry/pkg/name"
 
@@ -60,7 +61,8 @@ type VerifyCommand struct {
 	CertGithubWorkflowRef        string
 	CertChain                    string
 	CertOidcProvider             string
-	EnforceSCT                   bool
+	IgnoreSCT                    bool
+	SCTRef                       string
 	Sk                           bool
 	Slot                         string
 	Output                       string
@@ -108,7 +110,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
-		EnforceSCT:                   c.EnforceSCT,
+		IgnoreSCT:                    c.IgnoreSCT,
 		SignatureRef:                 c.SignatureRef,
 		Identities:                   []cosign.Identity{{Issuer: c.CertOidcIssuer, Subject: c.CertIdentity}},
 	}
@@ -188,6 +190,13 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 				return err
 			}
 		}
+		if c.SCTRef != "" {
+			sct, err := os.ReadFile(filepath.Clean(c.SCTRef))
+			if err != nil {
+				return fmt.Errorf("reading sct from file: %w", err)
+			}
+			co.SCT = sct
+		}
 	}
 	co.SigVerifier = pubKey
 

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -53,7 +53,8 @@ type VerifyAttestationCommand struct {
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
 	CertChain                    string
-	EnforceSCT                   bool
+	IgnoreSCT                    bool
+	SCTRef                       string
 	Sk                           bool
 	Slot                         string
 	Output                       string
@@ -90,7 +91,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
-		EnforceSCT:                   c.EnforceSCT,
+		IgnoreSCT:                    c.IgnoreSCT,
 		Identities:                   []cosign.Identity{{Issuer: c.CertOidcIssuer, Subject: c.CertIdentity}},
 	}
 	if c.CheckClaims {
@@ -166,6 +167,13 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				return fmt.Errorf("creating certificate verifier: %w", err)
 			}
 		}
+		if c.SCTRef != "" {
+			sct, err := os.ReadFile(filepath.Clean(c.SCTRef))
+			if err != nil {
+				return fmt.Errorf("reading sct from file: %w", err)
+			}
+			co.SCT = sct
+		}
 	}
 
 	// NB: There are only 2 kinds of verification right now:

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -28,6 +28,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -78,7 +79,8 @@ type VerifyBlobCmd struct {
 	CertGithubWorkflowName       string
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
-	EnforceSCT                   bool
+	IgnoreSCT                    bool
+	SCTRef                       string
 }
 
 // nolint
@@ -110,7 +112,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
-		EnforceSCT:                   c.EnforceSCT,
+		IgnoreSCT:                    c.IgnoreSCT,
 		Identities:                   []cosign.Identity{{Issuer: c.CertOIDCIssuer, Subject: c.CertIdentity}},
 	}
 	if options.EnableExperimental() {
@@ -184,6 +186,13 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 				return fmt.Errorf("verifying certRef with certChain: %w", err)
 			}
 		}
+		if c.SCTRef != "" {
+			sct, err := os.ReadFile(filepath.Clean(c.SCTRef))
+			if err != nil {
+				return fmt.Errorf("reading sct from file: %w", err)
+			}
+			co.SCT = sct
+		}
 	case c.BundlePath != "":
 		b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath)
 		if err != nil {

diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -545,6 +545,7 @@ func TestVerifyBlob(t *testing.T) {
 			co := &cosign.CheckOpts{
 				SigVerifier: tt.sigVerifier,
 				RootCerts:   rootPool,
+				IgnoreSCT:   true,
 				Identities:  []cosign.Identity{{Issuer: issuer, Subject: identity}},
 			}
 			// if expermental is enabled, add RekorClient to co.
@@ -722,7 +723,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
 			CertIdentity:   identity,
 			CertOIDCIssuer: issuer,
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		if err := cmd.Exec(context.Background(), blobPath); err != nil {
 			t.Fatal(err)
@@ -757,8 +758,8 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 
 		// Verify command
 		cmd := VerifyBlobCmd{
-			KeyOpts:    options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT: false,
+			KeyOpts:   options.KeyOpts{BundlePath: bundlePath},
+			IgnoreSCT: true,
 		}
 		if err := cmd.Exec(context.Background(), blobPath); err == nil {
 			t.Fatal("expecting err due to mismatched signatures, got nil")
@@ -787,8 +788,8 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 
 		// Verify command
 		cmd := VerifyBlobCmd{
-			KeyOpts:    options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT: false,
+			KeyOpts:   options.KeyOpts{BundlePath: bundlePath},
+			IgnoreSCT: true,
 		}
 
 		if err := cmd.Exec(context.Background(), blobPath); err == nil {
@@ -824,7 +825,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		if err := cmd.Exec(context.Background(), blobPath); err != nil {
 			t.Fatal(err)
@@ -859,7 +860,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "unable to verify SET") {
@@ -895,7 +896,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertIdentity:   "invalid@example.com",
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "none of the expected identities matched what was in the certificate") {
@@ -931,7 +932,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "none of the expected identities matched what was in the certificate") {
@@ -968,7 +969,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err != nil {
@@ -1003,7 +1004,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      os.Getenv("SIGSTORE_ROOT_FILE"),
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err != nil {
@@ -1049,7 +1050,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			CertChain:      tmpChainFile.Name(),
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "verifying certificate from bundle with chain: x509: certificate signed by unknown authority") {
@@ -1092,7 +1093,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "certificate signed by unknown authority") {
@@ -1128,7 +1129,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT:     false,
+			IgnoreSCT:      true,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "certificate signed by unknown authority") {

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md