read tsa bundle from signatures

Signed-off-by: Hector Fernandez <hector@chainguard.dev>
sigstore · Nov 15, 2022 · c5d7f72 · c5d7f72
1 parent f46701b
commit c5d7f72
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 1 deletion.
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -235,7 +235,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 		s = ifulcio.NewSigner(s, sv.Cert, sv.Chain)
 	}
 
-	// TODO: For the moment you can only use the timestamped service OR the transparency log
+	// TODO: For the moment you can only use the timestamped service OR the transparency log.
 	if ko.TSAServerURL != "" {
 		clientTSA, err := tsaclient.GetTimestampClient(ko.TSAServerURL)
 		if err != nil {

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -43,6 +43,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
+	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
 )
 
 // VerifyCommand verifies a signature on a supplied container image
@@ -121,6 +122,19 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
 	}
 
+	if c.TSAServerURL != "" {
+		co.TSAClient, err = tsaclient.GetTimestampClient(c.TSAServerURL)
+		if err != nil {
+			return fmt.Errorf("failed to create TSA client: %w", err)
+		}
+		if c.TSACertChainPath != "" {
+			_, err := os.Stat(c.TSACertChainPath)
+			if err != nil {
+				return fmt.Errorf("unable to open timestamp certificate chain file: %w", err)
+			}
+		}
+	}
+
 	if keylessVerification(c.KeyRef, c.Sk) {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)

diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go
@@ -35,6 +35,7 @@ type SignedPayload struct {
 	Cert            *x509.Certificate
 	Chain           []*x509.Certificate
 	Bundle          *bundle.RekorBundle
+	TSABundle       *bundle.TSABundle
 }
 
 type LocalSignedPayload struct {
@@ -101,6 +102,12 @@ func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts .
 			if err != nil {
 				return err
 			}
+
+			signatures[i].TSABundle, err = sig.TSABundle()
+			if err != nil {
+				return err
+			}
+
 			signatures[i].Bundle, err = sig.Bundle()
 			return err
 		})

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -67,6 +67,9 @@ import (
 	"github.com/sigstore/cosign/pkg/sget"
 	sigs "github.com/sigstore/cosign/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
+	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
+	"github.com/sigstore/timestamp-authority/pkg/server"
+	"github.com/spf13/viper"
 )
 
 const (