sigstore · asraa · Jun 10, 2021 · Jun 10, 2021
@@ -37,7 +37,7 @@ func loadKey(keyPath string, pf cosign.PassFunc) (signature.ECDSASignerVerifier,
 	return cosign.LoadECDSAPrivateKey(kb, pass)
 }
 
-func signerFromKeyRef(ctx context.Context, keyRef string, pf cosign.PassFunc) (signature.Signer, error) {
+func SignerFromKeyRef(ctx context.Context, keyRef string, pf cosign.PassFunc) (signature.Signer, error) {
 	return signerVerifierFromKeyRef(ctx, keyRef, pf)
 }
 

@@ -81,7 +81,7 @@ func TestSignerFromPrivateKeyFileRef(t *testing.T) {
 		t.Run(tc.desc, func(t *testing.T) {
 			testFile, _ := generateKeyFile(t, tmpDir, tc.writePw)
 
-			signer, err := signerFromKeyRef(ctx, testFile, tc.readPw)
+			signer, err := SignerFromKeyRef(ctx, testFile, tc.readPw)
 			if err != nil {
 				if tc.expectErr {
 					// Task failed successfully

@@ -98,7 +98,7 @@ func GetPublicKey(ctx context.Context, opts Pkopts, writer NamedWriter, pf cosig
 	var k signature.PublicKeyProvider
 	switch {
 	case opts.KeyRef != "":
-		s, err := signerFromKeyRef(ctx, opts.KeyRef, pf)
+		s, err := SignerFromKeyRef(ctx, opts.KeyRef, pf)
 		if err != nil {
 			return err
 		}

@@ -104,7 +104,7 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, payloadPath string, b64 bool,
 	var signer signature.Signer
 	switch {
 	case ko.KeyRef != "":
-		k, err := signerFromKeyRef(ctx, ko.KeyRef, pf)
+		k, err := SignerFromKeyRef(ctx, ko.KeyRef, pf)
 		if err != nil {
 			return nil, errors.Wrap(err, "loading key")
 		}

@@ -0,0 +1,126 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/sigstore/cosign/cmd/cosign/cli"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+// Init-repo flags:
+// --add-<role>-key: path to the public key to add from role
+// --<role>-threshold: set a signing threshold for a role (requires root re-signing)
+// --root-key: root key reference (private key, kms, sk) used to sign the role metadata
+
+// Path to public key file, URL, KMS URI
+type keysFlag []string
+
+func (f *keysFlag) Set(value string) error {
+	if _, err := os.Stat(filepath.Clean(value)); os.IsNotExist(err) {
+		return err
+	}
+	*f = append(*f, value)
+	return nil
+}
+
+func (f *keysFlag) String() string {
+	return strings.Join(*f, ",")
+}
+
+func InitRepo() *ffcli.Command {
+	var (
+		flagset          = flag.NewFlagSet("cosign tuf init-repo", flag.ExitOnError)
+		rootThreshold    = flagset.Int("root-threshold", 0, "root key threshold")
+		addRootKeys      = keysFlag{}
+		addTargetsKeys   = keysFlag{}
+		addTimestampKeys = keysFlag{}
+		signRoot         = keysFlag{}
+	)
+
+	// Specify public keys
+	flagset.Var(&addRootKeys, "add-root-key", "path to a root public key to add")
+	flagset.Var(&addTargetsKeys, "add-targets-key", "path to a targets (and snapshot) public key to add. if not provided, a key will be generated")
+	flagset.Var(&addTimestampKeys, "add-timestamp-key", "path to a timestamp public key to add. if not provided, a key will be generated")
+
+	// Specify private keys that may sign metadata (key must be added first)
+	flagset.Var(&signRoot, "sign-root", "key reference to a private key used to sign the root metadata")
+
+	return &ffcli.Command{
+		Name:       "init-repo",
+		ShortUsage: "cosign tuf init-repo <repo>",
+		ShortHelp:  "init-repo initializes TUF in a repository",
+		FlagSet:    flagset,
+		Exec: func(ctx context.Context, args []string) error {
+			signers, err := getSigners(ctx, signRoot)
+			if err != nil {
+				return err
+			}
+
+			var repoOpts = tuf.RepoOpts{
+				Keys: map[string][]string{
+					"root.json":      addRootKeys,
+					"targets.json":   addTargetsKeys,
+					"snapshot.json":  addTargetsKeys,
+					"timestamp.json": addTimestampKeys},
+				Thresholds: map[string]int{"root.json": *rootThreshold},
+				Signers:    map[string][]signature.Signer{"root.json": signers},
+			}
+			return InitRepoCmd(ctx, args[0], repoOpts)
+		},
+	}
+}
+
+func getSigners(ctx context.Context, keyRefs []string) ([]signature.Signer, error) {
+	var signers []signature.Signer
+	for _, key := range keyRefs {
+		fmt.Printf("Getting signer for %s... \n", key)
+		k, err := cli.SignerFromKeyRef(ctx, key, cli.GetPass)
+		if err != nil {
+			return nil, err
+		}
+		signers = append(signers, k)
+	}
+	return signers, nil
+}
+
+func InitRepoCmd(ctx context.Context, repo string, opts tuf.RepoOpts) error {
+	// Initialize a new TUF repository with an in-memory store.
+	store, err := tuf.NewStore()
+	if err != nil {
+		return err
+	}
+
+	verified, err := tuf.UpdateRepo(ctx, store, opts, false)
+	if err != nil {
+		return err
+	}
+
+	// Maybe upload finalized meta if complete, otherwise write staged JSON.
+	if err := tuf.UploadStoreToRegistry(*store, repo, verified); err != nil {
+		return err
+	}
+
+	// TODO: Print root keys to distribute
+	return nil
+}
@@ -0,0 +1,75 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"context"
+	"flag"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+// Sign and snapshot new targets.
+// cosign tuf sign-and-snapshot [OPTIONS] <REPO>
+
+// --remove: Removes the specified image(s) from targets (TODO)
+// --target: Specify a target image
+// --sign-targets: key reference to target key for re-signing
+
+type targetsFlag []string
+
+func (f *targetsFlag) Set(value string) error {
+	*f = append(*f, value)
+	return nil
+}
+
+func (f *targetsFlag) String() string {
+	return strings.Join(*f, ",")
+}
+
+func SignAndSnapshot() *ffcli.Command {
+	var (
+		flagset     = flag.NewFlagSet("cosign tuf sign-and-snapshot", flag.ExitOnError)
+		signTargets = keysFlag{}
+		targets     = targetsFlag{}
+	)
+
+	// Specify private keys that may sign if initializing from the same device (key must be added first)
+	flagset.Var(&signTargets, "sign-targets", "key reference to a private key used to sign the targets (and snapshot) metadata")
+	flagset.Var(&targets, "target", "reference to container image to sign and snapshot")
+
+	return &ffcli.Command{
+		Name:       "sign-and-snapshot",
+		ShortUsage: "cosign tuf sign-and-snapshot <repo>",
+		ShortHelp:  "sign-and-snapshot configures and snapshots new targets",
+		FlagSet:    flagset,
+		Exec: func(ctx context.Context, args []string) error {
+			signers, err := getSigners(ctx, signTargets)
+			if err != nil {
+				return err
+			}
+
+			var repoOpts = tuf.RepoOpts{
+				Signers: map[string][]signature.Signer{"targets.json": signers, "snapshot.json": signers},
+				Targets: targets,
+			}
+			// TODO: Maybe infer the repo from the targets?
+			return UpdateCmd(ctx, args[0], repoOpts)
+		},
+	}
+}
@@ -0,0 +1,58 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"context"
+	"flag"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+// Timestamp the metadata. Metadata must otherwise be complete
+// cosign tuf timestamp [OPTIONS] <REPO>
+
+// --sign-timestamp: key reference to timestamp key for re-signing
+
+func Timestamp() *ffcli.Command {
+	var (
+		flagset       = flag.NewFlagSet("cosign tuf timestamp", flag.ExitOnError)
+		signTimestamp = keysFlag{}
+	)
+
+	// Specify private keys that may sign if initializing from the same device (key must be added first)
+	flagset.Var(&signTimestamp, "sign-timestamp", "key reference to a private key used to sign the targets (and snapshot) metadata")
+
+	return &ffcli.Command{
+		Name:       "timestamp",
+		ShortUsage: "cosign tuf timestamp <repo>",
+		ShortHelp:  "timestamp resigns the timestamp",
+		FlagSet:    flagset,
+		Exec: func(ctx context.Context, args []string) error {
+			signers, err := getSigners(ctx, signTimestamp)
+			if err != nil {
+				return err
+			}
+
+			var repoOpts = tuf.RepoOpts{
+				Signers: map[string][]signature.Signer{"timestamp.json": signers},
+			}
+			// TODO: Maybe infer the repo from the targets?
+			return UpdateCmd(ctx, args[0], repoOpts)
+		},
+	}
+}
@@ -0,0 +1,40 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tuf
+
+import (
+	"context"
+	"flag"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+func Tuf() *ffcli.Command {
+	var (
+		flagset = flag.NewFlagSet("cosign tuf", flag.ExitOnError)
+		// force   = flagset.Bool("f", false, "skip warnings and confirmations")
+	)
+
+	return &ffcli.Command{
+		Name:        "tuf",
+		ShortUsage:  "cosign tuf",
+		ShortHelp:   "tuf contains commands to manage a TUF repository",
+		FlagSet:     flagset,
+		Subcommands: []*ffcli.Command{InitRepo(), Update(), SignAndSnapshot(), Timestamp(), Verify()},
+		Exec: func(ctx context.Context, args []string) error {
+			return flag.ErrHelp
+		},
+	}
+}