Add cosign init to initialize the SigStore root metadata #520

Merged
merged 7 commits into from
Aug 9, 2021
verify TUF root
Signed-off-by: Asra Ali <asraa@google.com>
asraa committed Aug 3, 2021
commit eca41649deb35e6d40606bdb2ea2b497b5aa72c7
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -24,5 +24,8 @@
*.libfuzzer
*fuzz.a

# Root metadata
*.sigstore/root/

bin*
dist/
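Review bot: The pattern `*.sigstore/root/` covers the `.sigstore/root/` directory that the init help text names only because `*` is allowed to match the empty string, and it also ignores any `foo.sigstore/root/`; writing it as `.sigstore/root/` states the intent directly. Keeping `.sigstore/keys.json` tracked while ignoring the fetched root metadata is the right split, since the keys file is the trust anchor and the root directory is derived state.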
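--- a/.sigstore/keys.json
+++ b/.sigstore/keys.json
@@ -0,0 +1,57 @@
+[
+{
+"keytype": "ecdsa-sha2-nistp256",
+"scheme": "ecdsa-sha2-nistp256",
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keyval": {
+"public": "04cbc5cab2684160323c25cd06c3307178a6b1d1c9b949328453ae473c5ba7527e35b13f298b41633382241f3fd8526c262d43b45adee5c618fa0642c82b8a9803"
+}
+},
+{
+"keytype": "ecdsa-sha2-nistp256",
+"scheme": "ecdsa-sha2-nistp256",
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keyval": {
+"public": "04a71aacd835dc170ba6db3fa33a1a33dee751d4f8b0217b805b9bd3242921ee93672fdcfd840576c5bb0dc0ed815edf394c1ee48c2b5e02485e59bfc512f3adc7"
+}
+},
+{
+"keytype": "ecdsa-sha2-nistp256",
+"scheme": "ecdsa-sha2-nistp256",
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keyval": {
+"public": "04117b33dd265715bf23315e368faa499728db8d1f0a377070a1c7b1aba2cc21be6ab1628e42f2cdd7a35479f2dce07b303a8ba646c55569a8d2a504ba7e86e447"
+}
+},
+{
+"keytype": "ecdsa-sha2-nistp256",
+"scheme": "ecdsa-sha2-nistp256",
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keyval": {
+"public": "04cc1cd53a61c23e88cc54b488dfae168a257c34fac3e88811c55962b24cffbfecb724447999c54670e365883716302e49da57c79a33cd3e16f81fbc66f0bcdf48"
+}
+},
+{
+"keytype": "ecdsa-sha2-nistp256",
+"scheme": "ecdsa-sha2-nistp256",
+"keyid_hash_algorithms": [
+"sha256",
+"sha512"
+],
+"keyval": {
+"public": "048a78a44ac01099890d787e5e62afc29c8ccb69a70ec6549a6b04033b0a8acbfb42ab1ab9c713d225cdb52b858886cf46c8e90a7f3b9e6371882f370c259e1c5b"
+}
+}
+]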
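Review bot: Nothing in this commit records where these five ECDSA P-256 root public keys came from or how they were checked against the upstream root-signing ceremony, yet per the help text in cmd/cosign/cli/init.go this file is the initial trust anchor for `cosign init`, so a wrong or substituted key here would be accepted by every later TUF update. Add the provenance (the upstream source, the commit or ceremony output they were copied from, and who cross-checked them) to the PR description or a README beside the file, so a reviewer can reproduce the comparison. The entries also carry no key ID; if the TUF client derives IDs from the key material that is fine, but it is worth confirming the derived IDs match the `keyids` listed in the upstream root metadata.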
24 changes: 22 additions & 2 deletions cmd/cosign/cli/fulcio/fulcio.go
Expand Up @@ -16,6 +16,7 @@
package fulcio

import (
"bytes"
"context"
"crypto"
"crypto/ecdsa"
Expand All @@ -27,6 +28,7 @@ import (
"fmt"
"io/ioutil"
"os"
"strings"

"github.com/go-openapi/runtime"
httptransport "github.com/go-openapi/runtime/client"
Expand All @@ -35,6 +37,7 @@ import (
"golang.org/x/term"

"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/cosign/tuf"
fulcioClient "github.com/sigstore/fulcio/pkg/generated/client"
"github.com/sigstore/fulcio/pkg/generated/client/operations"
"github.com/sigstore/fulcio/pkg/generated/models"
Expand All @@ -53,6 +56,8 @@ const (
//go:embed fulcio.pem
var rootPem string

var fulcioTargetStr = `fulcio.crt.pem`

type oidcConnector interface {
OIDConnect(string, string, string) (*oauthflow.OIDCIDToken, error)
}
Expand Down Expand Up @@ -192,8 +197,23 @@ func init() {
if !cp.AppendCertsFromPEM(raw) {
panic("error creating root cert pool")
}
} else if !cp.AppendCertsFromPEM([]byte(rootPem)) {
panic("error creating root cert pool")
} else {
// First try retrieving from TUF root. Requires running `cosign init`
// Otherwise use rootPem.
ctx := context.Background()
buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
err := tuf.GetTarget(ctx, fulcioTargetStr, &buf)
if err != nil {
if !cp.AppendCertsFromPEM([]byte(rootPem)) {
panic("error creating root cert pool")
}
} else {
// TODO: Remove this when re-signing the next Fulcio certificate.
replaced := strings.ReplaceAll(buf.String(), "\n ", "\n")
if !cp.AppendCertsFromPEM([]byte(replaced)) {
panic("error creating root cert pool")
}
}
}
Roots = cp
}
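Review bot: The fallback at the `if err != nil` branch treats every `tuf.GetTarget` error the same way, so a verification failure on a fetched target (expired or tampered metadata) is silently downgraded to the embedded `rootPem` with no message; if GetTarget can distinguish "not initialized" from a verification error, only the former should fall back, and in any case the fallback should be visible, e.g. `fmt.Fprintf(os.Stderr, "falling back to embedded Fulcio root, TUF target %q unavailable: %v\n", fulcioTargetStr, err)` (both packages are already imported). Because this runs inside package `init()`, whose start lies above the hunk, whatever I/O GetTarget does happens at import time under an uncancellable `context.Background()`; worth confirming it only reads the local `.sigstore/root` store and never touches the network. Separately, `fulcioTargetStr` never changes and should be a `const`, and the `strings.ReplaceAll` whitespace fix-up already carries a TODO to remove it once the certificate is re-signed.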
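--- a/cmd/cosign/cli/init.go
+++ b/cmd/cosign/cli/init.go
@@ -0,0 +1,72 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+"context"
+"flag"
+
+"github.com/peterbourgon/ff/v3/ffcli"
+ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
+)
+
+func Init() *ffcli.Command {
+var (
+flagset = flag.NewFlagSet("cosign init", flag.ExitOnError)
+// mirrorURL = flagset.String("mirror", tuf.TufRemoteStore, "GCS bucket to a SigStore TUF repository.")
+// outPath = flagset.String("out", "", "path to write the resulting trusted SigStore TUF repository.")
+)
+return &ffcli.Command{
+Name: "init",
+ShortUsage: "cosign init -mirror <url> -out <file>",
+ShortHelp: `Initializes SigStore root to retrieve trusted certificate and key targets for verification.`,
+LongHelp: `Initializes SigStore root to retrieve trusted certificate and key targets for verification.
+
+The following options are used by default:
+- Initial root keys are pulled from .sigstore/keys. If it does not exist, uses root keys provided in the release.
+- SigStore current TUF repository is pulled from the GCS mirror at .
+- Resulting trusted metadata is written to .sigstore/root.
+
+To provide an out-of-band trusted root.json, copy the file into a directory named .sigstore/root/.
+
+The resulting updated TUF repository will be written to .sigstore/root/.
+
+Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates
+with Fulcio root CA) are pulled form the trusted metadata.
+
+EXAMPLES
+# initialize root with distributed root keys, default mirror, and default out path.
+cosign init
+
+# initialize with an out-of-band root key file.
+cosign init
+
+# initialize with an out-of-band root key file and custom repository mirror.
+cosign init-mirror <>
+`,
+FlagSet: flagset,
+Exec: func(ctx context.Context, args []string) error {
+// Update the rootKey file if provided.
+
+// Update the default local store.
+
+// Update the mirror for remote store.
+
+// Initialize or update the SigStore TUF repository in .sigstore/root.
+return ctuf.Init(context.Background())
+},
+}
+}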
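Review bot: `Exec` ignores the `ctx` it is handed and calls `ctuf.Init(context.Background())`, so a cancelled or deadline-bound command context never reaches the TUF update; change it to `return ctuf.Init(ctx)`. The ShortUsage advertises `-mirror <url> -out <file>` while both flags are commented out and the flagset uses `flag.ExitOnError`, so `cosign init -mirror ...` exits with an undefined-flag error; either register the flags or drop them from the usage and the EXAMPLES, which are also incomplete (`cosign init-mirror <>`, `pulled from the GCS mirror at .`) and have `pulled form` for `pulled from`. The exported `Init` has no doc comment; add `// Init returns the "cosign init" subcommand, which initializes the local SigStore TUF root.` above it.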
2 changes: 2 additions & 0 deletions cmd/cosign/main.go
Expand Up @@ -68,6 +68,8 @@ func main() {
cli.Copy(),
cli.Clean(),
cli.Triangulate(),
// Init
cli.Init(),
// Version
cli.Version()},
Exec: func(context.Context, []string) error {
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -3,6 +3,7 @@ module github.com/sigstore/cosign
go 1.16

require (
cloud.google.com/go/storage v1.16.0 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.14 // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20210303052042-6bc126869bf4
4 changes: 4 additions & 0 deletions go.sum
Expand Up @@ -53,6 +53,7 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
cloud.google.com/go/storage v1.15.0/go.mod h1:mjjQMoxxyGH7Jr8K5qrx6N2O0AHsczI61sMNn03GIZI=
cloud.google.com/go/storage v1.16.0 h1:1UwAux2OZP4310YXg5ohqBEpV16Y93uZG4+qOX7K2Kg=
cloud.google.com/go/storage v1.16.0/go.mod h1:ieKBmUyzcftN5tbxwnXClMKH00CfcQ+xL6NN0r5QfmE=
code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUrR6JDY=
contrib.go.opencensus.io/exporter/aws v0.0.0-20181029163544-2befc13012d0/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA=
Expand Down Expand Up @@ -825,6 +826,7 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o=
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
Expand Down Expand Up @@ -1210,7 +1212,9 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 h1:iGnD/q9160NWqKZZ5vY4p0dMiYMRknzctfSkqA4nBDw=
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613/go.mod h1:g6AnIpDSYMcphz193otpSIzN+11Rs+AAIIC6rm1enug=
github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
github.com/theupdateframework/go-tuf v0.0.0-20210630170422-22a94818d17b/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw=