feat: add support outputting rekor response on signing (#3248)

* feat: add support outputting rekor response on signing Signed-off-by: Vishal Choudhary <[email protected]> * feat: use local signed payload Signed-off-by: Vishal Choudhary <[email protected]> * feat: add test Signed-off-by: Vishal Choudhary <[email protected]> * feat: test fix Signed-off-by: Vishal Choudhary <[email protected]> * fix: fetchLocalSignedPayload Signed-off-by: Vishal Choudhary <[email protected]> * feat: update bundle output logic Signed-off-by: Vishal Choudhary <[email protected]> * feat: remove experimental flag Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]>
sigstore · Oct 17, 2023 · d20a33e · d20a33e
1 parent dd69c62
commit d20a33e
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -20,6 +20,8 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -306,6 +308,22 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 		ui.Infof(ctx, "Certificate wrote in the file %s", signOpts.OutputCertificate)
 	}
 
+	if ko.BundlePath != "" {
+		signedPayload, err := fetchLocalSignedPayload(ociSig)
+		if err != nil {
+			return fmt.Errorf("failed to fetch signed payload: %w", err)
+		}
+
+		contents, err := json.Marshal(signedPayload)
+		if err != nil {
+			return fmt.Errorf("failed to marshal signed payload: %w", err)
+		}
+		if err := os.WriteFile(ko.BundlePath, contents, 0600); err != nil {
+			return fmt.Errorf("create bundle file: %w", err)
+		}
+		ui.Infof(ctx, "Wrote bundle to file %s", ko.BundlePath)
+	}
+
 	if !signOpts.Upload {
 		return nil
 	}
@@ -591,3 +609,32 @@ func (c *SignerVerifier) Bytes(ctx context.Context) ([]byte, error) {
 	}
 	return pemBytes, nil
 }
+
+func fetchLocalSignedPayload(sig oci.Signature) (*cosign.LocalSignedPayload, error) {
+	signedPayload := &cosign.LocalSignedPayload{}
+	var err error
+
+	signedPayload.Base64Signature, err = sig.Base64Signature()
+	if err != nil {
+		return nil, err
+	}
+
+	sigCert, err := sig.Cert()
+	if err != nil {
+		return nil, err
+	}
+	if sigCert != nil {
+		signedPayload.Cert = base64.StdEncoding.EncodeToString(sigCert.Raw)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		signedPayload.Cert = ""
+	}
+
+	signedPayload.Bundle, err = sig.Bundle()
+	if err != nil {
+		return nil, err
+	}
+	return signedPayload, nil
+}
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -951,6 +951,48 @@ func TestRekorBundle(t *testing.T) {
 	must(verify(pubKeyPath, imgName, true, nil, ""), t)
 }
 
+func TestRekorOutput(t *testing.T) {
+	repo, stop := reg(t)
+	defer stop()
+	td := t.TempDir()
+
+	imgName := path.Join(repo, "cosign-e2e")
+	bundlePath := filepath.Join(td, "bundle.sig")
+
+	_, _, cleanup := mkimage(t, imgName)
+	defer cleanup()
+
+	_, privKeyPath, pubKeyPath := keypair(t, td)
+
+	ko := options.KeyOpts{
+		KeyRef:     privKeyPath,
+		PassFunc:   passFunc,
+		RekorURL:   rekorURL,
+		BundlePath: bundlePath,
+	}
+	so := options.SignOptions{
+		Upload: true,
+	}
+
+	// Sign the image
+	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+	// Make sure verify works
+	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+
+	if file, err := os.ReadFile(bundlePath); err != nil {
+		t.Fatal(err)
+	} else {
+		var localCosignPayload cosign.LocalSignedPayload
+		if err := json.Unmarshal(file, &localCosignPayload); err != nil {
+			t.Fatal(err)
+		}
+	}
+	// Make sure offline verification works with bundling
+	// use rekor prod since we have hardcoded the public key
+	os.Setenv(serverEnv, "notreal")
+	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+}
+
 func TestFulcioBundle(t *testing.T) {
 	repo, stop := reg(t)
 	defer stop()