Merge in master

Signed-off-by: Priya Wadhwa <[email protected]>

.github/workflows/github-oidc.yaml

@@ -28,7 +28,7 @@ jobs:
       contents: read
     env:
       COSIGN_EXPERIMENTAL: "true"
-      GIT_HASH: $GITHUB_SHA
+      GIT_HASH: ${{ github.sha }}
       GIT_VERSION: latest
       GITHUB_RUN_ID: ${{ github.run_id }}
       GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}

CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## v1.3.1
+
+* BREAKING [cosign/pkg]: `cosign.Verify` has been removed in favor of explicit `cosign.VerifyImageSignatures` and `cosign.VerifyImageAttestations`
+ (https://github.com/sigstore/cosign/pull/1026)
+
+### Enhancements
+
+* Add ability for verify-blob to find signing cert in transparency log (https://github.com/sigstore/cosign/pull/991)
+* root policy: add optional issuer to maintainer keys (https://github.com/sigstore/cosign/pull/999)
+* PKCS11 signing support (https://github.com/sigstore/cosign/pull/985)
+* Included timeout option for uploading to Rekor (https://github.com/sigstore/cosign/pull/1001)
+
+### Bug Fixes
+
+* Bump sigstore/sigstore to pickup a fix for azure kms (https://github.com/sigstore/cosign/pull/1011 / https://github.com/sigstore/cosign/pull/1028)
+
+### Contributors
+
+* Asra Ali (@asraa)
+* Batuhan Apaydın (@developer-guy)
+* Carlos Panato (@cpanato)
+* Dan Lorenc (@dlorenc)
+* Dennis Leon (@DennisDenuto)
+* Erkan Zileli (@erkanzileli)
+* Furkan Türkal (@Dentrax)
+* garantir-km (@garantir-km)
+* Jake Sanders (@dekkagaijin)
+* Naveen (@naveensrinivasan)
+
 ## v1.3.0
 
 * BREAKING: `verify-manifest` is now `manifest verify` (https://github.com/sigstore/cosign/pull/712)

Makefile

@@ -20,6 +20,8 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+GOFILES ?= $(shell find . -type f -name '*.go' -not -path "./vendor/*")
+
 # Set version variables for LDFLAGS
 PROJECT_ID ?= projectsigstore
 RUNTIME_IMAGE ?= gcr.io/distroless/static
@@ -55,6 +57,28 @@ export KO_DOCKER_REPO=$(KO_PREFIX)
 .PHONY: all lint test clean cosign cross
 all: cosign
 
+log-%:
+	@grep -h -E '^$*:.*?## .*$$' $(MAKEFILE_LIST) | \
+		awk \
+			'BEGIN { \
+				FS = ":.*?## " \
+			}; \
+			{ \
+				printf "\033[36m==> %s\033[0m\n", $$2 \
+			}'
+
+.PHONY: checkfmt
+checkfmt: SHELL := /usr/bin/env bash
+checkfmt: ## Check formatting of all go files
+	@ $(MAKE) --no-print-directory log-$@
+ 	$(shell test -z "$(shell gofmt -l $(GOFILES) | tee /dev/stderr)")
+ 	$(shell test -z "$(shell goimports -l $(GOFILES) | tee /dev/stderr)")
+
+.PHONY: fmt
+fmt: ## Format all go files
+	@ $(MAKE) --no-print-directory log-$@
+	goimports -w $(GOFILES)
+
 cosign: $(SRCS)
 	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign
 

README.md

@@ -24,72 +24,18 @@ Click [here](https://join.slack.com/t/sigstore/shared_invite/zt-mhs55zh0-XmY3bcf
 
 ## Installation
 
-If you have Go 1.16+, you can directly install by running:
+For Homebrew, Arch, Nix, GitHub Action, and Kubernetes installs see the [installation docs](https://docs.sigstore.dev/cosign/installation).
 
-    $ go install github.com/sigstore/cosign/cmd/cosign@latest
+For Linux and macOS binaries see the [GitHub release assets](https://github.com/sigstore/cosign/releases/latest).
 
-and the resulting binary will be placed at `$GOPATH/bin/cosign` (or `$GOBIN/cosign`, if set).
+## Developer Installation
 
-### GitHub Action
+If you have Go 1.16+, you can setup a development environment:
 
-`cosign` can easily be installed in your GitHub actions using [`sigstore/cosign-installer`](https://github.com/marketplace/actions/install-cosign):
-
-```yaml
-uses: sigstore/cosign-installer@main
-with:
-  cosign-release: 'v1.0.0' # optional
-```
-
-### Kubernetes webhook
-
-`cosign` can be installed on your Kubernetes cluster in a form of a [`cosigned webhook`](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned).
-By installing a webhook, you can automatically validate that all the container
-images have been signed. The webhook also resolves the image tags to ensure the
-image being ran is not different from when it was admitted.
-
-### Container Images
-
-Signed release images are available at `gcr.io/projectsigstore/cosign`.
-They are tagged with the release name (e.g. `gcr.io/projectsigstore/cosign:v1.0.0`).
-They can be found with `crane ls`:
-
-```shell
-$ crane ls gcr.io/projectsigstore/cosign
-sha256-7e9a6ca62c3b502a125754fbeb4cde2d37d4261a9c905359585bfc0a63ff17f4.sig
-v0.4.0
-...
-```
-
-CI Built containers are published for every commit at `gcr.io/projectsigstore/cosign/ci/cosign`.
-They are tagged with the commit.
-They can be found with `crane ls`:
-
-```shell
-$ crane ls gcr.io/projectsigstore/cosign/ci/cosign
-749f896
-749f896bb378aca5cb45c5154fc0cb43f6728d48
-```
-
-Further details and installation instructions for `crane` available here: https://github.com/google/go-containerregistry/tree/main/cmd/crane
-
-### Releases
-
-Releases are published in this repository under the [Releases page](https://github.com/sigstore/cosign/releases), and hosted in the GCS bucket `cosign-releases`.
-They can be viewed with `gsutil`:
-
-```shell
-$ gsutil ls gs://cosign-releases/v1.0.0
-gs://cosign-releases/v1.0.0/cosign-darwin-amd64
-gs://cosign-releases/v1.0.0/cosign-darwin-amd64.sig
-gs://cosign-releases/v1.0.0/cosign-darwin-arm64
-gs://cosign-releases/v1.0.0/cosign-darwin-arm64.sig
-gs://cosign-releases/v1.0.0/cosign-linux-amd64
-gs://cosign-releases/v1.0.0/cosign-linux-amd64.sig
-gs://cosign-releases/v1.0.0/cosign-windows-amd64.exe
-gs://cosign-releases/v1.0.0/cosign-windows-amd64.exe.sig
-gs://cosign-releases/v1.0.0/cosign_checksums.txt
-gs://cosign-releases/v1.0.0/release-cosign.pub
-```
+    $ git clone https://github.com/sigstore/cosign
+    $ cd cosign
+    $ go install ./cmd/cosign
+    $ $(go env GOPATH)/bin/cosign
 
 ## Quick Start
 

cmd/cosign/cli/attest.go

@@ -31,7 +31,7 @@ func Attest() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "attest",
 		Short: "Attest the supplied container image.",
-		Example: `  cosign attest --key <key path>|<kms uri> [--predicate <path>] [--a key=value] [--upload=true|false] [--f] [--r] <image uri>
+		Example: `  cosign attest --key <key path>|<kms uri> [--predicate <path>] [--a key=value] [--no-upload=true|false] [--f] [--r] <image uri>
 
   # attach an attestation to a container image Google sign-in (experimental)
   COSIGN_EXPERIMENTAL=1 cosign attest --timeout 90s --predicate <FILE> --type <TYPE> <IMAGE>
@@ -71,7 +71,7 @@ func Attest() *cobra.Command {
 			}
 			for _, img := range args {
 				if err := attest.AttestCmd(cmd.Context(), ko, o.Registry, img, o.Cert, o.NoUpload,
-					o.Predicate.Path, o.Force, o.Predicate.Type, o.Timeout); err != nil {
+					o.Predicate.Path, o.Force, o.Predicate.Type, o.Replace, o.Timeout); err != nil {
 					return errors.Wrapf(err, "signing %s", img)
 				}
 			}

cmd/cosign/cli/attest/attest.go

@@ -45,7 +45,7 @@ import (
 
 //nolint
 func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string,
-	noUpload bool, predicatePath string, force bool, predicateType string, timeout time.Duration) error {
+	noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
 	// A key file or token is required unless we're in experimental mode!
 	if options.EnableExperimental() {
 		if options.NOf(ko.KeyRef, ko.Sk) > 1 {
@@ -148,8 +148,17 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 		return err
 	}
 
+	signOpts := []mutate.SignOption{
+		mutate.WithDupeDetector(dd),
+	}
+
+	if replace {
+		ro := cremote.NewReplaceOp(predicateURI)
+		signOpts = append(signOpts, mutate.WithReplaceOp(ro))
+	}
+
 	// Attach the attestation to the entity.
-	newSE, err := mutate.AttachAttestationToEntity(se, sig, mutate.WithDupeDetector(dd))
+	newSE, err := mutate.AttachAttestationToEntity(se, sig, signOpts...)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/options/attest.go

@@ -28,6 +28,7 @@ type AttestOptions struct {
 	NoUpload  bool
 	Force     bool
 	Recursive bool
+	Replace   bool
 	Timeout   time.Duration
 
 	Rekor       RekorOptions
@@ -64,6 +65,9 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&o.Recursive, "recursive", "r", false,
 		"if a multi-arch image is specified, additionally sign each discrete image")
 
+	cmd.Flags().BoolVarP(&o.Replace, "replace", "", false,
+		"")
+
 	cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
 		"HTTP Timeout defaults to 30 seconds")
 }

cmd/cosign/cli/sign/sign.go

@@ -340,9 +340,9 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, ko KeyOpts) (*CertS
 		// user.
 		pkcs11Key, ok := k.(*pkcs11key.Key)
 		if ok {
-			certFromPKCS11, err := pkcs11Key.Certificate()
+			certFromPKCS11, _ := pkcs11Key.Certificate()
 			var pemBytes []byte
-			if err != nil {
+			if certFromPKCS11 == nil {
 				fmt.Fprintln(os.Stderr, "warning: no x509 certificate retrieved from the PKCS11 token")
 			} else {
 				pemBytes, err = cryptoutils.MarshalCertificateToPEM(certFromPKCS11)

cmd/cosign/cli/verify/verify.go

@@ -120,7 +120,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 			return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
 		}
 
-		verified, bundleVerified, err := cosign.VerifySignatures(ctx, ref, co)
+		verified, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co)
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/verify/verify_attestation.go

@@ -107,7 +107,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 			return err
 		}
 
-		verified, bundleVerified, err := cosign.VerifyAttestations(ctx, ref, co)
+		verified, bundleVerified, err := cosign.VerifyImageAttestations(ctx, ref, co)
 		if err != nil {
 			return err
 		}
@@ -172,7 +172,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				if err := json.Unmarshal(decodedPayload, &cosignStatement); err != nil {
 					return fmt.Errorf("unmarshal CosignStatement: %w", err)
 				}
-				payload, err = json.Marshal(cosignStatement.Predicate)
+				payload, err = json.Marshal(cosignStatement)
 				if err != nil {
 					return fmt.Errorf("error when generating CosignStatement: %w", err)
 				}
@@ -181,7 +181,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				if err := json.Unmarshal(decodedPayload, &linkStatement); err != nil {
 					return fmt.Errorf("unmarshal LinkStatement: %w", err)
 				}
-				payload, err = json.Marshal(linkStatement.Predicate)
+				payload, err = json.Marshal(linkStatement)
 				if err != nil {
 					return fmt.Errorf("error when generating LinkStatement: %w", err)
 				}
@@ -190,7 +190,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				if err := json.Unmarshal(decodedPayload, &slsaProvenanceStatement); err != nil {
 					return fmt.Errorf("unmarshal ProvenanceStatement: %w", err)
 				}
-				payload, err = json.Marshal(slsaProvenanceStatement.Predicate)
+				payload, err = json.Marshal(slsaProvenanceStatement)
 				if err != nil {
 					return fmt.Errorf("error when generating ProvenanceStatement: %w", err)
 				}
@@ -199,20 +199,26 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				if err := json.Unmarshal(decodedPayload, &spdxStatement); err != nil {
 					return fmt.Errorf("unmarshal SPDXStatement: %w", err)
 				}
-				payload, err = json.Marshal(spdxStatement.Predicate)
+				payload, err = json.Marshal(spdxStatement)
 				if err != nil {
 					return fmt.Errorf("error when generating SPDXStatement: %w", err)
 				}
 			}
 
 			if len(cuePolicies) > 0 {
 				fmt.Fprintf(os.Stderr, "will be validating against CUE policies: %v\n", cuePolicies)
-				validationErrors = append(validationErrors, cue.ValidateJSON(payload, cuePolicies))
+				cueValidationErr := cue.ValidateJSON(payload, cuePolicies)
+				if cueValidationErr != nil {
+					validationErrors = append(validationErrors, cueValidationErr)
+				}
 			}
 
 			if len(regoPolicies) > 0 {
 				fmt.Fprintf(os.Stderr, "will be validating against Rego policies: %v\n", regoPolicies)
-				validationErrors = append(validationErrors, rego.ValidateJSON(payload, regoPolicies)...)
+				regoValidationErrs := rego.ValidateJSON(payload, regoPolicies)
+				if len(regoValidationErrs) > 0 {
+					validationErrors = append(validationErrors, regoValidationErrs...)
+				}
 			}
 		}
 

cmd/cosign/cli/verify/verify_blob.go

@@ -62,6 +62,9 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, sigRef, blobRe
 	}
 
 	var b64sig string
+	if sigRef == "" {
+		return fmt.Errorf("missing flag '--signature'")
+	}
 	targetSig, err := blob.LoadFileOrURL(sigRef)
 	if err != nil {
 		if !os.IsNotExist(err) {

go.mod

@@ -13,12 +13,13 @@ require (
 	github.com/go-piv/piv-go v1.9.0
 	github.com/google/certificate-transparency-go v1.1.2-0.20210728111105-5f7e9ba4be3d
 	github.com/google/go-cmp v0.5.6
-	github.com/google/go-containerregistry v0.6.1-0.20210922191434-34b7f00d7a60
+	github.com/google/go-containerregistry v0.6.1-0.20211111182346-7a6ee45528a9
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211102215614-dd49079bb93d
 	github.com/google/go-github/v39 v39.2.0
 	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c
 	github.com/in-toto/in-toto-golang v0.3.3
 	github.com/manifoldco/promptui v0.9.0
+	github.com/miekg/pkcs11 v1.0.3
 	github.com/open-policy-agent/opa v0.34.1
 	github.com/pkg/errors v0.9.1
 	github.com/secure-systems-lab/go-securesystemslib v0.1.0
@@ -41,12 +42,9 @@ require (
 
 require (
 	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/miekg/pkcs11 v1.0.3
 	github.com/onsi/gomega v1.16.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/urfave/cli v1.22.5 // indirect