From 870e03f6707f3a348494fd518c9daa7d7dc92b1d Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Thu, 13 Jan 2022 22:54:06 +0000
Subject: [PATCH] Add TUF timestamp to attestation bundle

This follows #1294 in adding the TUF timestamp to the annotations layer for attestations, when either uploading to Rekor or signing with a Fulcio cert.

Ref #1273

Signed-off-by: Hayden Blauzvern
---
 cmd/cosign/cli/attest/attest.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 712d8a35294..6fee22583ef 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -35,6 +35,7 @@ import (
 "github.com/sigstore/cosign/pkg/cosign/attestation"
 cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
 cremote "github.com/sigstore/cosign/pkg/cosign/remote"
+ "github.com/sigstore/cosign/pkg/cosign/tuf"
 "github.com/sigstore/cosign/pkg/oci/mutate"
 ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 "github.com/sigstore/cosign/pkg/oci/static"
@@ -159,6 +160,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
 if sv.Cert != nil {
 opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
+ timestamp, err := tuf.GetTimestamp(ctx)
+ if err != nil {
+ return errors.Wrap(err, "reading tuf timestamp")
+ }
+ opts = append(opts, static.WithTimestamp(timestamp))
 }

 // Check whether we should be uploading to the transparency log
@@ -170,6 +176,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 return err
 }
 opts = append(opts, static.WithBundle(bundle))
+ timestamp, err := tuf.GetTimestamp(ctx)
+ if err != nil {
+ return errors.Wrap(err, "reading tuf timestamp")
+ }
+ opts = append(opts, static.WithTimestamp(timestamp))
 }

 sig, err := static.NewAttestation(signedPayload, opts...)
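Review bot: When the signer has a Fulcio cert and the attestation is also uploaded to Rekor, both added blocks run (the one in the `sv.Cert != nil` branch and the one after `static.WithBundle(bundle)`), so `tuf.GetTimestamp(ctx)` is called twice and `static.WithTimestamp` is appended to `opts` twice. The two reads are not guaranteed to return the same metadata, and which value ends up in the annotations then depends on how `static` handles a repeated option, which is not visible here. Reading the timestamp once through a small local helper keeps a single value and a single error path; the sketch below shows the changed lines. On the Rekor path the read presumably happens after the log entry has been created (the upload call is above the hunk), so a TUF failure there would leave an entry with no attestation attached, and fetching the timestamp before the upload would avoid that. AttestCmd starts and ends outside both hunks.

```go
	opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
	// Read the TUF timestamp at most once, whichever branch needs it first.
	timestampAdded := false
	addTimestamp := func() error {
		if timestampAdded {
			return nil
		}
		timestamp, err := tuf.GetTimestamp(ctx)
		if err != nil {
			return errors.Wrap(err, "reading tuf timestamp")
		}
		opts = append(opts, static.WithTimestamp(timestamp))
		timestampAdded = true
		return nil
	}
	if sv.Cert != nil {
		opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
		if err := addTimestamp(); err != nil {
			return err
		}
	}
	// … unchanged: transparency-log check and upload …
		opts = append(opts, static.WithBundle(bundle))
		if err := addTimestamp(); err != nil {
			return err
		}
```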