add cosign functions for signature checking
1 parent
2ce37bd
commit c357f12
Showing
10 changed files
with
2,726 additions
and
278 deletions.
@@ -0,0 +1,27 @@ | ||
package opaprocessor | ||
|
||
import ( | ||
"context" | ||
"github.com/google/go-containerregistry/pkg/name" | ||
"github.com/kubescape/go-logger" | ||
"github.com/kubescape/go-logger/helpers" | ||
"github.com/sigstore/cosign/pkg/cosign" | ||
) | ||
|
||
|
||
func has_signature(img string) bool { | ||
||
ref, err := name.ParseReference(img) | ||
if err != nil { | ||
logger.L().Error("parsing reference", helpers.Error(err)) | ||
return false | ||
} | ||
sins, err := cosign.FetchSignaturesForReference(context.Background(), ref) | ||
|
||
if err != nil { | ||
logger.L().Error("verifying signature", helpers.Error(err)) | ||
return false | ||
|
||
} | ||
|
||
return len(sins) > 0 | ||
} |
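Review bot: `has_signature` reports only that some signature object is attached to the image, because `cosign.FetchSignaturesForReference` retrieves signatures without verifying them against any key or identity, so a `true` result must not be read as evidence that a trusted party signed the image; the error-path log message "verifying signature" is misleading for the same reason, since no verification happens here. A doc comment should make this explicit, e.g. `// has_signature reports whether any cosign signature is attached to img; it does not verify the signature.` The name also breaks Go's MixedCaps convention (`hasSignature`), and `context.Background()` puts no deadline on the registry round-trip — accepting a `ctx` parameter or wrapping with `context.WithTimeout` would bound it.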
@@ -0,0 +1,27 @@ | ||
package opaprocessor | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func Test_has_signature(t *testing.T) { | ||
|
||
tests := []struct { | ||
name string | ||
img string | ||
want bool | ||
}{ | ||
{ | ||
name: "valid signature", | ||
img: "quay.io/kubescape/gateway", | ||
want: true, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
assert.Equal(t, tt.want, has_signature(tt.img), tt.name) | ||
}) | ||
} | ||
} |
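Review bot: `Test_has_signature` makes a live registry call for `quay.io/kubescape/gateway` and asserts that the image currently carries a signature, so the test depends on network access and on external state that a future push can change. Consider skipping it when the network is unavailable, e.g. `if testing.Short() { t.Skip("requires network access") }`, or gating it on an environment variable, and pin a digest rather than a moving tag so the expectation stays stable.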
@@ -0,0 +1,77 @@ | ||
package opaprocessor | ||
|
||
import ( | ||
"context" | ||
"crypto" | ||
"fmt" | ||
|
||
"github.com/google/go-containerregistry/pkg/name" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/options" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/sign" | ||
"github.com/sigstore/cosign/pkg/cosign" | ||
"github.com/sigstore/cosign/pkg/cosign/pkcs11key" | ||
ociremote "github.com/sigstore/cosign/pkg/oci/remote" | ||
sigs "github.com/sigstore/cosign/pkg/signature" | ||
) | ||
|
||
// VerifyCommand verifies a signature on a supplied container image | ||
// nolint | ||
type VerifyCommand struct { | ||
options.RegistryOptions | ||
CheckClaims bool | ||
KeyRef string | ||
CertRef string | ||
CertEmail string | ||
CertIdentity string | ||
CertOidcIssuer string | ||
CertGithubWorkflowTrigger string | ||
CertGithubWorkflowSha string | ||
CertGithubWorkflowName string | ||
CertGithubWorkflowRepository string | ||
CertGithubWorkflowRef string | ||
CertChain string | ||
CertOidcProvider string | ||
EnforceSCT bool | ||
Sk bool | ||
Slot string | ||
Output string | ||
RekorURL string | ||
Attachment string | ||
Annotations sigs.AnnotationsMap | ||
SignatureRef string | ||
HashAlgorithm crypto.Hash | ||
LocalImage bool | ||
} | ||
|
||
// Exec runs the verification command | ||
func verify(img string, key string) (bool, error) { | ||
|
||
co := &cosign.CheckOpts{} | ||
var ociremoteOpts []ociremote.Option | ||
attachment := "" | ||
|
||
pubKey, err := sigs.LoadPublicKeyRaw([]byte(key), crypto.SHA256) | ||
if err != nil { | ||
return false, fmt.Errorf("loading public key: %w", err) | ||
} | ||
pkcs11Key, ok := pubKey.(*pkcs11key.Key) | ||
if ok { | ||
defer pkcs11Key.Close() | ||
} | ||
co.SigVerifier = pubKey | ||
ref, err := name.ParseReference(img) | ||
if err != nil { | ||
return false, fmt.Errorf("parsing reference: %w", err) | ||
} | ||
ref, err = sign.GetAttachedImageRef(ref, attachment, ociremoteOpts...) | ||
if err != nil { | ||
return false, fmt.Errorf("resolving attachment type %s for image %s: %w", attachment, img, err) | ||
} | ||
|
||
_, _, err = cosign.VerifyImageSignatures(context.TODO(), ref, co) | ||
if err != nil { | ||
return false, fmt.Errorf("verifying signature: %w", err) | ||
} | ||
|
||
return true, nil | ||
} |
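Review bot: `co` is built with only `SigVerifier` set, so `VerifyImageSignatures` checks that an attached signature validates under the supplied key but, with `ClaimVerifier` left nil, does not appear to check that the signed payload's digest claim matches the image being verified — worth confirming against the cosign version in use; `co := &cosign.CheckOpts{SigVerifier: pubKey, ClaimVerifier: cosign.SimpleClaimVerifier}` mirrors what the `cosign verify` CLI does when claim checking is enabled. The `pkcs11key.Key` branch is dead for a key loaded from PEM bytes via `LoadPublicKeyRaw`, and `VerifyCommand` is declared (with a `// nolint`) but never used by `verify`, so both could be dropped. `context.TODO()` on a registry call should become a caller-supplied `ctx`, and the `bool` return is redundant with the `error` since the function only ever returns `true, nil` or `false, err`.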
@@ -0,0 +1,49 @@ | ||
package opaprocessor | ||
|
||
import ( | ||
"fmt" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func Test_verify(t *testing.T) { | ||
type args struct { | ||
img string | ||
key string | ||
} | ||
tests := []struct { | ||
name string | ||
args args | ||
want bool | ||
wantErr assert.ErrorAssertionFunc | ||
}{ | ||
{ | ||
"valid signature", | ||
args{ | ||
img: "hisu/cosign-tests:signed", | ||
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGnMCUU0jGe6r4mPsPuyTXf61PE4e\nNwB/31SvUMmnoyd/1UxSqd+MRPXPU6pcub4k6E9G9SprVCuf6Sydcbyiqw==\n-----END PUBLIC KEY-----", | ||
}, | ||
true, | ||
assert.NoError, | ||
}, | ||
{ | ||
"no signature", | ||
args{ | ||
img: "hisu/cosign-tests:unsigned", | ||
key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGnMCUU0jGe6r4mPsPuyTXf61PE4e\nNwB/31SvUMmnoyd/1UxSqd+MRPXPU6pcub4k6E9G9SprVCuf6Sydcbyiqw==\n-----END PUBLIC KEY-----", | ||
}, | ||
false, | ||
assert.Error, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
got, err := verify(tt.args.img, tt.args.key) | ||
if !tt.wantErr(t, err, fmt.Sprintf("verify(%v, %v)", tt.args.img, tt.args.key)) { | ||
return | ||
} | ||
assert.Equalf(t, tt.want, got, "verify(%v, %v)", tt.args.img, tt.args.key) | ||
}) | ||
} | ||
} |
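Review bot: `Test_verify` reaches Docker Hub for `hisu/cosign-tests:signed` and `hisu/cosign-tests:unsigned`, images outside this repository's control, so the outcome depends on a third party keeping those images and their signatures unchanged, and tag references mean a re-push silently changes what is verified. Skip under `testing.Short()` or an environment gate, and consider referencing the images by digest; the duplicated PEM literal could also be hoisted into a package-level `const` so both cases share one key.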
Hi @spacecodedream can you be more specific with your question? What do you want to achieve?