Add TUF timestamp to attestation bundle (#1316)

This follows #1294 in adding the TUF timestamp to the annotations layer for attestations, when either uploading to Rekor or signing with a Fulcio cert. Ref #1273 Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Jan 14, 2022 · 244c07a · 244c07a
1 parent 46cf94b
commit 244c07a
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
@@ -35,6 +35,7 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"github.com/sigstore/cosign/pkg/oci/static"
@@ -159,6 +160,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
 	if sv.Cert != nil {
 		opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
+		timestamp, err := tuf.GetTimestamp(ctx)
+		if err != nil {
+			return errors.Wrap(err, "reading tuf timestamp")
+		}
+		opts = append(opts, static.WithTimestamp(timestamp))
 	}
 
 	// Check whether we should be uploading to the transparency log
@@ -170,6 +176,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 			return err
 		}
 		opts = append(opts, static.WithBundle(bundle))
+		timestamp, err := tuf.GetTimestamp(ctx)
+		if err != nil {
+			return errors.Wrap(err, "reading tuf timestamp")
+		}
+		opts = append(opts, static.WithTimestamp(timestamp))
 	}
 
 	sig, err := static.NewAttestation(signedPayload, opts...)