feat: add support for downloading signature from remote

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
sigstore · Sep 7, 2021 · 64126df · 64126df
1 parent cb0c46a
commit 64126df
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 56 deletions.
diff --git a/cmd/cosign/cli/init.go b/cmd/cosign/cli/init.go
@@ -19,41 +19,13 @@ import (
 	"context"
 	_ "embed" // To enable the `go:embed` directive.
 	"flag"
-	"io/ioutil"
-	"net/http"
-	"path/filepath"
-	"strings"
-
 	"github.com/peterbourgon/ff/v3/ffcli"
 	ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
 )
 
 //go:embed 1.root.json
 var initialRoot string
 
-func loadFileOrURL(fileRef string) ([]byte, error) {
-	var raw []byte
-	var err error
-	if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") {
-		// #nosec G107
-		resp, err := http.Get(fileRef)
-		if err != nil {
-			return nil, err
-		}
-		defer resp.Body.Close()
-		raw, err = ioutil.ReadAll(resp.Body)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		raw, err = ioutil.ReadFile(filepath.Clean(fileRef))
-		if err != nil {
-			return nil, err
-		}
-	}
-	return raw, nil
-}
-
 func Init() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign init", flag.ExitOnError)

diff --git a/cmd/cosign/cli/util.go b/cmd/cosign/cli/util.go
@@ -17,7 +17,7 @@ package cli
 import (
 	"context"
 	"crypto"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -53,28 +53,39 @@ func TargetRepositoryForImage(img name.Reference) (name.Repository, error) {
 	return name.NewRepository(wantRepo)
 }
 
-func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) {
-	// The key could be plaintext, in a file, at a URL, or in KMS.
-	if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil {
-		// KMS specified
-		return kmsKey, nil
-	}
-
+func loadFileOrURL(fileRef string) ([]byte, error) {
 	var raw []byte
-
-	if strings.HasPrefix(keyRef, "http://") || strings.HasPrefix(keyRef, "https://") {
-		// key-url specified
+	var err error
+	if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") {
 		// #nosec G107
-		resp, err := http.Get(keyRef)
+		resp, err := http.Get(fileRef)
 		if err != nil {
 			return nil, err
 		}
 		defer resp.Body.Close()
-		raw, err = ioutil.ReadAll(resp.Body)
+		raw, err = io.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		raw, err = os.ReadFile(filepath.Clean(fileRef))
 		if err != nil {
 			return nil, err
 		}
-	} else if raw, err = ioutil.ReadFile(filepath.Clean(keyRef)); err != nil {
+	}
+	return raw, nil
+}
+
+func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) {
+	// The key could be plaintext, in a file, at a URL, or in KMS.
+	if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil {
+		// KMS specified
+		return kmsKey, nil
+	}
+
+	raw, err := loadFileOrURL(keyRef)
+
+	if err != nil {
 		return nil, err
 	}
 

diff --git a/cmd/cosign/cli/verify_blob.go b/cmd/cosign/cli/verify_blob.go
@@ -25,13 +25,12 @@ import (
 	"encoding/base64"
 	"flag"
 	"fmt"
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/pkg/errors"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"github.com/pkg/errors"
-
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
@@ -165,18 +164,17 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str
 		} else {
 			return err
 		}
+	}
+
+	targetSig, err := loadFileOrURL(sigRef)
+	if err != nil {
+		return err
+	}
+
+	if isb64(targetSig) {
+		b64sig = string(targetSig)
 	} else {
-		b, err := ioutil.ReadFile(filepath.Clean(sigRef))
-		if err != nil {
-			return err
-		}
-		// If in a file, it could be raw or base64-encoded.
-		// We want them to be encoded eventually, but not double encoded!
-		if isb64(b) {
-			b64sig = string(b)
-		} else {
-			b64sig = base64.StdEncoding.EncodeToString(b)
-		}
+		b64sig = base64.StdEncoding.EncodeToString(targetSig)
 	}
 
 	var blobBytes []byte