

add --private-infrastructure flag
This commit adds the --private-infrastructure command line flag for
verification commands. This flag is an alias for --insecure-ignore-tlog
with the exception that it also silences the warning message the latter
flag prints. This flag is intended for users who do not rely on a public
transparency log and have their own private infrastructure dedicated to
verification.

Signed-off-by: dylrich <dylan.richardson@mongodb.com>
drichmdb committed Nov 17, 2023
1 parent f57aa2c commit 723dac3
Showing 10 changed files with 37 additions and 5 deletions.
6 changes: 5 additions & 1 deletion cmd/cosign/cli/options/verify.go
Expand Up @@ -28,7 +28,8 @@ type CommonVerifyOptions struct {
MaxWorkers int
// This is added to CommonVerifyOptions to provide a path to support
// it for other verify options.
ExperimentalOCI11 bool
ExperimentalOCI11 bool
PrivateInfrastructure bool
}

func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
Expand All @@ -43,6 +44,9 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
"ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
"cannot be publicly verified when not included in a log")

cmd.Flags().BoolVar(&o.PrivateInfrastructure, "private-infrastructure", false,
"an alias for --insecure-ignore-tlog")

cmd.Flags().BoolVar(&o.ExperimentalOCI11, "experimental-oci11", false,
"set to true to enable experimental OCI 1.1 behaviour")

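Review bot: The help string added at L38-39, `"an alias for --insecure-ignore-tlog"`, is the only place a `--help` reader learns what `--private-infrastructure` does, and it says neither that transparency-log verification is skipped nor that the warning the aliased flag prints is suppressed, so the weaker verification mode is easier to enable by accident than with the flag it aliases. I would spell both out: `"an alias for --insecure-ignore-tlog that also suppresses its warning; use only when signatures are verified solely against private infrastructure and were never uploaded to a public transparency log"`. The new `PrivateInfrastructure` field at L30 also has no doc comment while the neighbouring `ExperimentalOCI11` does; a one-liner such as `// PrivateInfrastructure is an alias for IgnoreTlog that additionally silences its warning; each verify command maps it onto IgnoreTlog in its RunE.` would keep readers from expecting the options layer to perform the mapping. AddFlags continues outside the hunk.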
24 changes: 20 additions & 4 deletions cmd/cosign/cli/verify.go
Expand Up @@ -89,6 +89,10 @@ against the transparency log.`,
Args: cobra.MinimumNArgs(1),
PersistentPreRun: options.BindViper,
RunE: func(cmd *cobra.Command, args []string) error {
if o.CommonVerifyOptions.PrivateInfrastructure {
o.CommonVerifyOptions.IgnoreTlog = true
}

annotations, err := o.AnnotationsMap()
if err != nil {
return err
Expand Down Expand Up @@ -140,7 +144,7 @@ against the transparency log.`,

ctx := cmd.Context()

if o.CommonVerifyOptions.IgnoreTlog {
if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "signature"))
}

Expand Down Expand Up @@ -201,6 +205,10 @@ against the transparency log.`,
Args: cobra.MinimumNArgs(1),
PersistentPreRun: options.BindViper,
RunE: func(cmd *cobra.Command, args []string) error {
if o.CommonVerifyOptions.PrivateInfrastructure {
o.CommonVerifyOptions.IgnoreTlog = true
}

v := &verify.VerifyAttestationCommand{
RegistryOptions: o.Registry,
CheckClaims: o.CheckClaims,
Expand Down Expand Up @@ -235,7 +243,7 @@ against the transparency log.`,

ctx := cmd.Context()

if o.CommonVerifyOptions.IgnoreTlog {
if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "attestation"))
}

Expand Down Expand Up @@ -298,6 +306,10 @@ The blob may be specified as a path to a file or - for stdin.`,
Args: cobra.ExactArgs(1),
PersistentPreRun: options.BindViper,
RunE: func(cmd *cobra.Command, args []string) error {
if o.CommonVerifyOptions.PrivateInfrastructure {
o.CommonVerifyOptions.IgnoreTlog = true
}

ko := options.KeyOpts{
KeyRef: o.Key,
Sk: o.SecurityKey.Use,
Expand Down Expand Up @@ -326,7 +338,7 @@ The blob may be specified as a path to a file or - for stdin.`,

ctx := cmd.Context()

if o.CommonVerifyOptions.IgnoreTlog {
if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob"))
}

Expand Down Expand Up @@ -359,6 +371,10 @@ The blob may be specified as a path to a file.`,
Args: cobra.MaximumNArgs(1),
PersistentPreRun: options.BindViper,
RunE: func(cmd *cobra.Command, args []string) error {
if o.CommonVerifyOptions.PrivateInfrastructure {
o.CommonVerifyOptions.IgnoreTlog = true
}

ko := options.KeyOpts{
KeyRef: o.Key,
Sk: o.SecurityKey.Use,
Expand Down Expand Up @@ -397,7 +413,7 @@ The blob may be specified as a path to a file.`,

ctx := cmd.Context()

if o.CommonVerifyOptions.IgnoreTlog {
if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob attestation"))
}

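Review bot: The `PrivateInfrastructure` → `IgnoreTlog` mapping is repeated verbatim at the top of four RunE closures (hunks at L51, L71, L91 and L111) and the matching `&& !o.CommonVerifyOptions.PrivateInfrastructure` guard in four more (L63, L83, L103, L123), so any command that embeds CommonVerifyOptions but does not repeat the block will accept `--private-infrastructure` and silently leave IgnoreTlog false, i.e. the flag is parsed but has no effect. The doc files for dockerfile verify and manifest verify also change in this commit, which suggests those commands expose the flag; their RunE is not in the diff, so whether they get the mapping cannot be confirmed from here. I would centralise it in the options package, e.g. `func (o *CommonVerifyOptions) ApplyAliases() { if o.PrivateInfrastructure { o.IgnoreTlog = true } }` called once per command, with a companion predicate for the warning condition, so a future alias cannot be wired into some verify commands and not others. Each RunE closure starts and ends outside its hunk.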
1 change: 1 addition & 0 deletions doc/cosign_dockerfile_verify.md


1 change: 1 addition & 0 deletions doc/cosign_manifest_verify.md


1 change: 1 addition & 0 deletions doc/cosign_verify-attestation.md


1 change: 1 addition & 0 deletions doc/cosign_verify-blob-attestation.md


1 change: 1 addition & 0 deletions doc/cosign_verify-blob.md


1 change: 1 addition & 0 deletions doc/cosign_verify.md


5 changes: 5 additions & 0 deletions test/e2e_signblob_tsa_mtls.sh
Expand Up @@ -86,6 +86,11 @@ $COSIGN_CLI verify-blob --bundle cosign.bundle \
--rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
--insecure-ignore-tlog=true --key import-cosign.pub $BLOB

$COSIGN_CLI verify-blob --bundle cosign.bundle \
--certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
--rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
--private-infrastructure --key import-cosign.pub $BLOB

# cleanup
rm -fr blob.sig ca-key.pem cacert.pem cert.pem cosign.bundle import-cosign.key \
import-cosign.pub key.pem timestamp.txt timestamp-chain.pem \
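Review bot: The new verify-blob invocation at L158-161 only checks that the command exits 0 with `--private-infrastructure`, which the preceding `--insecure-ignore-tlog=true` call at L154-156 already proves for the same inputs; the property that distinguishes the new flag — the warning is not printed — is never asserted, so a regression that drops the silencing would still pass. Capturing stderr and failing on the warning would cover it, e.g. `$COSIGN_CLI verify-blob ... --private-infrastructure --key import-cosign.pub $BLOB 2> verify-private.err` followed by `if grep -q '<ignoreTLogMessage text>' verify-private.err; then echo 'warning printed with --private-infrastructure'; exit 1; fi`, with the new file added to the cleanup `rm` at L164. The same applies to the `./cosign verify` line added in test/e2e_test_secrets.sh at L173.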
1 change: 1 addition & 0 deletions test/e2e_test_secrets.sh
Expand Up @@ -165,6 +165,7 @@ cat /dev/urandom | head -n 10 | base64 > randomblob
dgst=$(./cosign upload blob -f randomblob ${blobimg})
./cosign sign --key ${signing_key} --tlog-upload=false ${dgst}
./cosign verify --key ${verification_key} --insecure-ignore-tlog=true ${dgst} # For sanity
./cosign verify --key ${verification_key} --private-infrastructure ${dgst}

# clean up a bit
crane delete $blobimg || true
