feat: add support for downloading signature from remote (#629)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com> Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com> Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com>
sigstore · Sep 7, 2021 · 8d550b3 · 8d550b3
1 parent cb0c46a
commit 8d550b3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 47 deletions.
diff --git a/cmd/cosign/cli/init.go b/cmd/cosign/cli/init.go
@@ -19,10 +19,6 @@ import (
 	"context"
 	_ "embed" // To enable the `go:embed` directive.
 	"flag"
-	"io/ioutil"
-	"net/http"
-	"path/filepath"
-	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
@@ -31,29 +27,6 @@ import (
 //go:embed 1.root.json
 var initialRoot string
 
-func loadFileOrURL(fileRef string) ([]byte, error) {
-	var raw []byte
-	var err error
-	if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") {
-		// #nosec G107
-		resp, err := http.Get(fileRef)
-		if err != nil {
-			return nil, err
-		}
-		defer resp.Body.Close()
-		raw, err = ioutil.ReadAll(resp.Body)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		raw, err = ioutil.ReadFile(filepath.Clean(fileRef))
-		if err != nil {
-			return nil, err
-		}
-	}
-	return raw, nil
-}
-
 func Init() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign init", flag.ExitOnError)

diff --git a/cmd/cosign/cli/util.go b/cmd/cosign/cli/util.go
@@ -17,7 +17,7 @@ package cli
 import (
 	"context"
 	"crypto"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -53,28 +53,39 @@ func TargetRepositoryForImage(img name.Reference) (name.Repository, error) {
 	return name.NewRepository(wantRepo)
 }
 
-func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) {
-	// The key could be plaintext, in a file, at a URL, or in KMS.
-	if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil {
-		// KMS specified
-		return kmsKey, nil
-	}
-
+func loadFileOrURL(fileRef string) ([]byte, error) {
 	var raw []byte
-
-	if strings.HasPrefix(keyRef, "http://") || strings.HasPrefix(keyRef, "https://") {
-		// key-url specified
+	var err error
+	if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") {
 		// #nosec G107
-		resp, err := http.Get(keyRef)
+		resp, err := http.Get(fileRef)
 		if err != nil {
 			return nil, err
 		}
 		defer resp.Body.Close()
-		raw, err = ioutil.ReadAll(resp.Body)
+		raw, err = io.ReadAll(resp.Body)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		raw, err = os.ReadFile(filepath.Clean(fileRef))
 		if err != nil {
 			return nil, err
 		}
-	} else if raw, err = ioutil.ReadFile(filepath.Clean(keyRef)); err != nil {
+	}
+	return raw, nil
+}
+
+func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) {
+	// The key could be plaintext, in a file, at a URL, or in KMS.
+	if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil {
+		// KMS specified
+		return kmsKey, nil
+	}
+
+	raw, err := loadFileOrURL(keyRef)
+
+	if err != nil {
 		return nil, err
 	}
 

diff --git a/cmd/cosign/cli/verify_blob.go b/cmd/cosign/cli/verify_blob.go
@@ -166,17 +166,17 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str
 			return err
 		}
 	} else {
-		b, err := ioutil.ReadFile(filepath.Clean(sigRef))
+		targetSig, err := loadFileOrURL(sigRef)
 		if err != nil {
 			return err
 		}
-		// If in a file, it could be raw or base64-encoded.
-		// We want them to be encoded eventually, but not double encoded!
-		if isb64(b) {
-			b64sig = string(b)
+
+		if isb64(targetSig) {
+			b64sig = string(targetSig)
 		} else {
-			b64sig = base64.StdEncoding.EncodeToString(b)
+			b64sig = base64.StdEncoding.EncodeToString(targetSig)
 		}
+
 	}
 
 	var blobBytes []byte