select signing flows based on input variables

Signed-off-by: Jake Sanders <jsand@google.com>
sigstore · Nov 29, 2021 · df3a2e6 · df3a2e6
1 parent 5a975d8
commit df3a2e6
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 35 deletions.
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
@@ -41,7 +41,6 @@ import (
 	"github.com/sigstore/cosign/pkg/types"
 	rekPkgClient "github.com/sigstore/rekor/pkg/client"
 	"github.com/sigstore/rekor/pkg/generated/client"
-	rekGenClient "github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
@@ -63,7 +62,7 @@ func bundle(entry *models.LogEntryAnon) *oci.Bundle {
 	}
 }
 
-type tlogUploadFn func(*rekGenClient.Rekor, []byte) (*models.LogEntryAnon, error)
+type tlogUploadFn func(*client.Rekor, []byte) (*models.LogEntryAnon, error)
 
 func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string, upload tlogUploadFn) (*oci.Bundle, error) {
 	var rekorBytes []byte
@@ -77,6 +76,7 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
 		}
 		rekorBytes = pemBytes
 	}
+
 	rekorClient, err := rekPkgClient.GetRekorClient(rekorURL)
 	if err != nil {
 		return nil, err

diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -52,7 +52,6 @@ import (
 	fulcPkgClient "github.com/sigstore/fulcio/pkg/client"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
-	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 )
 
@@ -201,12 +200,6 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 		}
 	}
 
-	signature, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
-	if err != nil {
-		return errors.Wrap(err, "signing")
-	}
-	b64sig := base64.StdEncoding.EncodeToString(signature)
-
 	out := os.Stdout
 	if output != "" {
 		out, err = os.Create(output)
@@ -215,13 +208,6 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 		}
 		defer out.Close()
 	}
-	if _, err := out.Write([]byte(b64sig)); err != nil {
-		return errors.Wrap(err, "write signature to file")
-	}
-
-	if !upload {
-		return nil
-	}
 
 	req := &icos.SigningRequest{
 		SignaturePayload: payload,
@@ -237,8 +223,11 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 		Chain: sv.Chain,
 		Inner: s,
 	}
-	s = &icos.RekorSignerWrapper{
-		Inner: s,
+	if ShouldUploadToTlog(ctx, digest, force, ko.RekorURL) {
+		s = &icos.RekorSignerWrapper{
+			Inner:    s,
+			RekorURL: ko.RekorURL,
+		}
 	}
 	s = &icos.OCISignatureBuilder{
 		Inner: s,
@@ -247,14 +236,25 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 		DD:    dd,
 		Inner: s,
 	}
-	s = &icos.RemoteSignerWrapper{
-		SignatureRepo: digest.Repository,
-		RegOpts:       regOpts,
+	if upload {
+		s = &icos.RemoteSignerWrapper{
+			SignatureRepo: digest.Repository,
+			RegOpts:       regOpts,
 
-		Inner: s,
+			Inner: s,
+		}
+	}
+
+	results, err := s.Sign(ctx, req)
+	if err != nil {
+		return err
 	}
-	_, err = s.Sign(ctx, req)
-	return err
+
+	b64sig := base64.StdEncoding.EncodeToString(results.Signature)
+	if _, err := out.Write([]byte(b64sig)); err != nil {
+		return errors.Wrap(err, "write signature to file")
+	}
+	return nil
 }
 
 func signerFromSecurityKey(keySlot string) (*SignerVerifier, error) {

diff --git a/internal/pkg/cosign/sign.go b/internal/pkg/cosign/sign.go
@@ -51,14 +51,6 @@ type Signer interface {
 	Sign(context.Context, *SigningRequest) (*SigningResults, error)
 }
 
-// type NoOpSigner struct{}
-
-// func (NoOpSigner) Sign(_ context.Context, req *SigningRequest) (*SigningResults, error) {
-// 	return &SigningResults{
-// 		SignedEntity: req.SignedEntity,
-// 	}, nil
-// }
-
 type PayloadSigner struct {
 	PayloadSigner         signature.Signer
 	PayloadSignerOpts     []signature.SignOption
@@ -100,6 +92,8 @@ func (fs *FulcioSignerWrapper) Sign(ctx context.Context, req *SigningRequest) (*
 		return nil, err
 	}
 
+	// TODO(dekkagaijin): move the fulcio SignerVerififer logic here
+
 	results.Cert = fs.Cert
 	results.Chain = fs.Chain
 

diff --git a/internal/pkg/cosign/tlog.go b/internal/pkg/cosign/tlog.go
@@ -44,8 +44,7 @@ func bundle(entry *models.LogEntryAnon) *oci.Bundle {
 
 type tlogUploadFn func(*rekGenClient.Rekor, []byte) (*models.LogEntryAnon, error)
 
-func uploadToTlog(ctx context.Context, rekorBytes []byte, rekorURL string, upload tlogUploadFn) (*oci.Bundle, error) {
-
+func uploadToTlog(rekorBytes []byte, rekorURL string, upload tlogUploadFn) (*oci.Bundle, error) {
 	rekorClient, err := rekPkgClient.GetRekorClient(rekorURL)
 	if err != nil {
 		return nil, err
@@ -79,7 +78,7 @@ func (rs *RekorSignerWrapper) Sign(ctx context.Context, req *SigningRequest) (*S
 		}
 	}
 
-	bundle, err := uploadToTlog(ctx, rekorBytes, rs.RekorURL, func(r *rekGenClient.Rekor, b []byte) (*models.LogEntryAnon, error) {
+	bundle, err := uploadToTlog(rekorBytes, rs.RekorURL, func(r *rekGenClient.Rekor, b []byte) (*models.LogEntryAnon, error) {
 		return cosignv1.TLogUpload(ctx, r, results.Signature, results.SignedPayload, b)
 	})
 	if err != nil {