tsaclient is unnecessary for verifying (#2468)

Signed-off-by: Hector Fernandez <hector@chainguard.dev>

Signed-off-by: Hector Fernandez <hector@chainguard.dev>

cmd/cosign/cli/options/verify.go

@@ -22,17 +22,13 @@ import (
 type CommonVerifyOptions struct {
 	Offline          bool // Force offline verification
 	TSACertChainPath string
-	TSAServerURL     string
 	SkipTlogVerify   bool
 }
 
 func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVar(&o.Offline, "offline", false,
 		"only allow offline verification")
 
-	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
-		"url to a timestamp RFC3161 server, default none")
-
 	cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-cert-chain", "",
 		"path to certificate chain PEM file for the Timestamp Authority")
 

cmd/cosign/cli/verify.go

@@ -119,7 +119,6 @@ against the transparency log.`,
 				SignatureRef:                 o.SignatureRef,
 				LocalImage:                   o.LocalImage,
 				Offline:                      o.CommonVerifyOptions.Offline,
-				TSAServerURL:                 o.CommonVerifyOptions.TSAServerURL,
 				TSACertChainPath:             o.CommonVerifyOptions.TSACertChainPath,
 				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
 			}

cmd/cosign/cli/verify/verify.go

@@ -43,7 +43,6 @@ import (
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
-	tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
 )
 
 // VerifyCommand verifies a signature on a supplied container image
@@ -124,30 +123,24 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
 	}
 
-	if c.TSAServerURL != "" {
-		co.TSAClient, err = tsaclient.GetTimestampClient(c.TSAServerURL)
+	if c.TSACertChainPath != "" {
+		_, err := os.Stat(c.TSACertChainPath)
 		if err != nil {
-			return fmt.Errorf("failed to create TSA client: %w", err)
+			return fmt.Errorf("unable to open timestamp certificate chain file: %w", err)
 		}
-		if c.TSACertChainPath != "" {
-			_, err := os.Stat(c.TSACertChainPath)
-			if err != nil {
-				return fmt.Errorf("unable to open timestamp certificate chain file: %w", err)
-			}
-			// TODO: Add support for TUF certificates.
-			pemBytes, err := os.ReadFile(filepath.Clean(c.TSACertChainPath))
-			if err != nil {
-				return fmt.Errorf("error reading certification chain path file: %w", err)
-			}
-			// TODO: Update this logic once https://github.com/sigstore/timestamp-authority/issues/121 gets merged.
-			// This relies on untrusted leaf certificate.
-			tsaCertPool := x509.NewCertPool()
-			ok := tsaCertPool.AppendCertsFromPEM(pemBytes)
-			if !ok {
-				return fmt.Errorf("error parsing response into Timestamp while appending certs from PEM")
-			}
-			co.TSACerts = tsaCertPool
+		// TODO: Add support for TUF certificates.
+		pemBytes, err := os.ReadFile(filepath.Clean(c.TSACertChainPath))
+		if err != nil {
+			return fmt.Errorf("error reading certification chain path file: %w", err)
+		}
+		// TODO: Update this logic once https://github.com/sigstore/timestamp-authority/issues/121 gets merged.
+		// This relies on untrusted leaf certificate.
+		tsaCertPool := x509.NewCertPool()
+		ok := tsaCertPool.AppendCertsFromPEM(pemBytes)
+		if !ok {
+			return fmt.Errorf("error parsing response into Timestamp while appending certs from PEM")
 		}
+		co.TSACerts = tsaCertPool
 	}
 
 	if keylessVerification(c.KeyRef, c.Sk) {

pkg/cosign/verify.go

@@ -56,7 +56,6 @@ import (
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
-	tsaclient "github.com/sigstore/timestamp-authority/pkg/generated/client"
 	tsaverification "github.com/sigstore/timestamp-authority/pkg/verification"
 )
 
@@ -128,9 +127,6 @@ type CheckOpts struct {
 	// Force offline verification of the signature
 	Offline bool
 
-	// TSAClient, if set, is used to verify signatures using a RFC3161 time-stamping server.
-	TSAClient *tsaclient.TimestampAuthority
-
 	// TSACerts are the intermediate CA certs used to verify a time-stamping data.
 	TSACerts *x509.CertPool
 
@@ -686,8 +682,8 @@ func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash,
 			return bundleVerified, err
 		}
 	}
-	if co.TSAClient != nil {
-		bundleVerified, err = VerifyTSABundle(ctx, sig, co.TSAClient, co.TSACerts)
+	if co.TSACerts != nil {
+		bundleVerified, err = VerifyTSABundle(ctx, sig, co.TSACerts)
 		if err != nil {
 			return false, fmt.Errorf("unable to verify TSA bundle: %w", err)
 		}
@@ -949,7 +945,7 @@ func VerifyBundle(ctx context.Context, sig oci.Signature, rekorClient *client.Re
 	return true, nil
 }
 
-func VerifyTSABundle(ctx context.Context, sig oci.Signature, tsaClient *tsaclient.TimestampAuthority, tsaCerts *x509.CertPool) (bool, error) {
+func VerifyTSABundle(ctx context.Context, sig oci.Signature, tsaCerts *x509.CertPool) (bool, error) {
 	bundle, err := sig.TSABundle()
 	if err != nil {
 		return false, err

pkg/cosign/verify_test.go

@@ -462,7 +462,6 @@ func TestVerifyImageSignatureWithSigVerifierAndTSA(t *testing.T) {
 	}
 	if bundleVerified, err := VerifyImageSignature(context.TODO(), sig, v1.Hash{}, &CheckOpts{
 		SigVerifier:    sv,
-		TSAClient:      client,
 		TSACerts:       tsaCertPool,
 		SkipTlogVerify: true,
 	}); err != nil || !bundleVerified {
@@ -514,7 +513,6 @@ func TestVerifyImageSignatureWithSigVerifierAndRekorTSA(t *testing.T) {
 	}
 	if _, err := VerifyImageSignature(context.TODO(), sig, v1.Hash{}, &CheckOpts{
 		SigVerifier: sv,
-		TSAClient:   client,
 		TSACerts:    tsaCertPool,
 		RekorClient: mClient,
 	}); err == nil || !strings.Contains(err.Error(), "verifying inclusion proof") {