diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
index 0a24e23c725..e6f9277b92c 100644
--- a/cmd/cosign/cli/options/verify.go
+++ b/cmd/cosign/cli/options/verify.go
@@ -22,7 +22,6 @@ import (
 type CommonVerifyOptions struct {
 Offline bool // Force offline verification
 TSACertChainPath string
- TSAServerURL string
 SkipTlogVerify bool
 }
 
@@ -30,9 +29,6 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.Offline, "offline", false,
 "only allow offline verification")
 
- cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
- "url to a timestamp RFC3161 server, default none")
-
 cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-cert-chain", "",
 "path to certificate chain PEM file for the Timestamp Authority")
 
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
index 97fc84978f5..3ca3dd44d1f 100644
--- a/cmd/cosign/cli/verify.go
+++ b/cmd/cosign/cli/verify.go
@@ -119,7 +119,6 @@ against the transparency log.`,
 SignatureRef: o.SignatureRef,
 LocalImage: o.LocalImage,
 Offline: o.CommonVerifyOptions.Offline,
- TSAServerURL: o.CommonVerifyOptions.TSAServerURL,
 TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath,
 SkipTlogVerify: o.CommonVerifyOptions.SkipTlogVerify,
 }
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index f23af02348a..84570e55898 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -43,7 +43,6 @@ import (
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/sigstore/sigstore/pkg/signature/payload"
- tsaclient "github.com/sigstore/timestamp-authority/pkg/client"
 )
 
 // VerifyCommand verifies a signature on a supplied container image
@@ -124,30 +123,24 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 co.ClaimVerifier = cosign.SimpleClaimVerifier
 }
 
- if c.TSAServerURL != "" {
- co.TSAClient, err = tsaclient.GetTimestampClient(c.TSAServerURL)
+ if c.TSACertChainPath != "" {
+ _, err := os.Stat(c.TSACertChainPath)
 if err != nil {
- return fmt.Errorf("failed to create TSA client: %w", err)
+ return fmt.Errorf("unable to open timestamp certificate chain file: %w", err)
 }
- if c.TSACertChainPath != "" {
- _, err := os.Stat(c.TSACertChainPath)
- if err != nil {
- return fmt.Errorf("unable to open timestamp certificate chain file: %w", err)
- }
- // TODO: Add support for TUF certificates.
- pemBytes, err := os.ReadFile(filepath.Clean(c.TSACertChainPath))
- if err != nil {
- return fmt.Errorf("error reading certification chain path file: %w", err)
- }
- // TODO: Update this logic once https://github.com/sigstore/timestamp-authority/issues/121 gets merged.
- // This relies on untrusted leaf certificate.
- tsaCertPool := x509.NewCertPool()
- ok := tsaCertPool.AppendCertsFromPEM(pemBytes)
- if !ok {
- return fmt.Errorf("error parsing response into Timestamp while appending certs from PEM")
- }
- co.TSACerts = tsaCertPool
+ // TODO: Add support for TUF certificates.
+ pemBytes, err := os.ReadFile(filepath.Clean(c.TSACertChainPath))
+ if err != nil {
+ return fmt.Errorf("error reading certification chain path file: %w", err)
+ }
+ // TODO: Update this logic once https://github.com/sigstore/timestamp-authority/issues/121 gets merged.
+ // This relies on untrusted leaf certificate.
+ tsaCertPool := x509.NewCertPool()
+ ok := tsaCertPool.AppendCertsFromPEM(pemBytes)
+ if !ok {
+ return fmt.Errorf("error parsing response into Timestamp while appending certs from PEM")
 }
+ co.TSACerts = tsaCertPool
 }
 
 if keylessVerification(c.KeyRef, c.Sk) {
diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
index 8d1974cc61c..14a47c5bfec 100644
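Review bot: The error returned when `AppendCertsFromPEM` yields false, `error parsing response into Timestamp while appending certs from PEM`, describes a TSA response rather than the file read two lines earlier, so a user who passes a malformed `--timestamp-cert-chain` gets a misleading message; suggest `return fmt.Errorf("no certificates parsed from timestamp certificate chain file %q", c.TSACertChainPath)`. `AppendCertsFromPEM` also reports true as soon as any one block parses, so a chain file with one good certificate and several corrupt ones passes this check silently, which the retained comment `// This relies on untrusted leaf certificate.` should mention if that is intended. The `os.Stat` before `os.ReadFile` is redundant, since `ReadFile` surfaces the same `*os.PathError`, and the separate check only widens the window between checking and reading the file. The body of `Exec` continues outside the hunk.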
--- a/doc/cosign_dockerfile_verify.md
+++ b/doc/cosign_dockerfile_verify.md
@@ -84,7 +84,6 @@ cosign dockerfile verify [flags]
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-cert-chain string path to certificate chain PEM file for the Timestamp Authority
- --timestamp-server-url string url to a timestamp RFC3161 server, default none
 ```
 
 ### Options inherited from parent commands
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
index 0c051a3c141..dc1fe37c696 100644
--- a/doc/cosign_manifest_verify.md
+++ b/doc/cosign_manifest_verify.md
@@ -78,7 +78,6 @@ cosign manifest verify [flags]
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-cert-chain string path to certificate chain PEM file for the Timestamp Authority
- --timestamp-server-url string url to a timestamp RFC3161 server, default none
 ```
 
 ### Options inherited from parent commands
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
index a07bcade0da..616c43781a1 100644
--- a/doc/cosign_verify-attestation.md
+++ b/doc/cosign_verify-attestation.md
@@ -84,7 +84,6 @@ cosign verify-attestation [flags]
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-cert-chain string path to certificate chain PEM file for the Timestamp Authority
- --timestamp-server-url string url to a timestamp RFC3161 server, default none
 --type string specify a predicate type (slsaprovenance|link|spdx|spdxjson|cyclonedx|vuln|custom) or an URI (default "custom")
 ```
 
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
index 8915299fe46..32cc60e2ebb 100644
--- a/doc/cosign_verify-blob.md
+++ b/doc/cosign_verify-blob.md
@@ -84,7 +84,6 @@ cosign verify-blob [flags]
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-cert-chain string path to certificate chain PEM file for the Timestamp Authority
- --timestamp-server-url string url to a timestamp RFC3161 server, default none
 ```
 
 ### Options inherited from parent commands
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
index 4a87a16afaf..ae63263554b 100644
--- a/doc/cosign_verify.md
+++ b/doc/cosign_verify.md
@@ -94,7 +94,6 @@ cosign verify [flags]
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-cert-chain string path to certificate chain PEM file for the Timestamp Authority
- --timestamp-server-url string url to a timestamp RFC3161 server, default none
 ```
 
 ### Options inherited from parent commands
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 1a6f02cdbed..c4542b976e9 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -56,7 +56,6 @@ import (
 "github.com/sigstore/sigstore/pkg/signature/dsse"
 "github.com/sigstore/sigstore/pkg/signature/options"
 sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
- tsaclient "github.com/sigstore/timestamp-authority/pkg/generated/client"
 tsaverification "github.com/sigstore/timestamp-authority/pkg/verification"
 )
 
@@ -128,9 +127,6 @@ type CheckOpts struct {
 // Force offline verification of the signature
 Offline bool
 
- // TSAClient, if set, is used to verify signatures using a RFC3161 time-stamping server.
- TSAClient *tsaclient.TimestampAuthority
-
 // TSACerts are the intermediate CA certs used to verify a time-stamping data.
 TSACerts *x509.CertPool
 
@@ -686,8 +682,8 @@ func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash,
 return bundleVerified, err
 }
 }
- if co.TSAClient != nil {
- bundleVerified, err = VerifyTSABundle(ctx, sig, co.TSAClient, co.TSACerts)
+ if co.TSACerts != nil {
+ bundleVerified, err = VerifyTSABundle(ctx, sig, co.TSACerts)
 if err != nil {
 return false, fmt.Errorf("unable to verify TSA bundle: %w", err)
 }
@@ -949,7 +945,7 @@ func VerifyBundle(ctx context.Context, sig oci.Signature, rekorClient *client.Re
 return true, nil
 }
 
-func VerifyTSABundle(ctx context.Context, sig oci.Signature, tsaClient *tsaclient.TimestampAuthority, tsaCerts *x509.CertPool) (bool, error) {
+func VerifyTSABundle(ctx context.Context, sig oci.Signature, tsaCerts *x509.CertPool) (bool, error) {
 bundle, err := sig.TSABundle()
 if err != nil {
 return false, err
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index 654d5618c3e..0843256f40a 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -462,7 +462,6 @@ func TestVerifyImageSignatureWithSigVerifierAndTSA(t *testing.T) {
 }
 if bundleVerified, err := VerifyImageSignature(context.TODO(), sig, v1.Hash{}, &CheckOpts{
 SigVerifier: sv,
- TSAClient: client,
 TSACerts: tsaCertPool,
 SkipTlogVerify: true,
 }); err != nil || !bundleVerified {
@@ -514,7 +513,6 @@ func TestVerifyImageSignatureWithSigVerifierAndRekorTSA(t *testing.T) {
 }
 if _, err := VerifyImageSignature(context.TODO(), sig, v1.Hash{}, &CheckOpts{
 SigVerifier: sv,
- TSAClient: client,
 TSACerts: tsaCertPool,
 RekorClient: mClient,
 }); err == nil || !strings.Contains(err.Error(), "verifying inclusion proof") {
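Review bot: The `TSACerts` doc comment is now out of date: with `TSAClient` gone, `verifyInternal` (the next hunk in this file) gates `VerifyTSABundle` on `co.TSACerts != nil`, so setting the pool is what turns timestamp verification on, yet the comment still describes it only as `the intermediate CA certs used to verify a time-stamping data`. Suggest `// TSACerts, if set, enables verification of RFC3161 timestamp bundles and holds the CA certificates the timestamp authority's signing certificate must chain to.` A caller that builds an empty `x509.NewCertPool()` still satisfies the non-nil gate, so verification then runs against an empty trust root; that is presumably a hard failure rather than a skip and is worth stating in the comment. The `CheckOpts` struct continues outside the hunk.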
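Review bot: `VerifyTSABundle` is exported but carries no doc comment, and this signature change, which makes `tsaCerts` its only trust input, is the moment to add one. Suggest a comment starting `// VerifyTSABundle verifies the RFC3161 timestamp bundle attached to sig against the trust roots in tsaCerts.` and then spelling out, from the body (which lies outside this hunk), what the boolean means when the signature carries no bundle, since `verifyInternal` now propagates that value as `bundleVerified`. The same comment should state whether `ctx` is still consulted now that no network client is involved; the visible lines do not use it.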