continued sign refacc #1098
continued sign refacc #1098
Conversation
dekkagaijin
force-pushed
the
sign-refacc
branch
7 times, most recently
from
ab9569d to
153228d
Compare
internal/pkg/cosign/sign.go
Outdated
| type SigningResults struct { | ||
| SignedPayload []byte | ||
| Signature []byte | ||
| Pub crypto.PublicKey | ||
| Cert, Chain []byte | ||
| Bundle *oci.Bundle | ||
|
|
||
| OCISignature oci.Signature | ||
| SignedEntity oci.SignedEntity | ||
| } |
There was a problem hiding this comment.
The SignedEntity is what's passed in, and virtually all of the stuff on top is accessible from the oci.Signature, so I think the result should just be oci.Signature.
There was a problem hiding this comment.
So it seems like this result struct is built up across multiple implementations that must be composed a particular way to work, which isn't really the goal of composition. 🤔
Given the pieces I'm seeing I think the interface should just be:
type Signer interface {
Sign(ctx context.Context, payload []byte) (oci.Signature, error)
}There was a problem hiding this comment.
roger. The only thing not captured by oci.Signature was the signature's public key
internal/pkg/cosign/sign.go
Outdated
| // Attach the signature to the entity. | ||
| newSE, err := mutate.AttachSignatureToEntity(results.SignedEntity, results.OCISignature, mutate.WithDupeDetector(sa.DD)) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| results.SignedEntity = newSE |
There was a problem hiding this comment.
Don't conflate signing with mutating the signed entity to carry that signature. The signer should just sign, let the caller worry about this.
internal/pkg/cosign/sign.go
Outdated
| return &SigningResults{ | ||
| Signature: sig, | ||
| SignedPayload: req.SignaturePayload, | ||
| SignedEntity: req.SignedEntity, |
There was a problem hiding this comment.
This seems to be the only use of req.SignedEntity. What are our expectations of the Payload?
There was a problem hiding this comment.
I was thinking a prior step might want to modify the req.SignedEntity, which is immutable, so I wanted to return the actual Entity in the results.
Our expectations for payload are to be able to upload it to Rekor, but we can get that from the oci.Signature
cmd/cosign/cli/sign/sign.go
Outdated
| if err != nil { | ||
| return nil, errors.Wrap(err, "getting key from Fulcio") |
There was a problem hiding this comment.
This saves ~3 LoC and is less clear, I'd revert.
If you want to save 2 LoC without losing clarity, you can fold the call into the if:
if k, err = fulcio.NewSigner(...); err != nil {
return nil, errors.Wrap(err, "getting key from Fulcio")
}There was a problem hiding this comment.
Also, I would expect that ultimately the bonus logic in fulcioverifier just becomes yet-another composition of the Signer interface.
There was a problem hiding this comment.
right, already have a TODO for it
pkg/oci/remote/write.go
Outdated
| @@ -74,7 +74,7 @@ func WriteSignedImageIndexImages(ref name.Reference, sii oci.SignedImageIndex, o | |||
| func WriteSignatures(repo name.Repository, se oci.SignedEntity, opts ...Option) error { | |||
| o := makeOptions(repo, opts...) | |||
|
|
|||
| // Access the signature list to publish | |||
| // Access the signature list to published | |||
There was a problem hiding this comment.
this is an incorrect correction
dekkagaijin
force-pushed
the
sign-refacc
branch
3 times, most recently
from
e47eec1 to
4c135b6
Compare
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
dekkagaijin
force-pushed
the
sign-refacc
branch
from
4c135b6 to
a99d528
Compare
There was a problem hiding this comment.
I like the interface a lot more. Left a few comments inline, but at a high level:
- Can we shuffle the package structure around so that implementations generally live in their own packages with private types and public ctors in terms of the interface?
- As I was building up
ociI was trying to ensure fairly high coverage as I went, and it should now be fairly high. Can we try to do the same here?
| ) | ||
|
|
||
| type Signer interface { | ||
| Sign(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error) |
There was a problem hiding this comment.
Isn't the public key available from the oci.Signature?
There was a problem hiding this comment.
nope ¯\(ツ)/¯
It's not stored in the registry, so that makes sense.
There was a problem hiding this comment.
What are callers consuming it to do today?
| signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" | ||
| ) | ||
|
|
||
| type Signer interface { |
There was a problem hiding this comment.
This is where you really want good comments documenting the expectations.
There was a problem hiding this comment.
I like the interface a lot more. Left a few comments inline, but at a high level:
- Can we shuffle the package structure around so that implementations generally live in their own packages with private types and public ctors in terms of the interface?
yed
- As I was building up
ociI was trying to ensure fairly high coverage as I went, and it should now be fairly high. Can we try to do the same here?
Will do, but I'd like to have the package structure stable before I go implementing all the accoutrements for testing
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
Signed-off-by: Jake Sanders <jsand@google.com>
internal/pkg/cosign/fulcio/fulcio.go
Outdated
| // the resulting `Cert` and `Chain`, which are added to the returned `oci.Signature` | ||
| type FulcioSignerWrapper struct { | ||
| Inner Signer | ||
| type SignerWrapper struct { |
internal/pkg/cosign/fulcio/fulcio.go
Outdated
| @@ -77,3 +78,12 @@ func (fs *FulcioSignerWrapper) Sign(ctx context.Context, payload io.Reader) (oci | |||
|
|
|||
| return newSig, pub, nil | |||
| } | |||
|
|
|||
| // NewSigner returns a *SignerWrapper which signs and uploads the given payload to Fulcio. | |||
| func NewSigner(inner cosign.Signer, cert, chain []byte) *SignerWrapper { | |||
internal/pkg/cosign/fulcio/fulcio.go
Outdated
| @@ -77,3 +78,12 @@ func (fs *FulcioSignerWrapper) Sign(ctx context.Context, payload io.Reader) (oci | |||
|
|
|||
| return newSig, pub, nil | |||
| } | |||
|
|
|||
| // NewSigner returns a *SignerWrapper which signs and uploads the given payload to Fulcio. | |||
There was a problem hiding this comment.
This comment could use work :)
There was a problem hiding this comment.
your FACE could use work
| sig, pub, err := fs.Inner.Sign(ctx, payload) | ||
| // Sign implements `cosign.Signer` | ||
| func (fs *SignerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error) { | ||
| sig, pub, err := fs.inner.Sign(ctx, payload) |
There was a problem hiding this comment.
I don't really grok why this is wrapping any Signer instead of having a specific Signer implementation embedded here. Can this truly be composed with other Signer implementations arbitrarily? What other compositions make sense?
There was a problem hiding this comment.
not quite arbitrarily but we made the Signer abstraction for a reason. I think noting the requirements for our public instance in comments would be a legitimate way of documenting them (vs. using the type system)
cmd/cosign/cli/sign/sign.go
Outdated
| @@ -212,16 +214,9 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO | |||
| s = &icos.PayloadSigner{ | |||
There was a problem hiding this comment.
I'd move the payload signer as well.
Signed-off-by: Jake Sanders <jsand@google.com>
dekkagaijin
force-pushed
the
sign-refacc
branch
from
dce5922 to
5116c1e
Compare
| return nil | ||
| var s icos.Signer | ||
| s = ipayload.NewSigner(sv, nil, nil) | ||
| s = ifulcio.NewSigner(s, sv.Cert, sv.Chain) |
There was a problem hiding this comment.
A few things about this line don't sit right with me:
- Shouldn't it be predicated on some condition?
- I still don't like the fact that the fulcio Signer wraps another random Signer where we have zero visibility into what it does. I think the reality here is that the payload Signer is doing the fulcio signing, and the fulcio Signer is just decorating the resulting oci.Signature to match. I think this is a fragile composition, and I think I'd rather see payload's Signer be a hidden implementation detail of a fulcio Signer than allow arbitrary composition here.
There was a problem hiding this comment.
yes :p
"TODO:"
"* move over fulcio operations as well"
This continues to refactor signing operations re: #844 and #931
TODO: