
Add option to verify local image #1159

Merged: 1 commit merged into sigstore:main on Dec 8, 2021

Conversation

haydentherapper (Contributor):

This builds on the previous work to support saving an image and its signature for airgapped environments. This adds a flag, --local-image, to verify a signed image from disk.

Example:

cosign save us-west1-docker.pkg.dev/project/docker-repo/image:tag1 --dir .
cosign verify --key cosign.pub --local-image . --verbose

With --verbose, we see no network calls.

Ref #1015

Release Note

Add `cosign verify --local-image path` for verifying signed images from disk

@haydentherapper (Contributor, Author):

cc @priyawadhwa

@haydentherapper force-pushed the verify-from-path branch 2 times, most recently from b22f444 to df43b65 on December 8, 2021 00:09
@haydentherapper (Contributor, Author):

cc @dlorenc - FYI, this should allow for offline verification too

@dlorenc (Member) commented Dec 8, 2021:

Amazing!!!

cc @jonjohnsonjr

return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
}
if c.LocalImage {
verified, bundleVerified, err := cosign.VerifyLocalImageSignatures(ctx, img, co)
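Review bot: in this hunk `img` is a filesystem path when `c.LocalImage` is set (the PR's own example passes `.` as the image argument), yet the attachment-type resolution and its error message `"resolving attachment type %s for image %s"` on the line above run before the local branch is taken and still describe the argument as an image. Consider moving the attachment resolution into the remote path, or at least giving the local branch its own error wrapping that names the path, so a failure on an on-disk verification does not report a registry-style image reference.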
Contributor:

A single directory can contain multiple images -- I'd consider making LocalImage a string that points to the path instead of a bool and use img to address the image within that path.

The UX here gets a little funky -- for a directory with a single image, you probably want to just default to it and not require users to pass it as an arg as well.

@priyawadhwa might have some ideas here.
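The "which image in the directory" question raised in the comment above, as an added example that is not part of this PR or of cosign's code base: a selector over a standard OCI image-layout `index.json` that defaults to the only entry, requires an explicit reference when several are present, and fails closed when a reference is missing or ambiguous. The index contents, digests and reference names below are constructed placeholders, and the assumption that the on-disk directory is an OCI image layout is mine; this page does not describe cosign's actual save format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// refNameAnnotation is the OCI image-layout annotation that tags an index entry
// with the reference (e.g. "registry/repo:tag") it was saved as.
const refNameAnnotation = "org.opencontainers.image.ref.name"

// descriptor is the subset of an OCI content descriptor needed here.
type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// imageIndex is the subset of an OCI image index (index.json) needed here.
type imageIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	Manifests     []descriptor `json:"manifests"`
}

// selectManifest picks the manifest to verify from an OCI layout index.
// With an empty ref it defaults to the sole entry and refuses to guess when
// there are several; with a ref it requires exactly one match. Callers should
// key verification on the returned digest, not on the ref name: the annotation
// is untrusted metadata that whoever wrote the directory controls.
func selectManifest(indexJSON []byte, ref string) (descriptor, error) {
	var idx imageIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return descriptor{}, fmt.Errorf("parsing index.json: %w", err)
	}
	if len(idx.Manifests) == 0 {
		return descriptor{}, errors.New("index.json lists no manifests")
	}
	if ref == "" {
		if len(idx.Manifests) == 1 {
			return idx.Manifests[0], nil
		}
		return descriptor{}, fmt.Errorf("index.json lists %d manifests; pass the image reference to select one", len(idx.Manifests))
	}
	var matches []descriptor
	for _, m := range idx.Manifests {
		if m.Annotations[refNameAnnotation] == ref { // nil map read is safe in Go
			matches = append(matches, m)
		}
	}
	switch len(matches) {
	case 1:
		return matches[0], nil
	case 0:
		return descriptor{}, fmt.Errorf("no manifest in index.json carries ref %q", ref)
	default:
		return descriptor{}, fmt.Errorf("%d manifests in index.json carry ref %q; refusing to pick one", len(matches), ref)
	}
}

// Constructed sample indexes (not produced by cosign); digests are placeholders.
var singleImageIndex = []byte(`{
  "schemaVersion": 2,
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
     "size": 1234,
     "annotations": {"org.opencontainers.image.ref.name": "registry.example/app:v1"}}
  ]
}`)

var multiImageIndex = []byte(`{
  "schemaVersion": 2,
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
     "size": 1234,
     "annotations": {"org.opencontainers.image.ref.name": "registry.example/app:v1"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
     "size": 5678,
     "annotations": {"org.opencontainers.image.ref.name": "registry.example/app:v2"}}
  ]
}`)

func main() {
	cases := []struct {
		name  string
		index []byte
		ref   string
	}{
		{"single, no ref", singleImageIndex, ""},
		{"multi, no ref", multiImageIndex, ""},
		{"multi, v2", multiImageIndex, "registry.example/app:v2"},
		{"multi, unknown", multiImageIndex, "registry.example/app:v9"},
	}
	for _, tc := range cases {
		d, err := selectManifest(tc.index, tc.ref)
		if err != nil {
			fmt.Printf("%-16s -> error: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-16s -> verify %s\n", tc.name, d.Digest)
	}
}
```

The selector only decides which digest to hand to signature verification; it deliberately returns an error rather than a best guess for the multi-image and ambiguous cases, because silently verifying the wrong entry would let an attacker who can write the directory steer verification to an image they did sign.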

Contributor:

I think we overwrite the directory every time we run cosign save, so only a single image should be allowed at the moment -- eventually, if we add support for multiple images in a directory, then we'll need to figure out what the UX would look like.

Contributor Author:

Thanks for pointing this out! I agree that since we don't support persisting multiple images in a single directory, this shouldn't be an issue for now.

For the future, I like the approach of specifying the image along with the path by flag.

@priyawadhwa (Contributor) left a comment:

nice, this looks great!

This builds on the previous work to support saving an image and
its signature for airgapped environments. This adds a flag,
--local-image, to verify a persisted image using the on-disk sig.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@priyawadhwa (Contributor) left a comment:

lgtm!

@dlorenc dlorenc merged commit 10b7f9d into sigstore:main Dec 8, 2021
@github-actions github-actions bot added this to the v1.4.1 milestone Dec 8, 2021