refactor: share logic between verify-blob, verify, and verify-attestation

[asraa]

Signed-off-by: Asra Ali asraa@google.com

• Cleanup: Unifies the logic around blob verification and OCI
• Cleanup: Updates the OCI logic to check for the timestamp using the bundle (@hectorj2f you can also add a condition to replace validityTime with the TSA)
• Security: Fixes an issue at HEAD: with COSIGN_EXPERIMENTAL removed, OCI validation succeeds when there is no bundle provided in offline mode, EVEN IF the certificate was expired (basically we skip the cert expiration check if there is no call to Rekor or a bundle).

Follow-ups:

• Fix the security issue when using TSA

Summary

Release Note

Documentation

[asraa]

Going to just move the blob verifies to the package. That will further simplify.

[hectorj2f]

@asraa I opened a PR adding support for the blob verification for TSA and/or Rekor here: #2464

[asraa]

@asraa I opened a PR adding support for the blob verification for TSA and/or Rekor here: #2464

The signing makes sense, but can we use this refactored shared logic for verification?

[hectorj2f]

These changes look good to me.

but can we use this refactored shared logic for verification?

This depends on our choice for blob signing. If we choose to generate two bundles. How do we expect the verification to work ?

[asraa]

If we choose to generate two bundles. How do we expect the verification to work ?

I think the same as OCI. Here's a flow:

1. Verify the cryptographic signature on the artifact using the public key verifier
2. If a Rekor bundle is provided or required, verify it and extract the integrated time.
3. If a TSA bundle is provided or requried, verify it and extract the TSA time. This will take precedence over the Rekor time (since it's verifiable)
4. If a certificate is used, check the certificate against the time (either Rekor or TSA, but TSA if both are provided)

[hectorj2f]

Okay, let's get these changes in main.

[asraa]

Just updated to fix the tests. I had to do two things:

• OCI does not compare certificates/pubkeys in the bundle, so our blob tests doing that with a tampered bundle don't fail as expected
• Another tests fails because of verification doesn't REQUIRE a TLOG check if it's not needed (i.e. for public keys). I can change that. Please let me know.

[hectorj2f]

@asraa Please, rebase your branch. I have added some changes to use a flag skip-tlog-verify as proposed. It also supports both validations tsa and rekor. Let me know if you find any issue so I can help.

[asraa]

SG, just fixed the public key comparisons for OCI as well.

[asraa]

@hectorj2f @priyawadhwa @znewman01 @kpk47 i would appreciate a review!

Some of the verification logic is now clobbered with a few PRs merged into main, and I will put out a follow-up & more tests (particularly: if you skip TLOG verify and use a TSA you also end up skipping the short-lived expiry validation now)

[haydentherapper]

Most of these tests set the experimental flag, but we've begun to remove it - should we remove it from the tests too? (Separate refactor prolly)

[asraa]

Yeah, I'll add in a separate PR: it actually does nothing now :)

[hectorj2f]

LGTM, we have simplified the verification logic a lot.

[codecov-commenter]

Codecov Report

Merging #2461 (c21521d) into main (ba5997b) will decrease coverage by 0.64%.
The diff coverage is 35.77%.

@@            Coverage Diff             @@
##             main    #2461      +/-   ##
==========================================
- Coverage   30.96%   30.32%   -0.65%     
==========================================
  Files         139      139              
  Lines        8635     8475     -160     
==========================================
- Hits         2674     2570     -104     
+ Misses       5600     5552      -48     
+ Partials      361      353       -8     

Impacted Files	Coverage Δ
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/sign/sign.go	15.46% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go	19.48% <0.00%> (+1.33%)	⬆️
pkg/cosign/verify.go	36.20% <28.36%> (+0.09%)	⬆️
cmd/cosign/cli/verify/verify_blob.go	50.77% <55.88%> (-2.13%)	⬇️
cmd/cosign/cli/sign.go	0.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[znewman01]

(I owe you a more detailed pass, just a couple things that jumped out at first)

[znewman01]

Should this be != 1?

Oh, I guess not because BundlePath isn't really a full "bundle" yet. That's annoying.

[asraa]

Yeahhhh. This is super annoying because in sign-blob, you can produce a bundle path (to store the sig) INDEPENDENT of the tlog upload. If you don't upload to the tlog, then the bundle will ONLY contain the signature (and NOT the public key).

This was tested in the e2e tests... so I had to modify this. Basically: in some cases you legit pass in a --key AND a --bundle that stores the signature.

[znewman01]

Does this mean that if we pass a chain, we automatically trust it?

That feels wrong to me.

[haydentherapper]

Before the refactoring, this was a way to pass in a chain as an alternative to fetching from the TUF root. Without a chain, we'd default to the TUF metadata, otherwise we'd use the chain passed in.

One bit of feedback is there's a lot of places we're checking chain != nil or c.CertChain != "", so it's a little hard to quickly see exactly where we're getting the trust root from.

[haydentherapper]

To Zack's point, there are three ways you could pass a root in (this is also all applicable to intermediates):

• SIGSTORE_ROOT_FILE, which will get read in in fulcio.GetRoots
• tuf (either the sigstore tuf root or a self-hosted one), read in in fulcio.GetRoots
• Passing in the cert chain here

I'm not opposed if we want to force the user to set SIGSTORE_ROOT_FILE, as this supports both roots and intermediates (added in #1749). I don't recall why this was added this way - likely just a product of iterative development and some overlapping features haha.

That said, I'm also not opposed to supporting the chain flag too. It really is no different than SIGSTORE_ROOT_FILE, but if it makes things easier, we could drop it. Just wanna make sure we don't lose any supported features.

[asraa]

Yeah: this is because in the BLOB case you pass in the cert chain, so you DO trust it "out of band".
In the OCI case, the cert chain is provided on the registry. This was the only way I could get parity on the behavior. the cert chain passed here does represent the full trust chain.

[asraa]

One bit of feedback is there's a lot of places we're checking chain != nil or c.CertChain != "", so it's a little hard to quickly see exactly where we're getting the trust root from.

Just realized you mentioned this so I went and checked. There's only one place that c.CertChain is used, and that's to populated chain -- after that everything is populated from chain. Cleaned that up.

If we treat --cert-chain as a separate option rather than checking when --certificate is provided OR if --bundle is provided, I just check independently once. Then I add as the annotation when a certificate is used (whether populated from --certificate or --bundle)

[asraa]

LMK if there's anything else here, or we can resolve.

[znewman01]

Filed #2472 as a follow up

[haydentherapper]

What happens if chain is not set, in the case of using the default TUF chain here? chainPEM will not be set, is that an issue?

[haydentherapper]

Hm, in

cosign/pkg/cosign/verify.go

Line 644 in 0827726

if len(chain) > 0 {

, it's fine if the chain isn't set because we set the checkopts later. But TBH, I forget why this code was there, to read in the intermediates from the chain

[haydentherapper]

I think the purpose was that the roots were loading in earlier, and if you have an intermediate in your chain, we'd automatically populate an intermediate pool. Had to review 7402eb4 where I added this

[haydentherapper]

I bet this was added originally because we didn't have the intermediate in the TUF root, so the idea was that we'd fetch the intermediate from the chain automatically (and we treated the intermediate as "untrusted", just a part of chain building)

(Note to myself, write better PR messages)

[asraa]

I think the purpose was that the roots were loading in earlier, and if you have an intermediate in your chain, we'd automatically populate an intermediate pool. Had to review 7402eb4 where I added this

Exactly. Before we actually reset intermediates, but in using blobs, we actually wanted to preserve the TUF roots that were populated already.

[asraa]

@haydentherapper @znewman01 lemme know if you have time to do another pass! since it's working around the verification logic, would love to have it in. I have a follow-up issue on cleaning up the verification main method.