sigstore · dekkagaijin · Sep 17, 2021 · Sep 16, 2021 · Sep 17, 2021 · Sep 17, 2021
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
@@ -39,6 +39,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier"
+	"github.com/sigstore/cosign/internal/oci"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
@@ -378,13 +379,13 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts RegistryOpts, annotations
 	return nil
 }
 
-func bundle(entry *models.LogEntryAnon) *cremote.Bundle {
+func bundle(entry *models.LogEntryAnon) *oci.Bundle {
 	if entry.Verification == nil {
 		return nil
 	}
-	return &cremote.Bundle{
+	return &oci.Bundle{
 		SignedEntryTimestamp: entry.Verification.SignedEntryTimestamp,
-		Payload: cremote.BundlePayload{
+		Payload: oci.BundlePayload{
 			Body:           entry.Body,
 			IntegratedTime: *entry.IntegratedTime,
 			LogIndex:       *entry.LogIndex,

diff --git a/internal/oci/remote/remote.go b/internal/oci/remote/remote.go
@@ -0,0 +1,134 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package remote
+
+import (
+	"bytes"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/cosign/internal/oci"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+)
+
+const (
+	sigkey   = "dev.cosignproject.cosign/signature"
+	certkey  = "dev.sigstore.cosign/certificate"
+	chainkey = "dev.sigstore.cosign/chain"
+)
+
+// Signatures fetches the signatures image represented by the named reference.
+func Signatures(ref name.Reference, opts ...remote.Option) (oci.Signatures, error) {
+	img, err := remote.Image(ref, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &sigs{
+		Image: img,
+	}, nil
+}
+
+type sigs struct {
+	v1.Image
+}
+
+var _ oci.Signatures = (*sigs)(nil)
+
+// Get implements oci.Signatures
+func (s *sigs) Get() ([]oci.Signature, error) {
+	m, err := s.Manifest()
+	if err != nil {
+		return nil, err
+	}
+	signatures := make([]oci.Signature, 0, len(m.Layers))
+	for _, desc := range m.Layers {
+		signatures = append(signatures, &sigLayer{
+			img:  s,
+			desc: desc,
+		})
+	}
+	return signatures, nil
+}
+
+type sigLayer struct {
+	img  *sigs
+	desc v1.Descriptor
+}
+
+var _ oci.Signature = (*sigLayer)(nil)
+
+// Payload implements oci.Signature
+func (s *sigLayer) Payload() ([]byte, error) {
+	l, err := s.img.LayerByDigest(s.desc.Digest)
+	if err != nil {
+		return nil, err
+	}
+
+	// Compressed is a misnomer here, we just want the raw bytes from the registry.
+	r, err := l.Compressed()
+	if err != nil {
+		return nil, err
+	}
+	payload, err := ioutil.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+	return payload, nil
+}
+
+// Base64Signature implements oci.Signature
+func (s *sigLayer) Base64Signature() (string, error) {
+	b64sig, ok := s.desc.Annotations[sigkey]
+	if !ok {
+		return "", fmt.Errorf("signature layer %s is missing %q annotation", s.desc.Digest, sigkey)
+	}
+	return b64sig, nil
+}
+
+// Cert implements oci.Signature
+func (s *sigLayer) Cert() (*x509.Certificate, error) {
+	certPEM, ok := s.desc.Annotations[certkey]
+	if !ok {
+		return nil, nil
+	}
+	certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader([]byte(certPEM)))
+	if err != nil {
+		return nil, err
+	}
+	return certs[0], nil
+}
+
+// Chain implements oci.Signature
+func (s *sigLayer) Chain() ([]*x509.Certificate, error) {
+	chainPEM, ok := s.desc.Annotations[chainkey]
+	if !ok {
+		return nil, nil
+	}
+	certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader([]byte(chainPEM)))
+	if err != nil {
+		return nil, err
+	}
+	return certs, nil
+}
+
+// Bundle implements oci.Signature
+func (s *sigLayer) Bundle() (*oci.Bundle, error) {
+	return nil, nil
+}
diff --git a/internal/oci/signatures.go b/internal/oci/signatures.go
@@ -15,7 +15,12 @@
 
 package oci
 
-import v1 "github.com/google/go-containerregistry/pkg/v1"
+import (
+	"crypto/x509"
+
+	"github.com/go-openapi/strfmt"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+)
 
 // Signatures represents a set of signatures that are associated with a particular
 // v1.Image.
@@ -25,4 +30,46 @@ type Signatures interface {
 	// TODO(mattmoor): Accessors that build on `v1.Image` to provide
 	// higher-level accessors for the signature data that is embedded
 	// in the wrapped `v1.Image`
+
+	// Get retrieves the list of signatures stored.
+	Get() ([]Signature, error)
+}
+
+// Signature holds a single image signature.
+type Signature interface {
+	// Payload fetches the opaque data that is being signed.
+	// This will always return data when there is no error.
+	Payload() ([]byte, error)
+
+	// Base64Signature fetches the base64 encoded signature
+	// of the payload.  This will always return data when
+	// there is no error.
+	Base64Signature() (string, error)
+
+	// Cert fetches the optional public key from the key pair that
+	// was used to sign the payload.
+	Cert() (*x509.Certificate, error)
+
+	// Chain fetches the optional "full certificate chain" rooted
+	// at a Fulcio CA, the leaf of which was used to sign the
+	// payload.
+	Chain() ([]*x509.Certificate, error)
+
+	// Bundle fetches the optional metadata that records the ephemeral
+	// Fulcio key in the transparency log.
+	Bundle() (*Bundle, error)
+}
+
+// Bundle holds metadata about recording a Signature's ephemeral key to
+// a Rekor transparency log.
+type Bundle struct {
+	SignedEntryTimestamp strfmt.Base64
+	Payload              BundlePayload
+}
+
+type BundlePayload struct {
+	Body           interface{} `json:"body"`
+	IntegratedTime int64       `json:"integratedTime"`
+	LogIndex       int64       `json:"logIndex"`
+	LogID          string      `json:"logID"`
 }
diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go
@@ -16,11 +16,8 @@
 package cosign
 
 import (
-	"bytes"
 	"context"
 	"crypto/x509"
-	"encoding/json"
-	"io/ioutil"
 	"runtime"
 	"strings"
 
@@ -30,16 +27,16 @@ import (
 	"github.com/pkg/errors"
 	"knative.dev/pkg/pool"
 
-	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
-	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/cosign/internal/oci"
+	ociremote "github.com/sigstore/cosign/internal/oci/remote"
 )
 
 type SignedPayload struct {
 	Base64Signature string
 	Payload         []byte
 	Cert            *x509.Certificate
 	Chain           []*x509.Certificate
-	Bundle          *cremote.Bundle
+	Bundle          *oci.Bundle
 	bundleVerified  bool
 }
 
@@ -82,72 +79,38 @@ func FetchSignaturesForImage(ctx context.Context, signedImgRef name.Reference, s
 func FetchSignaturesForImageDigest(ctx context.Context, signedImageDigest v1.Hash, sigRepo name.Repository, sigTagSuffix string, registryOpts ...remote.Option) ([]SignedPayload, error) {
 	tag := AttachedImageTag(sigRepo, signedImageDigest, sigTagSuffix)
 
-	sigImg, err := remote.Image(tag, registryOpts...)
+	sigs, err := ociremote.Signatures(tag, registryOpts...)
 	if err != nil {
 		return nil, errors.Wrap(err, "remote image")
 	}
-
-	m, err := sigImg.Manifest()
+	l, err := sigs.Get()
 	if err != nil {
-		return nil, errors.Wrap(err, "manifest")
+		return nil, errors.Wrap(err, "fetching signatures")
 	}
 
 	g := pool.New(runtime.NumCPU())
-	signatures := make([]SignedPayload, len(m.Layers))
-	for i, desc := range m.Layers {
-		i, desc := i, desc
+	signatures := make([]SignedPayload, len(l))
+	for i, sig := range l {
+		i, sig := i, sig
 		g.Go(func() error {
-			base64sig, ok := desc.Annotations[sigkey]
-			if !ok {
-				return nil
-			}
-			l, err := sigImg.LayerByDigest(desc.Digest)
+			signatures[i].Payload, err = sig.Payload()
 			if err != nil {
 				return err
 			}
-
-			// Compressed is a misnomer here, we just want the raw bytes from the registry.
-			r, err := l.Compressed()
+			signatures[i].Base64Signature, err = sig.Base64Signature()
 			if err != nil {
 				return err
 			}
-			payload, err := ioutil.ReadAll(r)
+			signatures[i].Cert, err = sig.Cert()
 			if err != nil {
 				return err
 			}
-			sp := SignedPayload{
-				Payload:         payload,
-				Base64Signature: base64sig,
-			}
-			// We may have a certificate and chain
-			certPem := desc.Annotations[certkey]
-			if certPem != "" {
-				certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader([]byte(certPem)))
-				if err != nil {
-					return err
-				}
-				sp.Cert = certs[0]
-			}
-			chainPem := desc.Annotations[chainkey]
-			if chainPem != "" {
-				certs, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader([]byte(chainPem)))
-				if err != nil {
-					return err
-				}
-				sp.Chain = certs
-			}
-
-			bundle := desc.Annotations[BundleKey]
-			if bundle != "" {
-				var b cremote.Bundle
-				if err := json.Unmarshal([]byte(bundle), &b); err != nil {
-					return errors.Wrap(err, "unmarshaling bundle")
-				}
-				sp.Bundle = &b
+			signatures[i].Chain, err = sig.Chain()
+			if err != nil {
+				return err
 			}
-
-			signatures[i] = sp
-			return nil
+			signatures[i].Bundle, err = sig.Bundle()
+			return err
 		})
 	}
 	if err := g.Wait(); err != nil {

diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go
@@ -35,9 +35,6 @@ import (
 const (
 	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
 
-	sigkey    = "dev.cosignproject.cosign/signature"
-	certkey   = "dev.sigstore.cosign/certificate"
-	chainkey  = "dev.sigstore.cosign/chain"
 	BundleKey = "dev.sigstore.cosign/bundle"
 )
 

diff --git a/pkg/cosign/remote/remote.go b/pkg/cosign/remote/remote.go
@@ -22,7 +22,6 @@ import (
 	"io/ioutil"
 	"net/http"
 
-	"github.com/go-openapi/strfmt"
 	"github.com/go-openapi/swag"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -32,6 +31,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/pkg/errors"
 
+	"github.com/sigstore/cosign/internal/oci"
 	"github.com/sigstore/cosign/internal/oci/empty"
 	ctypes "github.com/sigstore/cosign/pkg/types"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -110,23 +110,11 @@ LayerLoop:
 	return nil, nil
 }
 
-type BundlePayload struct {
-	Body           interface{} `json:"body"`
-	IntegratedTime int64       `json:"integratedTime"`
-	LogIndex       int64       `json:"logIndex"`
-	LogID          string      `json:"logID"`
-}
-
-type Bundle struct {
-	SignedEntryTimestamp strfmt.Base64
-	Payload              BundlePayload
-}
-
 type UploadOpts struct {
 	Cert                  []byte
 	Chain                 []byte
 	DupeDetector          signature.Verifier
-	Bundle                *Bundle
+	Bundle                *oci.Bundle
 	AdditionalAnnotations map[string]string
 	RemoteOpts            []remote.Option
 	MediaType             string