From 5b08ca0dce5792f11bcc552c8f005dd57fb12593 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Tue, 9 Jul 2024 00:02:03 +0000 Subject: [PATCH 01/19] init: use sigstore-go to verify sigstore bundles certificates Signed-off-by: Ramon Petgrave --- go.mod | 1 + verifiers/internal/gha/sigstore.go | 84 ++++++++++++++++++++++++++++++ verifiers/internal/gha/verifier.go | 45 ++++++++-------- 3 files changed, 108 insertions(+), 22 deletions(-) create mode 100644 verifiers/internal/gha/sigstore.go diff --git a/go.mod b/go.mod index 3fb36cf59..d9a65fa08 100644 --- a/go.mod +++ b/go.mod @@ -16,6 +16,7 @@ require ( ) require ( + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/google/go-containerregistry v0.19.1 github.com/gorilla/mux v1.8.1 github.com/sigstore/cosign/v2 v2.2.4 diff --git a/verifiers/internal/gha/sigstore.go b/verifiers/internal/gha/sigstore.go new file mode 100644 index 000000000..cf3586ce6 --- /dev/null +++ b/verifiers/internal/gha/sigstore.go 
@@ -0,0 +1,84 @@ +package gha + +import ( + "context" + + "github.com/sigstore/sigstore-go/pkg/bundle" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore-go/pkg/verify" + + protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" +) + +func verifySigstoreBundle(ctx context.Context, provenanceBytes []byte) (*SignedAttestation, error) { + trustedRoot, err := root.FetchTrustedRoot() + if err != nil { + return nil, err + } + + verifier, err := verify.NewSignedEntityVerifier( + trustedRoot, + verify.WithSignedCertificateTimestamps(1), + verify.WithTransparencyLog(1), + verify.WithObserverTimestamps(1), + ) + if err != nil { + return nil, err + } + + certID, err := verify.NewShortCertificateIdentity( + "https://token.actions.githubusercontent.com", + "", + "", + "^https://github.com/sigstore/sigstore-js/", + ) + if err != nil { + return nil, err + } + + policy := verify.NewPolicy(verify.WithoutArtifactUnsafe(), verify.WithCertificateIdentity(certID)) + + bundle, err := loadBundleFromBytes(provenanceBytes) + if err != nil { + return nil, err + } + + _, err = verifier.Verify(bundle, policy) + if err != nil { + return nil, err + } + + return getSignedAttestationFromSigstoreBundle(ctx, bundle) +} + +func loadBundleFromBytes(provenanceBytes []byte) (*bundle.ProtobufBundle, error) { + var bundle bundle.ProtobufBundle + bundle.Bundle = new(protobundle.Bundle) + err := bundle.UnmarshalJSON(provenanceBytes) + if err != nil { + return nil, err + } + return &bundle, nil +} + +func getSignedAttestationFromSigstoreBundle(ctx context.Context, bundle *bundle.ProtobufBundle) (*SignedAttestation, error) { + envelope, err := getEnvelopeFromBundle(bundle.Bundle) + if err != nil { + return nil, err + } + + cert, err := getLeafCertFromBundle(bundle.Bundle) + if err != nil { + return nil, err + } + + publicKey := bundle.GetVerificationMaterial().GetPublicKey() + + signedAttestation := &SignedAttestation{ + Envelope: envelope, + SigningCert: cert, + // 
RekorEntry: nil, // no need to set this field, if we're not directly using rekor + PublicKey: publicKey, + } + return signedAttestation, nil +} diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 68dd86f08..b7219d907 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -12,7 +12,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/rekor/pkg/client" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" 
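Review bot: `getSignedAttestationFromSigstoreBundle` leaves `RekorEntry` nil with a comment that it is not needed, yet `verifySignedAttestation` in rekor.go derives the signing time from `*signedAtt.RekorEntry.IntegratedTime`, so an attestation built here must never reach that path or it will nil-dereference; state the invariant in the comment, e.g. `// RekorEntry stays nil: callers must not hand this attestation to verifySignedAttestation.`, or populate it from the bundle's tlog entry. The local `bundle` in `verifySigstoreBundle` and the `bundle` parameter/variable in the two helpers shadow the imported `bundle` package; renaming them to `b` avoids the confusion. `GetVerificationMaterial().GetPublicKey()` is presumably nil for certificate-based (keyless) bundles, so downstream code should not rely on `PublicKey` being set without a check. Errors from `root.FetchTrustedRoot`, `NewSignedEntityVerifier` and `Verify` are returned bare, unlike the rest of the package which wraps them with a `serrors` sentinel via `fmt.Errorf("%w: %s", ...)`.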
@@ -214,27 +213,29 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error) { - isSigstoreBundle := IsSigstoreBundle(provenance) - - // This includes a default retry count of 3. - rClient, err := client.GetRekorClient(defaultRekorAddr) - if err != nil { - return nil, nil, err - } - - trustedRoot, err := TrustedRootSingleton(ctx) - if err != nil { - return nil, nil, err - } - - var signedAtt *SignedAttestation - /* Verify signature on the intoto attestation. */ - if isSigstoreBundle { - signedAtt, err = VerifyProvenanceBundle(ctx, provenance, trustedRoot) - } else { - signedAtt, err = VerifyProvenanceSignature(ctx, trustedRoot, rClient, - provenance, artifactHash) - } + // isSigstoreBundle := IsSigstoreBundle(provenance) + + // // This includes a default retry count of 3. + // rClient, err := client.GetRekorClient(defaultRekorAddr) + // if err != nil { + // return nil, nil, err + // } + + // trustedRoot, err := TrustedRootSingleton(ctx) + // if err != nil { + // return nil, nil, err + // } + + // var signedAtt *SignedAttestation + // /* Verify signature on the intoto attestation. */ + // if isSigstoreBundle { + // signedAtt, err = VerifyProvenanceBundle(ctx, provenance, trustedRoot) + // } else { + // signedAtt, err = VerifyProvenanceSignature(ctx, trustedRoot, rClient, + // provenance, artifactHash) + // } + + signedAtt, err := verifySigstoreBundle(ctx, provenance) if err != nil { return nil, nil, err } From 347a11bf372f7aec9266a95eaf204ca03cca7e02 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 11 Jul 2024 19:07:33 +0000 Subject: [PATCH 02/19] no SAN check Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/sigstore.go | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/verifiers/internal/gha/sigstore.go b/verifiers/internal/gha/sigstore.go index cf3586ce6..b2e19358d 100644 
--- a/verifiers/internal/gha/sigstore.go +++ b/verifiers/internal/gha/sigstore.go @@ -26,17 +26,24 @@ func verifySigstoreBundle(ctx context.Context, provenanceBytes []byte) (*SignedA return nil, err } - certID, err := verify.NewShortCertificateIdentity( - "https://token.actions.githubusercontent.com", - "", - "", - "^https://github.com/sigstore/sigstore-js/", - ) - if err != nil { - return nil, err - } + // certID, err := verify.NewShortCertificateIdentity( + // "https://token.actions.githubusercontent.com", + // "", + // "", + // "^https://github.com/slsa-framework/example-package/", + // ) + // if err != nil { + // return nil, err + // } - policy := verify.NewPolicy(verify.WithoutArtifactUnsafe(), verify.WithCertificateIdentity(certID)) + policy := verify.NewPolicy( + verify.WithoutArtifactUnsafe(), + // verify.WithCertificateIdentity(certID), + // WithCertificateIdentity() checks if the SAN matches with the given identity regex + // TODO: I think the SAN in the certificate is verified later on in the code, which allows the SAN + // to be any of the trusted builder IDs. + verify.WithoutIdentitiesUnsafe(), + ) bundle, err := loadBundleFromBytes(provenanceBytes) if err != nil { From a25f5855fd781f75843aa655e944c05d6fc21103 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 11 Jul 2024 19:09:09 +0000 Subject: [PATCH 03/19] checkout verifier.go Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/verifier.go | 45 +++++++++++++++--------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index b7219d907..68dd86f08 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go 
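Review bot: The policy now combines `verify.WithoutArtifactUnsafe()` with `verify.WithoutIdentitiesUnsafe()`, so at this layer the bundle is checked only for a valid chain, SCT, tlog entry and timestamp; neither the certificate's issuer/SAN nor the artifact digest is bound here. The TODO says the SAN is thought to be checked later; that needs to be confirmed and recorded rather than assumed, because a missing downstream check would accept a bundle signed by any Fulcio-issued identity. Replace the TODO with a pointer to the exact function that enforces the issuer, the builder-ID SAN and the artifact hash, e.g. `// Identity and artifact binding are enforced by <FUNCTION_NAME> after this call; this policy validates only the Sigstore material.`, or keep `WithCertificateIdentity` with the issuer fixed and the SAN regex covering the trusted builder IDs. The commented-out `certID` block should be deleted rather than kept as dead code.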
@@ -12,6 +12,7 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/rekor/pkg/client" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" @@ -213,29 +214,27 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error) { - // isSigstoreBundle := IsSigstoreBundle(provenance) - - // // This includes a default retry count of 3. - // rClient, err := client.GetRekorClient(defaultRekorAddr) - // if err != nil { - // return nil, nil, err - // } - - // trustedRoot, err := TrustedRootSingleton(ctx) - // if err != nil { - // return nil, nil, err - // } - - // var signedAtt *SignedAttestation - // /* Verify signature on the intoto attestation. */ - // if isSigstoreBundle { - // signedAtt, err = VerifyProvenanceBundle(ctx, provenance, trustedRoot) - // } else { - // signedAtt, err = VerifyProvenanceSignature(ctx, trustedRoot, rClient, - // provenance, artifactHash) - // } - - signedAtt, err := verifySigstoreBundle(ctx, provenance) + isSigstoreBundle := IsSigstoreBundle(provenance) + + // This includes a default retry count of 3. + rClient, err := client.GetRekorClient(defaultRekorAddr) + if err != nil { + return nil, nil, err + } + + trustedRoot, err := TrustedRootSingleton(ctx) + if err != nil { + return nil, nil, err + } + + var signedAtt *SignedAttestation + /* Verify signature on the intoto attestation. */ + if isSigstoreBundle { + signedAtt, err = VerifyProvenanceBundle(ctx, provenance, trustedRoot) + } else { + signedAtt, err = VerifyProvenanceSignature(ctx, trustedRoot, rClient, + provenance, artifactHash) + } if err != nil { return nil, nil, err } From 9facffa47f0bcf7676db12658c7a7c547382a96a Mon Sep 17 00:00:00 2001 
From: Ramon Petgrave Date: Thu, 11 Jul 2024 21:14:54 +0000 Subject: [PATCH 04/19] upgrade sigstore-go 0.4.0 Signed-off-by: Ramon Petgrave --- go.mod | 15 +++++++-------- go.sum | 30 ++++++++++++++++-------------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/go.mod b/go.mod index d9a65fa08..d6a653ead 100644 --- a/go.mod +++ b/go.mod @@ -16,11 +16,10 @@ require ( ) require ( - github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc github.com/google/go-containerregistry v0.19.1 github.com/gorilla/mux v1.8.1 github.com/sigstore/cosign/v2 v2.2.4 - github.com/sigstore/sigstore-go v0.2.0 + github.com/sigstore/sigstore-go v0.4.0 github.com/slsa-framework/slsa-github-generator v1.9.0 github.com/spf13/cobra v1.8.0 golang.org/x/mod v0.18.0 @@ -39,7 +38,7 @@ require ( github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/sourcegraph/conc v0.3.0 // indirect - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect go.opentelemetry.io/otel/metric v1.24.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect @@ -92,7 +91,7 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect github.com/sigstore/fulcio v1.4.5 - github.com/sigstore/protobuf-specs v0.3.0 + github.com/sigstore/protobuf-specs v0.3.2 github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect 
@@ -108,15 +107,15 @@ require ( go.opentelemetry.io/otel/trace v1.24.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.23.0 // indirect golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 golang.org/x/net v0.23.0 // indirect golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect google.golang.org/grpc v1.62.1 // indirect - google.golang.org/protobuf v1.33.0 + google.golang.org/protobuf v1.34.1 gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect diff --git a/go.sum b/go.sum index f77df98d4..6cfbebdad 100644 --- a/go.sum +++ b/go.sum 
@@ -441,20 +441,22 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDFJro= github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y= github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc= github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8= -github.com/sigstore/protobuf-specs v0.3.0 h1:E49qS++llp4psM+3NNVEb+C4AD422bT9VkOQIPrNLpA= -github.com/sigstore/protobuf-specs v0.3.0/go.mod h1:ynKzXpqr3dUj2Xk9O/5ZUhjnpi0F53DNi5AdH6pS3jc= +github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo= +github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= -github.com/sigstore/sigstore-go v0.2.0 h1:pbDfn8voPQZCySzCpiDE+3qljzsczHUX26dQsnjH2Cg= -github.com/sigstore/sigstore-go v0.2.0/go.mod h1:M6iQfFjmK0wbez+lRTg+O7cJxjYa7s++zfW30rzZBKk= 
+github.com/sigstore/sigstore-go v0.4.0 h1:0BxofjPnd+1LzyiCgsFP0NviMg8l20ZMf4aitkvYEU8= +github.com/sigstore/sigstore-go v0.4.0/go.mod h1:KZQFwvDItf1sr5P8YhVIjjXBe1ZyeFuC4odn7/2Uie0= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= @@ -507,8 +509,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141 h1:SsiWxSpJ9AD71/vqiZVUjXW1Uusv1wlKn4zPKFNq25w= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240207172116-f5cf71290141/go.mod h1:D7dcS4bZMmF3pXOgUo8Vs6GLYM9sdrFFd37JqiP3hN4= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho= 
@@ -557,8 +559,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -602,14 +604,14 @@ golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -640,8 +642,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= -google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= From fbd10e9b992b77aa0526e42c1b91aecc366d50e3 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 11 Jul 2024 22:00:16 +0000 Subject: [PATCH 05/19] get rekor pubkey from sigstore-go, todo: cleanup Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/rekor.go | 18 ++++++++++- verifiers/utils/sigstore_tuf.go | 54 +++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 verifiers/utils/sigstore_tuf.go diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index 597bdb4d6..f4fe79a7b 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go @@ -33,6 +33,7 @@ import ( "github.com/slsa-framework/slsa-github-generator/signing/envelope" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" + "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) const ( 
@@ -83,8 +84,23 @@ func verifyTlogEntry(ctx context.Context, e models.LogEntryAnon, verifyInclusion bool, rekorKeys *cosign.TrustedTransparencyLogPubKeys) ( *models.LogEntryAnon, error, ) { + // get the public key from sigstore-go + trustedRoot, err := utils.GetTrustedRoot() + if err != nil { + return nil, err + } + rekorLogsMap := trustedRoot.RekorLogs() + keyID := *e.LogID + if _, ok := rekorLogsMap[keyID]; !ok { + return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, "Rekor log ID not found in trusted root") + } + pubKey, ok := rekorLogsMap[keyID].PublicKey.(*ecdsa.PublicKey) + if !ok { + return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, "rekor public key is not an ECDSA key") + } + // Verify the root hash against the current Signed Entry Tree Head - verifier, err := signature.LoadECDSAVerifier(rekorKeys.Keys[*e.LogID].PubKey.(*ecdsa.PublicKey), + verifier, err := signature.LoadECDSAVerifier(pubKey, crypto.SHA256) if err != nil { return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) diff --git a/verifiers/utils/sigstore_tuf.go b/verifiers/utils/sigstore_tuf.go new file mode 100644 index 000000000..f9c4db070 --- /dev/null +++ b/verifiers/utils/sigstore_tuf.go 
@@ -0,0 +1,54 @@ +package utils + +import ( + "sync" + + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" + sigstoreTUF "github.com/sigstore/sigstore-go/pkg/tuf" +) + +var ( + // cache the default Sigstore TUF client. + defaultSigstoreTUFClient *sigstoreTUF.Client + // defaultSigstoreTUFClientOnce is used for initializing the defaultSigstoreTUFClient. + defaultSigstoreTUFClientOnce sync.Once + + // cache the trusted root. + trustedRoot *sigstoreRoot.TrustedRoot + // trustedRootOnce is used for initializing the trustedRoot. + trustedRootOnce sync.Once +) + +// SigstoreTUFClient is the interface for the Sigstore TUF client. +type SigstoreTUFClient interface { + // GetTarget retrieves the target file from the TUF repository. + GetTarget(target string) ([]byte, error) +} + +// GetDefaultSigstoreTUFClient returns the default Sigstore TUF client. +// The client will be cached in memory. +func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) { + var err error + defaultSigstoreTUFClientOnce.Do(func() { + defaultSigstoreTUFClient, err = sigstoreTUF.DefaultClient() + }) + if err != nil { + return nil, err + } + return defaultSigstoreTUFClient, nil +} + +// GetTrustedRoot returns the trusted root for the Sigstore TUF client. +func GetTrustedRoot() (*sigstoreRoot.TrustedRoot, error) { + client, err := GetDefaultSigstoreTUFClient() + if err != nil { + return nil, err + } + trustedRootOnce.Do(func() { + trustedRoot, err = sigstoreRoot.GetTrustedRoot(client) + }) + if err != nil { + return nil, err + } + return trustedRoot, nil +} From 6eea9b85619ed720ebdba2ca7fc184496143ac80 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Mon, 15 Jul 2024 23:42:26 +0000 Subject: [PATCH 06/19] remove cosign from verifySignedAttestation() Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/rekor.go | 46 ++++++++++++++++++------------ verifiers/internal/gha/sigstore.go | 4 +-- verifiers/internal/gha/verifier.go | 3 +- 3 files changed, 30 insertions(+), 23 deletions(-) 
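Review bot: `GetDefaultSigstoreTUFClient` and `GetTrustedRoot` capture the initialization error only in the call that runs the `sync.Once` body; if that first call fails, every later call finds the `Once` already done, sees `err == nil`, and returns `(nil, nil)`, so a caller such as `verifyTlogEntry` then dereferences a nil root. The same pattern is repeated in `getDefaultRekorClient` in rekor.go in the next commit. Cache the error next to the value (or drop `Once` and retry under a mutex while the value is still nil) so the functions can never return a nil pointer with a nil error; in `GetTrustedRoot` the closure also assigns the outer `err` left over from the client call, which hides the problem. The exported `SigstoreTUFClient` interface is not used by anything in this change and could be dropped until it has a consumer.
```go
var (
	defaultSigstoreTUFClient     *sigstoreTUF.Client
	defaultSigstoreTUFClientErr  error
	defaultSigstoreTUFClientOnce sync.Once

	trustedRoot     *sigstoreRoot.TrustedRoot
	trustedRootErr  error
	trustedRootOnce sync.Once
)

// … unchanged: SigstoreTUFClient interface …

// GetDefaultSigstoreTUFClient returns the default Sigstore TUF client.
// The client, or the error from creating it, is cached for the process lifetime.
func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) {
	defaultSigstoreTUFClientOnce.Do(func() {
		defaultSigstoreTUFClient, defaultSigstoreTUFClientErr = sigstoreTUF.DefaultClient()
	})
	return defaultSigstoreTUFClient, defaultSigstoreTUFClientErr
}

// GetTrustedRoot returns the Sigstore trusted root obtained through the default TUF client.
// The root, or the error from fetching it, is cached for the process lifetime.
func GetTrustedRoot() (*sigstoreRoot.TrustedRoot, error) {
	trustedRootOnce.Do(func() {
		client, err := GetDefaultSigstoreTUFClient()
		if err != nil {
			trustedRootErr = err
			return
		}
		trustedRoot, trustedRootErr = sigstoreRoot.GetTrustedRoot(client)
	})
	return trustedRoot, trustedRootErr
}
```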
diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index f4fe79a7b..ddd5db3c2 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go @@ -11,6 +11,7 @@ import ( "fmt" "os" "strings" + "sync" "time" cjson "github.com/docker/go/canonical/json" @@ -32,6 +33,8 @@ import ( dsseverifier "github.com/sigstore/sigstore/pkg/signature/dsse" "github.com/slsa-framework/slsa-github-generator/signing/envelope" + rekorClient "github.com/sigstore/rekor/pkg/client" + sigstoreVerify "github.com/sigstore/sigstore-go/pkg/verify" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) @@ -40,6 +43,22 @@ const ( defaultRekorAddr = "https://rekor.sigstore.dev" ) +var ( + defaultRekorClient *client.Rekor + defaultRekorClientOnce sync.Once +) + +func getDefaultRekorClient() (*client.Rekor, error) { + var err error + defaultRekorClientOnce.Do(func() { + defaultRekorClient, err = rekorClient.GetRekorClient(defaultRekorAddr) + }) + if err != nil { + return nil, err + } + return defaultRekorClient, nil +} + func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entryUUID string, trustedRoot *TrustedRoot) ( *models.LogEntryAnon, error, 
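Review bot: The new import alias `rekorClient` for `github.com/sigstore/rekor/pkg/client` collides with the `rekorClient *client.Rekor` parameter of `verifyTlogEntryByUUID` visible directly below the added `getDefaultRekorClient`; inside that function the parameter shadows the package, which compiles but is easy to misread. A distinct alias such as `rekorclient` or `rekorpkg` avoids it. `getDefaultRekorClient` also lacks a doc comment; `// getDefaultRekorClient returns a process-wide Rekor client for defaultRekorAddr.` would do.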
@@ -362,33 +381,22 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *TrustedR return err } signatureTimestamp := time.Unix(*signedAtt.RekorEntry.IntegratedTime, 0) - - // 1. Verify certificate chain. - co := &cosign.CheckOpts{ - RootCerts: trustedRoot.FulcioRoot, - IntermediateCerts: trustedRoot.FulcioIntermediates, - Identities: []cosign.Identity{ - { - Issuer: certOidcIssuer, - SubjectRegExp: certSubjectRegexp, - }, - }, - CTLogPubKeys: trustedRoot.CTPubKeys, - } - verifier, err := cosign.ValidateAndUnpackCert(signedAtt.SigningCert, co) + sigstoreGoTrustedRoot, err := utils.GetTrustedRoot() if err != nil { + return err + } + + // Verify the certificate chain, and that the certificate was valid at the time of signing. + if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, *cert, sigstoreGoTrustedRoot); err != nil { + fmt.Fprintf(os.Stderr, "error verifying leaf certificate with sisgtore-go: %v\n", err) return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) } // 2. Verify signature using validated certificate. + verifier, err := signature.LoadVerifier(cert.PublicKey, crypto.SHA256) verifier = dsseverifier.WrapVerifier(verifier) if err := verifier.VerifySignature(bytes.NewReader(attBytes), bytes.NewReader(attBytes)); err != nil { return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) } - - // 3. Verify signature was creating during certificate validity period. - if err := cosign.CheckExpiry(cert, signatureTimestamp); err != nil { - return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) - } return nil } diff --git a/verifiers/internal/gha/sigstore.go b/verifiers/internal/gha/sigstore.go index b2e19358d..d0ba66667 100644 --- a/verifiers/internal/gha/sigstore.go +++ b/verifiers/internal/gha/sigstore.go 
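Review bot: The error from `signature.LoadVerifier(cert.PublicKey, crypto.SHA256)` is never checked: the next line wraps `verifier` immediately and the following `if err :=` shadows `err`, so an unsupported key type produces a nil interface that panics inside `VerifySignature`; add `if err != nil { return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) }` before the `dsseverifier.WrapVerifier` call. The removed `cosign.ValidateAndUnpackCert` call also enforced `Identities` (issuer `certOidcIssuer`, subject `certSubjectRegexp`) and SCT verification via `CTLogPubKeys`, whereas `sigstoreVerify.VerifyLeafCertificate` appears to cover only chain building and validity at `signatureTimestamp`; unless the issuer/SAN binding and the SCT check are enforced elsewhere on this path, this hunk weakens the certificate check and the commit message should say where they moved. The `fmt.Fprintf(os.Stderr, ...)` before the wrapped return logs and returns the same error (and misspells sigstore-go); drop it and let the returned error carry the context. The enclosing function starts outside the hunk.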
@@ -4,14 +4,14 @@ import ( "context" "github.com/sigstore/sigstore-go/pkg/bundle" - "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore-go/pkg/verify" + "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" ) func verifySigstoreBundle(ctx context.Context, provenanceBytes []byte) (*SignedAttestation, error) { - trustedRoot, err := root.FetchTrustedRoot() + trustedRoot, err := utils.GetTrustedRoot() if err != nil { return nil, err } diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 68dd86f08..09f234b91 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -12,7 +12,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/rekor/pkg/client" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" @@ -217,7 +216,7 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context, isSigstoreBundle := IsSigstoreBundle(provenance) // This includes a default retry count of 3. - rClient, err := client.GetRekorClient(defaultRekorAddr) + rClient, err := getDefaultRekorClient() if err != nil { return nil, nil, err } From 43bffcc34ca586aeb1359a59dbb631d2df1b52ad Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Wed, 17 Jul 2024 17:40:53 +0000 Subject: [PATCH 07/19] cleaner variable names Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/rekor.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index ddd5db3c2..9d6831588 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go 
@@ -110,10 +110,11 @@ func verifyTlogEntry(ctx context.Context, e models.LogEntryAnon, } rekorLogsMap := trustedRoot.RekorLogs() keyID := *e.LogID - if _, ok := rekorLogsMap[keyID]; !ok { + rekorLog, ok := rekorLogsMap[keyID] + if !ok { return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, "Rekor log ID not found in trusted root") } - pubKey, ok := rekorLogsMap[keyID].PublicKey.(*ecdsa.PublicKey) + pubKey, ok := rekorLog.PublicKey.(*ecdsa.PublicKey) if !ok { return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, "rekor public key is not an ECDSA key") } From 83fe8fc14bdd0807cee17819a9763c1d787f671d Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Wed, 17 Jul 2024 19:24:27 +0000 Subject: [PATCH 08/19] new getDefaultcosignOpts, refactor TrustedRoot, todo replace custom struct entirely Signed-off-by: Ramon Petgrave --- cli/slsa-verifier/main_regression_test.go | 1 + verifiers/internal/gha/bundle.go | 2 +- verifiers/internal/gha/rekor.go | 18 +--- verifiers/internal/gha/sigstore.go | 4 +- verifiers/internal/gha/trusted_root.go | 108 ++++++++++++---------- verifiers/internal/gha/verifier.go | 19 ++-- verifiers/utils/sigstore_tuf.go | 11 ++- 7 files changed, 82 insertions(+), 81 deletions(-) diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go index a7ade249f..f502f0480 100644 --- a/cli/slsa-verifier/main_regression_test.go +++ b/cli/slsa-verifier/main_regression_test.go @@ -523,6 +523,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) { noversion: true, }, } + // tests = tests[:1] for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below t.Run(tt.name, func(t *testing.T) { diff --git a/verifiers/internal/gha/bundle.go b/verifiers/internal/gha/bundle.go index 54b220dc5..89b3e1815 100644 --- a/verifiers/internal/gha/bundle.go +++ b/verifiers/internal/gha/bundle.go 
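Review bot: `// tests = tests[:1]` in `Test_runVerifyGHAArtifactPath` is a commented-out debugging aid that would restrict the table to a single case; it should be removed before merge so the full regression table remains the intended behaviour. Running one case locally is already possible with `go test -run 'Test_runVerifyGHAArtifactPath/<SUBTEST_NAME>'` without touching the source.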
@@ -53,7 +53,7 @@ func verifyRekorEntryFromBundle(ctx context.Context, tlogEntry *v1.TransparencyL // Verify tlog entry. if _, err := verifyTlogEntry(ctx, *rekorEntry, false, - trustedRoot.RekorPubKeys); err != nil { + trustedRoot); err != nil { return nil, err } diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index 9d6831588..c4a7aa0ec 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go @@ -16,7 +16,6 @@ import ( cjson "github.com/docker/go/canonical/json" "github.com/go-openapi/runtime" - "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/client/entries" "github.com/sigstore/rekor/pkg/generated/client/index" @@ -36,7 +35,6 @@ import ( rekorClient "github.com/sigstore/rekor/pkg/client" sigstoreVerify "github.com/sigstore/sigstore-go/pkg/verify" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" - "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) const ( @@ -90,7 +88,7 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, return nil, errors.New("expected matching UUID") } // Validate the entry response. - return verifyTlogEntry(ctx, entry, true, trustedRoot.RekorPubKeys) + return verifyTlogEntry(ctx, entry, true, trustedRoot) } return nil, serrors.ErrorRekorSearch 
@@ -100,14 +98,10 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, // Verification includes verifying the SignedEntryTimestamp and, if verifyInclusion // is true, the inclusion proof along with the signed tree head. func verifyTlogEntry(ctx context.Context, e models.LogEntryAnon, - verifyInclusion bool, rekorKeys *cosign.TrustedTransparencyLogPubKeys) ( + verifyInclusion bool, trustedRoot *TrustedRoot) ( *models.LogEntryAnon, error, ) { // get the public key from sigstore-go - trustedRoot, err := utils.GetTrustedRoot() - if err != nil { - return nil, err - } rekorLogsMap := trustedRoot.RekorLogs() keyID := *e.LogID rekorLog, ok := rekorLogsMap[keyID] @@ -273,7 +267,7 @@ func GetValidSignedAttestationWithCert(rClient *client.Rekor, var rekorEntry models.LogEntryAnon for uuid, e := range logEntry { if _, err := verifyTlogEntry(context.Background(), e, true, - trustedRoot.RekorPubKeys); err != nil { + trustedRoot); err != nil { return nil, fmt.Errorf("error verifying tlog entry: %w", err) } rekorEntry = e @@ -382,13 +376,9 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *TrustedR return err } signatureTimestamp := time.Unix(*signedAtt.RekorEntry.IntegratedTime, 0) - sigstoreGoTrustedRoot, err := utils.GetTrustedRoot() - if err != nil { - return err - } // Verify the certificate chain, and that the certificate was valid at the time of signing. - if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, *cert, sigstoreGoTrustedRoot); err != nil { + if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, *cert, trustedRoot); err != nil { fmt.Fprintf(os.Stderr, "error verifying leaf certificate with sisgtore-go: %v\n", err) return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) } diff --git a/verifiers/internal/gha/sigstore.go b/verifiers/internal/gha/sigstore.go index d0ba66667..50a52c9bf 100644 --- a/verifiers/internal/gha/sigstore.go +++ b/verifiers/internal/gha/sigstore.go 
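Review bot: `verifyTlogEntry` now reads `trustedRoot.RekorLogs()` through the `TrustedRoot` wrapper, which in this commit embeds a `*sigstoreRoot.TrustedRoot`, so a nil or zero-value `trustedRoot` panics here instead of failing with `serrors.ErrorRekorPubKey`; a guard `if trustedRoot == nil || trustedRoot.TrustedRoot == nil { return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, "trusted root not initialized") }` at the top keeps the failure an error. The leading comment `// get the public key from sigstore-go` is stale now that the root is supplied by the caller; `// Resolve the Rekor log public key for this entry's LogID from the trusted root.` describes what the block does. The rest of the function body is outside the hunk.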
@@ -11,13 +11,13 @@ import ( ) func verifySigstoreBundle(ctx context.Context, provenanceBytes []byte) (*SignedAttestation, error) { - trustedRoot, err := utils.GetTrustedRoot() + sigstoreTrustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { return nil, err } verifier, err := verify.NewSignedEntityVerifier( - trustedRoot, + sigstoreTrustedRoot, verify.WithSignedCertificateTimestamps(1), verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1), diff --git a/verifiers/internal/gha/trusted_root.go b/verifiers/internal/gha/trusted_root.go index dd0354cb6..d743a7049 100644 --- a/verifiers/internal/gha/trusted_root.go +++ b/verifiers/internal/gha/trusted_root.go 
@@ -2,75 +2,85 @@ package gha import ( "context" - "crypto/x509" "fmt" - "sync/atomic" + "sync" + + "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" "github.com/sigstore/cosign/v2/pkg/cosign" + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/fulcioroots" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" ) +var ( + // defaultCosignCheckOpts are the default options for cosign checks. + defaultCosignCheckOpts *cosign.CheckOpts + + // defaultCosignCheckOptsOnce is used for initializing the defaultCosignCheckOpts. + defaultCosignCheckOptsOnce sync.Once +) + // TrustedRoot struct that holds the verification material necessary // to validate items. MUST be populated out of band. type TrustedRoot struct { - // RekorPubKeys is a map from log ID to public keys containing metadata. - RekorPubKeys *cosign.TrustedTransparencyLogPubKeys - - // SctPubKeys is a map from log ID to public keys for the SCT. - CTPubKeys *cosign.TrustedTransparencyLogPubKeys - - // Certificate pool for Fulcio roots. - FulcioRoot *x509.CertPool - - // Certificate pool for Fulcio intermediates - FulcioIntermediates *x509.CertPool + *sigstoreRoot.TrustedRoot } -func getTrustedRoot(ctx context.Context) (*TrustedRoot, error) { - rekorPubKeys, err := cosign.GetRekorPubs(ctx) - if err != nil { - return nil, fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) - } - - ctPubKeys, err := cosign.GetCTLogPubs(ctx) - if err != nil { - // this is unexpected, hold on to this error. - return nil, fmt.Errorf("%w: %s", serrors.ErrorInternal, err) - } - - roots, err := fulcioroots.Get() - if err != nil { - // this is unexpected, hold on to this error. - return nil, fmt.Errorf("%w: %s", serrors.ErrorInternal, err) - } - intermediates, err := fulcioroots.GetIntermediates() +// getTrustedRoot returns a custom TrustedRoot embedded with a cached TrustedRoot from the default Sigstore TUF client. 
+func TrustedRootSingleton(ctx context.Context) (*TrustedRoot, error) { + sigstoreTrustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { - // this is unexpected, hold on to this error. - return nil, fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + return nil, err } - return &TrustedRoot{ - FulcioRoot: roots, - FulcioIntermediates: intermediates, - RekorPubKeys: rekorPubKeys, - CTPubKeys: ctPubKeys, + TrustedRoot: sigstoreTrustedRoot, }, nil } -// Cache the TUF roots to reduce traffic and read contention on the cached file. -var manager atomic.Value +// getDefaultCosignCheckOpts returns the default cosign check options. +// This is cached in memory. +// CheckOpts.RegistryClientOpts must be added by the receiver. +func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) { + var err error + // Initialize the defaultCosignCheckOpts. + // defaultCosignCheckOptsOnce is reinitialized upon error. + defaultCosignCheckOptsOnce.Do(func() { + rootCerts, err := fulcioroots.Get() + if err != nil { + err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + defaultCosignCheckOptsOnce = sync.Once{} + return + } + intermediateCerts, err := fulcioroots.GetIntermediates() + if err != nil { + err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + defaultCosignCheckOptsOnce = sync.Once{} + return + } + rekorPubKeys, err := cosign.GetRekorPubs(ctx) + if err != nil { + err = fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) + defaultCosignCheckOptsOnce = sync.Once{} + return + } + ctPubKeys, err := cosign.GetCTLogPubs(ctx) + if err != nil { + // this is unexpected, hold on to this error. 
+ err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + defaultCosignCheckOptsOnce = sync.Once{} + return + } -func TrustedRootSingleton(ctx context.Context) (*TrustedRoot, error) { - root := manager.Load() - if root != nil { - return root.(*TrustedRoot), nil - } - trustedRoot, err := getTrustedRoot(ctx) + defaultCosignCheckOpts = &cosign.CheckOpts{ + RootCerts: rootCerts, + IntermediateCerts: intermediateCerts, + RekorPubKeys: rekorPubKeys, + CTLogPubKeys: ctPubKeys, + } + }) if err != nil { return nil, err } - - manager.Store(trustedRoot) - return trustedRoot, nil + return defaultCosignCheckOpts, nil } diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 09f234b91..3f53f48bf 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -11,7 +11,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/secure-systems-lab/go-securesystemslib/dsse" - "github.com/sigstore/cosign/v2/pkg/cosign" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" @@ -248,13 +247,8 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context, provenance []byte, artifactImage string, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error) { - /* Retrieve any valid signed attestations that chain up to Fulcio root CA. */ - trustedRoot, err := TrustedRootSingleton(ctx) - if err != nil { - return nil, nil, err - } - var provenanceTargetRepository name.Repository + var err error // Consume input for --provenance-repository when set if provenanceOpts.ExpectedProvenanceRepository != nil { provenanceTargetRepository, err = name.NewRepository(*provenanceOpts.ExpectedProvenanceRepository) 
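Review bot: Resetting the Once from inside its own `Do` callback in `getDefaultCosignCheckOpts` (`defaultCosignCheckOptsOnce = sync.Once{}` on each error path) overwrites the `sync.Once` whose mutex `Do` is holding at that moment: `doSlow` then runs its deferred `done.Store(1)` and `Unlock` on the zeroed value, so the reset is undone and the unlock of an unlocked mutex is fatal. PATCH 09 on this page switches to `new(sync.Once)`, which stops the in-place overwrite, but the package-level pointer is then read and replaced without synchronization, and a caller already blocked in `Do` on the old Once wakes after the failed attempt with a nil `err` and a nil `defaultCosignCheckOpts`. The same pattern is in `GetDefaultSigstoreTUFClient` and `GetSigstoreTrustedRoot` in this commit's sigstore_tuf.go hunks and in `getDefaultRekorClient` in PATCH 09's rekor.go hunk. A mutex-guarded lazy init, as below, retries cleanly on failure and also removes the shadowed `err` (`rootCerts, err :=` declares a new variable inside the closure, so the outer `err` checked after `Do` is always nil until PATCH 13 renames it to `getErr`). The doc comment above `TrustedRootSingleton` still names it `getTrustedRoot`; `// TrustedRootSingleton returns a TrustedRoot wrapping the cached sigstore-go trusted root from the default Sigstore TUF client.` would match the function.
```go
var (
	// defaultCosignCheckOpts are the default options for cosign checks.
	defaultCosignCheckOpts *cosign.CheckOpts

	// defaultCosignCheckOptsMu guards the lazy initialization of
	// defaultCosignCheckOpts; a failed attempt is simply retried on the next call.
	defaultCosignCheckOptsMu sync.Mutex
)

// … unchanged: TrustedRoot, TrustedRootSingleton …

// getDefaultCosignCheckOpts returns the default cosign check options,
// fetching and caching them on the first successful call.
// The caller must copy the result before setting CheckOpts.RegistryClientOpts.
func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) {
	defaultCosignCheckOptsMu.Lock()
	defer defaultCosignCheckOptsMu.Unlock()
	if defaultCosignCheckOpts != nil {
		return defaultCosignCheckOpts, nil
	}
	rootCerts, err := fulcioroots.Get()
	if err != nil {
		return nil, fmt.Errorf("%w: %s", serrors.ErrorInternal, err)
	}
	// … unchanged: intermediateCerts, rekorPubKeys and ctPubKeys are fetched the same way,
	// each returning its wrapped error directly instead of resetting a Once …
	defaultCosignCheckOpts = &cosign.CheckOpts{
		RootCerts:         rootCerts,
		IntermediateCerts: intermediateCerts,
		RekorPubKeys:      rekorPubKeys,
		CTLogPubKeys:      ctPubKeys,
	}
	return defaultCosignCheckOpts, nil
}
```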
@@ -271,13 +265,12 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context, registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository)) } - opts := &cosign.CheckOpts{ - RegistryClientOpts: registryClientOpts, - RootCerts: trustedRoot.FulcioRoot, - IntermediateCerts: trustedRoot.FulcioIntermediates, - RekorPubKeys: trustedRoot.RekorPubKeys, - CTLogPubKeys: trustedRoot.CTPubKeys, + /* Retrieve any valid signed attestations that chain up to Fulcio root CA. */ + opts, err := getDefaultCosignCheckOpts(ctx) + if err != nil { + return nil, nil, err } + opts.RegistryClientOpts = registryClientOpts atts, _, err := container.RunCosignImageVerification(ctx, artifactImage, opts) diff --git a/verifiers/utils/sigstore_tuf.go b/verifiers/utils/sigstore_tuf.go index f9c4db070..e0d276f63 100644 --- a/verifiers/utils/sigstore_tuf.go +++ b/verifiers/utils/sigstore_tuf.go @@ -31,6 +31,10 @@ func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) { var err error defaultSigstoreTUFClientOnce.Do(func() { defaultSigstoreTUFClient, err = sigstoreTUF.DefaultClient() + if err != nil { + defaultSigstoreTUFClientOnce = sync.Once{} + return + } }) if err != nil { return nil, err @@ -38,14 +42,17 @@ func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) { return defaultSigstoreTUFClient, nil } -// GetTrustedRoot returns the trusted root for the Sigstore TUF client. -func GetTrustedRoot() (*sigstoreRoot.TrustedRoot, error) { +// GetSigstoreTrustedRoot returns the trusted root for the Sigstore TUF client. +func GetSigstoreTrustedRoot() (*sigstoreRoot.TrustedRoot, error) { client, err := GetDefaultSigstoreTUFClient() if err != nil { return nil, err } trustedRootOnce.Do(func() { trustedRoot, err = sigstoreRoot.GetTrustedRoot(client) + if err != nil { + trustedRootOnce = sync.Once{} + } }) if err != nil { return nil, err From 5ce919ecd90f96b4ba658e14417712a6b4e74692 Mon Sep 17 00:00:00 2001 
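Review bot: `opts.RegistryClientOpts = registryClientOpts` in `VerifyImage` writes into the pointer that `getDefaultCosignCheckOpts` caches at package level, so every call mutates the shared default `cosign.CheckOpts`, and concurrent calls race on that field and can run with another call's `ociremote.WithTargetRepository` option. Copy the defaults before customizing them: `defaults, err := getDefaultCosignCheckOpts(ctx)`, then `opts := *defaults` and `opts.RegistryClientOpts = registryClientOpts`, passing `&opts` to `RunCosignImageVerification`. The comment on `getDefaultCosignCheckOpts` ("must be added by the receiver") should then say the caller copies the returned value rather than setting fields on it. `VerifyImage` starts and continues outside the hunk.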
From: Ramon Petgrave Date: Thu, 18 Jul 2024 14:27:02 +0000 Subject: [PATCH 09/19] change TrustedRoot to sigstoreRoot.TrustedRoot Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/bundle.go | 9 +++++---- verifiers/internal/gha/bundle_test.go | 3 ++- verifiers/internal/gha/npm.go | 5 +++-- verifiers/internal/gha/npm_test.go | 14 +++++++------- verifiers/internal/gha/provenance.go | 3 ++- verifiers/internal/gha/rekor.go | 18 ++++++++++++------ verifiers/internal/gha/trusted_root.go | 10 +++++----- verifiers/internal/gha/verifier.go | 5 +++-- verifiers/utils/sigstore_tuf.go | 19 +++++++++++-------- 9 files changed, 50 insertions(+), 36 deletions(-) diff --git a/verifiers/internal/gha/bundle.go b/verifiers/internal/gha/bundle.go index 89b3e1815..9a57e9b04 100644 --- a/verifiers/internal/gha/bundle.go +++ b/verifiers/internal/gha/bundle.go @@ -13,6 +13,7 @@ import ( bundle_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" v1 "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1" "github.com/sigstore/rekor/pkg/generated/models" + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" "google.golang.org/protobuf/encoding/protojson" ) @@ -36,7 +37,7 @@ func IsSigstoreBundle(bytes []byte) bool { // verifyRekorEntryFromBundle extracts and verifies the Rekor entry from the Sigstore // bundle verification material, validating the SignedEntryTimestamp. func verifyRekorEntryFromBundle(ctx context.Context, tlogEntry *v1.TransparencyLogEntry, - trustedRoot *TrustedRoot) ( + trustedRoot *sigstoreRoot.TrustedRoot) ( *models.LogEntryAnon, error, ) { canonicalBody := tlogEntry.GetCanonicalizedBody() 
@@ -159,7 +160,7 @@ func matchRekorEntryWithEnvelope(tlogEntry *v1.TransparencyLogEntry, env *dsseli // returns the verified DSSE envelope containing the provenance // and the signing certificate given the provenance. func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte, - trustedRoot *TrustedRoot) ( + trustedRoot *sigstoreRoot.TrustedRoot) ( *SignedAttestation, error, ) { proposedSignedAtt, err := verifyBundleAndEntryFromBytes(ctx, bundleBytes, trustedRoot, true) @@ -176,7 +177,7 @@ func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte, // verifyBundleAndEntry validates the rekor entry inn the bundle // and that the entry (cert, signatures) matches the data in the bundle. func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle, - trustedRoot *TrustedRoot, requireCert bool, + trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool, ) (*SignedAttestation, error) { // We only expect one TLOG entry. If this changes in the future, we must iterate // for a matching one. @@ -226,7 +227,7 @@ func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle, // verifyBundleAndEntryFromBytes validates the rekor entry inn the bundle // and that the entry (cert, signatures) matches the data in the bundle. func verifyBundleAndEntryFromBytes(ctx context.Context, bundleBytes []byte, - trustedRoot *TrustedRoot, requireCert bool, + trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool, ) (*SignedAttestation, error) { // Extract the SigningCert, Envelope, and RekorEntry from the bundle. var bundle bundle_v1.Bundle diff --git a/verifiers/internal/gha/bundle_test.go b/verifiers/internal/gha/bundle_test.go index 87fe03e25..af610b697 100644 --- a/verifiers/internal/gha/bundle_test.go +++ b/verifiers/internal/gha/bundle_test.go 
@@ -8,13 +8,14 @@ import ( "github.com/google/go-cmp/cmp" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" + "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) func Test_verifyBundle(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go index ea4c9c79b..a09b89bad 100644 --- a/verifiers/internal/gha/npm.go +++ b/verifiers/internal/gha/npm.go @@ -13,6 +13,7 @@ import ( intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/secure-systems-lab/go-securesystemslib/dsse" + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance" @@ -50,7 +51,7 @@ func (b *BundleBytes) UnmarshalJSON(data []byte) error { type Npm struct { ctx context.Context - root *TrustedRoot + root *sigstoreRoot.TrustedRoot verifiedBuilderID *utils.TrustedBuilderID verifiedProvenanceAtt *SignedAttestation verifiedPublishAtt *SignedAttestation @@ -66,7 +67,7 @@ func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate { return n.verifiedProvenanceAtt.SigningCert } -func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*Npm, error) { +func NpmNew(ctx context.Context, root *sigstoreRoot.TrustedRoot, attestationBytes []byte) (*Npm, error) { var aSet attestationSet if err := json.Unmarshal(attestationBytes, &aSet); err != nil { return nil, fmt.Errorf("%w: json.Unmarshal: %v", errrorInvalidAttestations, err) diff --git a/verifiers/internal/gha/npm_test.go b/verifiers/internal/gha/npm_test.go index e9c3d6d4f..956ec21e4 100644 --- a/verifiers/internal/gha/npm_test.go +++ b/verifiers/internal/gha/npm_test.go 
@@ -719,7 +719,7 @@ func Test_verifyPackageName(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -802,7 +802,7 @@ func Test_verifyPublishAttestationSubjectDigest(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -880,7 +880,7 @@ func Test_verifyPackageVersion(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -1061,7 +1061,7 @@ func Test_verifyIntotoHeaders(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -1150,7 +1150,7 @@ func Test_NpmNew(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -1198,7 +1198,7 @@ func Test_verifyPublishAttestationSignature(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } @@ -1245,7 +1245,7 @@ func Test_verifyProvenanceAttestationSignature(t *testing.T) { t.Parallel() ctx := context.Background() - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { t.Fatal(err) } diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index d71db7fe2..df27e077f 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go 
@@ -11,6 +11,7 @@ import ( dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" proto_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/slsa-framework/slsa-github-generator/signing/envelope" @@ -209,7 +210,7 @@ func verifyDigest(prov iface.Provenance, expectedHash string) error { // VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance // and the signing certificate given the provenance and artifact hash. -func VerifyProvenanceSignature(ctx context.Context, trustedRoot *TrustedRoot, +func VerifyProvenanceSignature(ctx context.Context, trustedRoot *sigstoreRoot.TrustedRoot, rClient *client.Rekor, provenance []byte, artifactHash string) ( *SignedAttestation, error, diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index c4a7aa0ec..609c8544c 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go @@ -33,6 +33,7 @@ import ( "github.com/slsa-framework/slsa-github-generator/signing/envelope" rekorClient "github.com/sigstore/rekor/pkg/client" + sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" sigstoreVerify "github.com/sigstore/sigstore-go/pkg/verify" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" ) @@ -43,13 +44,18 @@ const ( var ( defaultRekorClient *client.Rekor - defaultRekorClientOnce sync.Once + defaultRekorClientOnce = new(sync.Once) ) +// getDefaultRekorClient returns a cached Rekor client. func getDefaultRekorClient() (*client.Rekor, error) { var err error defaultRekorClientOnce.Do(func() { defaultRekorClient, err = rekorClient.GetRekorClient(defaultRekorAddr) + if err != nil { + defaultRekorClientOnce = new(sync.Once) + return + } }) if err != nil { return nil, err 
@@ -58,7 +64,7 @@ func getDefaultRekorClient() (*client.Rekor, error) { } func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, - entryUUID string, trustedRoot *TrustedRoot) ( + entryUUID string, trustedRoot *sigstoreRoot.TrustedRoot) ( *models.LogEntryAnon, error, ) { params := entries.NewGetLogEntryByUUIDParamsWithContext(ctx) @@ -98,7 +104,7 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, // Verification includes verifying the SignedEntryTimestamp and, if verifyInclusion // is true, the inclusion proof along with the signed tree head. func verifyTlogEntry(ctx context.Context, e models.LogEntryAnon, - verifyInclusion bool, trustedRoot *TrustedRoot) ( + verifyInclusion bool, trustedRoot *sigstoreRoot.TrustedRoot) ( *models.LogEntryAnon, error, ) { // get the public key from sigstore-go @@ -233,7 +239,7 @@ func getUUIDsByArtifactDigest(rClient *client.Rekor, artifactHash string) ([]str // the full intoto attestation. // The attestation generated by the slsa-github-generator libraries contain a signing certificate. func GetValidSignedAttestationWithCert(rClient *client.Rekor, - provenance []byte, trustedRoot *TrustedRoot, + provenance []byte, trustedRoot *sigstoreRoot.TrustedRoot, ) (*SignedAttestation, error) { // Use intoto attestation to find rekor entry UUIDs. params := entries.NewSearchLogQueryParams() @@ -304,7 +310,7 @@ func GetValidSignedAttestationWithCert(rClient *client.Rekor, // SearchValidSignedAttestation searches for a valid signing certificate using the Rekor // Redis search index by using the artifact digest. func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte, - rClient *client.Rekor, trustedRoot *TrustedRoot, + rClient *client.Rekor, trustedRoot *sigstoreRoot.TrustedRoot, ) (*SignedAttestation, error) { // Get Rekor UUIDs by artifact digest. uuids, err := getUUIDsByArtifactDigest(rClient, artifactHash) 
@@ -369,7 +375,7 @@ func SearchValidSignedAttestation(ctx context.Context, artifactHash string, prov // The certificate is verified up to Fulcio, the signature is validated // using the certificate, and the signature generation time is checked // to be within the certificate validity period. -func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *TrustedRoot) error { +func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstoreRoot.TrustedRoot) error { cert := signedAtt.SigningCert attBytes, err := cjson.MarshalCanonical(signedAtt.Envelope) if err != nil { diff --git a/verifiers/internal/gha/trusted_root.go b/verifiers/internal/gha/trusted_root.go index d743a7049..568cbe9bf 100644 --- a/verifiers/internal/gha/trusted_root.go +++ b/verifiers/internal/gha/trusted_root.go @@ -18,7 +18,7 @@ var ( defaultCosignCheckOpts *cosign.CheckOpts // defaultCosignCheckOptsOnce is used for initializing the defaultCosignCheckOpts. - defaultCosignCheckOptsOnce sync.Once + defaultCosignCheckOptsOnce = new(sync.Once) ) // TrustedRoot struct that holds the verification material necessary 
@@ -49,26 +49,26 @@ func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) { rootCerts, err := fulcioroots.Get() if err != nil { err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) - defaultCosignCheckOptsOnce = sync.Once{} + defaultCosignCheckOptsOnce = new(sync.Once) return } intermediateCerts, err := fulcioroots.GetIntermediates() if err != nil { err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) - defaultCosignCheckOptsOnce = sync.Once{} + defaultCosignCheckOptsOnce = new(sync.Once) return } rekorPubKeys, err := cosign.GetRekorPubs(ctx) if err != nil { err = fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) - defaultCosignCheckOptsOnce = sync.Once{} + defaultCosignCheckOptsOnce = new(sync.Once) return } ctPubKeys, err := cosign.GetCTLogPubs(ctx) if err != nil { // this is unexpected, hold on to this error. err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) - defaultCosignCheckOptsOnce = sync.Once{} + defaultCosignCheckOptsOnce = new(sync.Once) return } diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 3f53f48bf..5d4f7dd9b 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -220,7 +220,8 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context, return nil, nil, err } - trustedRoot, err := TrustedRootSingleton(ctx) + // trustedRoot, err := utils.GetSigstoreTrustedRoot() + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { return nil, nil, err } @@ -324,7 +325,7 @@ func (v *GHAVerifier) VerifyNpmPackage(ctx context.Context, provenanceOpts *options.ProvenanceOpts, builderOpts *options.BuilderOpts, ) ([]byte, *utils.TrustedBuilderID, error) { - trustedRoot, err := TrustedRootSingleton(ctx) + trustedRoot, err := utils.GetSigstoreTrustedRoot() if err != nil { return nil, nil, err } diff --git a/verifiers/utils/sigstore_tuf.go b/verifiers/utils/sigstore_tuf.go index e0d276f63..fd27712c5 100644 --- a/verifiers/utils/sigstore_tuf.go 
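Review bot: The added `// trustedRoot, err := utils.GetSigstoreTrustedRoot()` in `VerifyArtifact` is a commented-out copy of the live line directly beneath it and should be dropped. PATCH 13's diffstat lists a one-line deletion in verifier.go that may be exactly this, but that hunk is not visible here. `VerifyArtifact` starts and continues outside the hunk.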
+++ b/verifiers/utils/sigstore_tuf.go @@ -11,12 +11,12 @@ var ( // cache the default Sigstore TUF client. defaultSigstoreTUFClient *sigstoreTUF.Client // defaultSigstoreTUFClientOnce is used for initializing the defaultSigstoreTUFClient. - defaultSigstoreTUFClientOnce sync.Once + defaultSigstoreTUFClientOnce = new(sync.Once) // cache the trusted root. trustedRoot *sigstoreRoot.TrustedRoot // trustedRootOnce is used for initializing the trustedRoot. - trustedRootOnce sync.Once + trustedRootOnce = new(sync.Once) ) // SigstoreTUFClient is the interface for the Sigstore TUF client. @@ -32,7 +32,7 @@ func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) { defaultSigstoreTUFClientOnce.Do(func() { defaultSigstoreTUFClient, err = sigstoreTUF.DefaultClient() if err != nil { - defaultSigstoreTUFClientOnce = sync.Once{} + defaultSigstoreTUFClientOnce = new(sync.Once) return } }) @@ -44,14 +44,17 @@ func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) { // GetSigstoreTrustedRoot returns the trusted root for the Sigstore TUF client. func GetSigstoreTrustedRoot() (*sigstoreRoot.TrustedRoot, error) { - client, err := GetDefaultSigstoreTUFClient() - if err != nil { - return nil, err - } + var err error trustedRootOnce.Do(func() { + client, err := GetDefaultSigstoreTUFClient() + if err != nil { + trustedRootOnce = new(sync.Once) + return + } trustedRoot, err = sigstoreRoot.GetTrustedRoot(client) if err != nil { - trustedRootOnce = sync.Once{} + trustedRootOnce = new(sync.Once) + return } }) if err != nil { From a069b55601fb0f19fcf6937cfbaec1e59b417635 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 18 Jul 2024 14:31:01 +0000 Subject: [PATCH 10/19] cleanup comment Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/rekor.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index 609c8544c..73bdc9900 100644 --- a/verifiers/internal/gha/rekor.go 
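Review bot: In `GetSigstoreTrustedRoot`, `client, err := GetDefaultSigstoreTUFClient()` inside the `Do` closure declares a new `err` that shadows the `var err error` added above it, so both that failure and a failing `sigstoreRoot.GetTrustedRoot(client)` assign to the inner variable and the `if err != nil` after `Do` never fires; the function then returns a nil `*sigstoreRoot.TrustedRoot` with a nil error, and the callers on this page (`verifyTlogEntry`, `VerifyLeafCertificate`, `NpmNew`) receive nil trusted material instead of an error. Declare the client outside the short declaration: `var client *sigstoreTUF.Client` followed by `client, err = GetDefaultSigstoreTUFClient()`. PATCH 13 below applies the equivalent rename (`getErr`) to cosign.go only; its diffstat does not include sigstore_tuf.go. The hunk's closing `return nil, err` lies outside the visible lines.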
+++ b/verifiers/internal/gha/rekor.go @@ -389,7 +389,7 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstore return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err) } - // 2. Verify signature using validated certificate. + // Verify signature using validated certificate. verifier, err := signature.LoadVerifier(cert.PublicKey, crypto.SHA256) verifier = dsseverifier.WrapVerifier(verifier) if err := verifier.VerifySignature(bytes.NewReader(attBytes), bytes.NewReader(attBytes)); err != nil { From 9648ed5d2a425b61aacb51edbb5eb1543e3af914 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 18 Jul 2024 14:35:14 +0000 Subject: [PATCH 11/19] move getDefaultCosignCheckOpts() to cosign.go Signed-off-by: Ramon Petgrave --- .../gha/{trusted_root.go => cosign.go} | 20 ------------------- 1 file changed, 20 deletions(-) rename verifiers/internal/gha/{trusted_root.go => cosign.go} (74%) diff --git a/verifiers/internal/gha/trusted_root.go b/verifiers/internal/gha/cosign.go similarity index 74% rename from verifiers/internal/gha/trusted_root.go rename to verifiers/internal/gha/cosign.go index 568cbe9bf..5975fe0f5 100644 --- a/verifiers/internal/gha/trusted_root.go +++ b/verifiers/internal/gha/cosign.go @@ -5,10 +5,7 @@ import ( "fmt" "sync" - "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" - "github.com/sigstore/cosign/v2/pkg/cosign" - sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/fulcioroots" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" ) 
@@ -21,23 +18,6 @@ var ( defaultCosignCheckOptsOnce = new(sync.Once) ) -// TrustedRoot struct that holds the verification material necessary -// to validate items. MUST be populated out of band. -type TrustedRoot struct { - *sigstoreRoot.TrustedRoot -} - -// getTrustedRoot returns a custom TrustedRoot embedded with a cached TrustedRoot from the default Sigstore TUF client. -func TrustedRootSingleton(ctx context.Context) (*TrustedRoot, error) { - sigstoreTrustedRoot, err := utils.GetSigstoreTrustedRoot() - if err != nil { - return nil, err - } - return &TrustedRoot{ - TrustedRoot: sigstoreTrustedRoot, - }, nil -} - // getDefaultCosignCheckOpts returns the default cosign check options. // This is cached in memory. // CheckOpts.RegistryClientOpts must be added by the receiver. From 5995c15c1845e2daa535acae15afb4527d25c32a Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 18 Jul 2024 14:53:32 +0000 Subject: [PATCH 12/19] cleanup Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/sigstore.go | 91 ------------------------------ 1 file changed, 91 deletions(-) delete mode 100644 verifiers/internal/gha/sigstore.go diff --git a/verifiers/internal/gha/sigstore.go b/verifiers/internal/gha/sigstore.go deleted file mode 100644 index 50a52c9bf..000000000 --- a/verifiers/internal/gha/sigstore.go +++ /dev/null 
@@ -1,91 +0,0 @@ -package gha - -import ( - "context" - - "github.com/sigstore/sigstore-go/pkg/bundle" - "github.com/sigstore/sigstore-go/pkg/verify" - "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" - - protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" -) - -func verifySigstoreBundle(ctx context.Context, provenanceBytes []byte) (*SignedAttestation, error) { - sigstoreTrustedRoot, err := utils.GetSigstoreTrustedRoot() - if err != nil { - return nil, err - } - - verifier, err := verify.NewSignedEntityVerifier( - sigstoreTrustedRoot, - verify.WithSignedCertificateTimestamps(1), - verify.WithTransparencyLog(1), - verify.WithObserverTimestamps(1), - ) - if err != nil { - return nil, err - } - - // certID, err := verify.NewShortCertificateIdentity( - // "https://token.actions.githubusercontent.com", - // "", - // "", - // "^https://github.com/slsa-framework/example-package/", - // ) - // if err != nil { - // return nil, err - // } - - policy := verify.NewPolicy( - verify.WithoutArtifactUnsafe(), - // verify.WithCertificateIdentity(certID), - // WithCertificateIdentity() checks if the SAN matches with the given identity regex - // TODO: I think the SAN in the certificate is verified later on in the code, which allows the SAN - // to be any of the trusted builder IDs. 
- verify.WithoutIdentitiesUnsafe(), - ) - - bundle, err := loadBundleFromBytes(provenanceBytes) - if err != nil { - return nil, err - } - - _, err = verifier.Verify(bundle, policy) - if err != nil { - return nil, err - } - - return getSignedAttestationFromSigstoreBundle(ctx, bundle) -} - -func loadBundleFromBytes(provenanceBytes []byte) (*bundle.ProtobufBundle, error) { - var bundle bundle.ProtobufBundle - bundle.Bundle = new(protobundle.Bundle) - err := bundle.UnmarshalJSON(provenanceBytes) - if err != nil { - return nil, err - } - return &bundle, nil -} - -func getSignedAttestationFromSigstoreBundle(ctx context.Context, bundle *bundle.ProtobufBundle) (*SignedAttestation, error) { - envelope, err := getEnvelopeFromBundle(bundle.Bundle) - if err != nil { - return nil, err - } - - cert, err := getLeafCertFromBundle(bundle.Bundle) - if err != nil { - return nil, err - } - - publicKey := bundle.GetVerificationMaterial().GetPublicKey() - - signedAttestation := &SignedAttestation{ - Envelope: envelope, - SigningCert: cert, - // RekorEntry: nil, // no need to set this field, if we're not directly using rekor - PublicKey: publicKey, - } - return signedAttestation, nil -} From 20c3480731449d3b255ed809361ab4f7138f6409 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 18 Jul 2024 15:50:39 +0000 Subject: [PATCH 13/19] lint Signed-off-by: Ramon Petgrave --- cli/slsa-verifier/main_regression_test.go | 1 - verifiers/internal/gha/cosign.go | 14 +++++++------- verifiers/internal/gha/rekor.go | 19 +++++++++++-------- verifiers/internal/gha/verifier.go | 1 - 4 files changed, 18 insertions(+), 17 deletions(-) diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go index f502f0480..a7ade249f 100644 --- a/cli/slsa-verifier/main_regression_test.go +++ b/cli/slsa-verifier/main_regression_test.go 
@@ -523,7 +523,6 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) { noversion: true, }, } - // tests = tests[:1] for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below t.Run(tt.name, func(t *testing.T) { diff --git a/verifiers/internal/gha/cosign.go b/verifiers/internal/gha/cosign.go index 5975fe0f5..cd1aeb1e5 100644 --- a/verifiers/internal/gha/cosign.go +++ b/verifiers/internal/gha/cosign.go @@ -22,32 +22,32 @@ var ( // This is cached in memory. // CheckOpts.RegistryClientOpts must be added by the receiver. func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) { - var err error + var getErr error // Initialize the defaultCosignCheckOpts. // defaultCosignCheckOptsOnce is reinitialized upon error. defaultCosignCheckOptsOnce.Do(func() { rootCerts, err := fulcioroots.Get() if err != nil { - err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) defaultCosignCheckOptsOnce = new(sync.Once) return } intermediateCerts, err := fulcioroots.GetIntermediates() if err != nil { - err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) defaultCosignCheckOptsOnce = new(sync.Once) return } rekorPubKeys, err := cosign.GetRekorPubs(ctx) if err != nil { - err = fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) + getErr = fmt.Errorf("%w: %s", serrors.ErrorRekorPubKey, err) defaultCosignCheckOptsOnce = new(sync.Once) return } ctPubKeys, err := cosign.GetCTLogPubs(ctx) if err != nil { // this is unexpected, hold on to this error. - err = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) + getErr = fmt.Errorf("%w: %s", serrors.ErrorInternal, err) defaultCosignCheckOptsOnce = new(sync.Once) return } 
@@ -59,8 +59,8 @@ func getDefaultCosignCheckOpts(ctx context.Context) (*cosign.CheckOpts, error) {
CTLogPubKeys: ctPubKeys,
}
})
- if err != nil {
- return nil, err
+ if getErr != nil {
+ return nil, getErr
}
return defaultCosignCheckOpts, nil
}
diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go
index 73bdc9900..5c2033191 100644
--- a/verifiers/internal/gha/rekor.go
+++ b/verifiers/internal/gha/rekor.go
@@ -16,7 +16,7 @@ import (
cjson "github.com/docker/go/canonical/json"
"github.com/go-openapi/runtime"
- "github.com/sigstore/rekor/pkg/generated/client"
+ rekorGenClient "github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/rekor/pkg/generated/client/entries"
"github.com/sigstore/rekor/pkg/generated/client/index"
"github.com/sigstore/rekor/pkg/generated/models"
@@ -43,12 +43,12 @@ const (
)
var (
- defaultRekorClient *client.Rekor
+ defaultRekorClient *rekorGenClient.Rekor
defaultRekorClientOnce = new(sync.Once)
)
// getDefaultRekorClient returns a cached Rekor client.
-func getDefaultRekorClient() (*client.Rekor, error) {
+func getDefaultRekorClient() (*rekorGenClient.Rekor, error) {
var err error
defaultRekorClientOnce.Do(func() {
defaultRekorClient, err = rekorClient.GetRekorClient(defaultRekorAddr)
@@ -63,14 +63,14 @@ func getDefaultRekorClient() (*client.Rekor, error) {
return defaultRekorClient, nil
}
-func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor,
+func verifyTlogEntryByUUID(ctx context.Context, client *rekorGenClient.Rekor,
entryUUID string, trustedRoot *sigstoreRoot.TrustedRoot) (
*models.LogEntryAnon, error,
) {
params := entries.NewGetLogEntryByUUIDParamsWithContext(ctx)
params.EntryUUID = entryUUID
- lep, err := rekorClient.Entries.GetLogEntryByUUID(params)
+ lep, err := client.Entries.GetLogEntryByUUID(params)
if err != nil {
return nil, err
}
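Review bot: `return defaultCosignCheckOpts, nil` at the end of this hunk can hand back `(nil, nil)`: `getErr` is a local of whichever goroutine ran the Once callback, so a second caller that was blocked on `defaultCosignCheckOptsOnce.Do` while the first caller's initialization failed returns with its own `getErr` still nil and `defaultCosignCheckOpts` never assigned. A guard after the Do, `if defaultCosignCheckOpts == nil { return nil, fmt.Errorf("%w: cosign check opts not initialized", serrors.ErrorInternal) }`, closes that window. The rename from `err` to `getErr` in the preceding hunk of this file is right, since the closure's `:=` results no longer shadow the value the function returns, but the `defaultCosignCheckOptsOnce = new(sync.Once)` writes there happen inside the callback while other goroutines may be reading the same package variable, which is a data race; a mutex plus a stored error would replace the reset idiom. getDefaultCosignCheckOpts starts in the preceding hunk, and the lines between the two hunks are not shown.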
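Review bot: The renamed parameter `client` in `verifyTlogEntryByUUID` departs from the naming used by the other functions in this file that take the same `*rekorGenClient.Rekor` — `getUUIDsByArtifactDigest`, `GetValidSignedAttestationWithCert` and `SearchValidSignedAttestation` in the following hunks all call it `rClient` — and `client` was until this commit the package name of that import, so it reads like a package reference. Using `rClient` here keeps the file consistent: `func verifyTlogEntryByUUID(ctx context.Context, rClient *rekorGenClient.Rekor,` and `lep, err := rClient.Entries.GetLogEntryByUUID(params)`. The body of verifyTlogEntryByUUID continues past the end of the hunk.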
@@ -219,7 +219,7 @@ func dsseEntry(certPem, provenance []byte) (models.ProposedEntry, error) {
}
// getUUIDsByArtifactDigest finds all entry UUIDs by the digest of the artifact binary.
-func getUUIDsByArtifactDigest(rClient *client.Rekor, artifactHash string) ([]string, error) {
+func getUUIDsByArtifactDigest(rClient *rekorGenClient.Rekor, artifactHash string) ([]string, error) {
// Use search index to find rekor entry UUIDs that match Subject Digest.
params := index.NewSearchIndexParams()
params.Query = &models.SearchIndex{Hash: fmt.Sprintf("sha256:%v", artifactHash)}
@@ -238,7 +238,7 @@ func getUUIDsByArtifactDigest(rClient *client.Rekor, artifactHash string) ([]str
// GetValidSignedAttestationWithCert finds and validates the matching entry UUIDs with
// the full intoto attestation.
// The attestation generated by the slsa-github-generator libraries contain a signing certificate.
-func GetValidSignedAttestationWithCert(rClient *client.Rekor,
+func GetValidSignedAttestationWithCert(rClient *rekorGenClient.Rekor,
provenance []byte, trustedRoot *sigstoreRoot.TrustedRoot,
) (*SignedAttestation, error) {
// Use intoto attestation to find rekor entry UUIDs.
@@ -310,7 +310,7 @@ func GetValidSignedAttestationWithCert(rClient *client.Rekor,
// SearchValidSignedAttestation searches for a valid signing certificate using the Rekor
// Redis search index by using the artifact digest.
func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte,
- rClient *client.Rekor, trustedRoot *sigstoreRoot.TrustedRoot,
+ rClient *rekorGenClient.Rekor, trustedRoot *sigstoreRoot.TrustedRoot,
) (*SignedAttestation, error) {
// Get Rekor UUIDs by artifact digest.
uuids, err := getUUIDsByArtifactDigest(rClient, artifactHash)
@@ -391,6 +391,9 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstore
// Verify signature using validated certificate.
verifier, err := signature.LoadVerifier(cert.PublicKey, crypto.SHA256)
+ if err != nil {
+ return err
+ }
verifier = dsseverifier.WrapVerifier(verifier)
if err := verifier.VerifySignature(bytes.NewReader(attBytes), bytes.NewReader(attBytes)); err != nil {
return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index 5d4f7dd9b..b384df730 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -220,7 +220,6 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,
return nil, nil, err
}
- // trustedRoot, err := utils.GetSigstoreTrustedRoot()
trustedRoot, err := utils.GetSigstoreTrustedRoot()
if err != nil {
return nil, nil, err
From e48bc0b39d9a60af36e32b0f99ea3c82df8d18d0 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Thu, 18 Jul 2024 16:41:22 +0000 Subject: [PATCH 14/19] lint Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/builder.go | 3 --- 1 file changed, 3 deletions(-)
diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
index 8023865dd..cebad42e5 100644
--- a/verifiers/internal/gha/builder.go
+++ b/verifiers/internal/gha/builder.go
@@ -22,9 +22,6 @@ var (
certOidcIssuer = "https://token.actions.githubusercontent.com"
githubCom = "github.com/"
httpsGithubCom = "https://" + githubCom
- // This is used in cosign's CheckOpts for validating the certificate. We
- // do specific builder verification after this.
- certSubjectRegexp = httpsGithubCom + "*"
)
var defaultArtifactTrustedReusableWorkflows = map[string]bool{
From ee473059f1580b47dd18b8ee0939d7d1d80f60f6 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Fri, 26 Jul 2024 20:22:28 +0000 Subject: [PATCH 15/19] upgrade sigstore-go 0.5.1
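Review bot: The added `return err` after `signature.LoadVerifier` passes the library error through unwrapped, while the failure path a few lines below in the same function classifies with `fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)`, so callers matching the `serrors` sentinels with `errors.Is` will not see a certificate whose key cannot be loaded as a verification failure. Wrapping it the same way, `return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)`, keeps this function's error contract uniform; if an unsupported key type is meant to be reported as unexpected instead, `serrors.ErrorInternal` is the sentinel cosign.go in this series uses for library failures. The check itself is the right fix, since `WrapVerifier` would presumably otherwise have been handed a nil verifier. verifySignedAttestation starts and ends outside the hunk.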
Signed-off-by: Ramon Petgrave --- go.mod | 47 ++++----- go.sum | 176 ++++++++++++++++---------------- verifiers/internal/gha/rekor.go | 2 +- 3 files changed, 113 insertions(+), 112 deletions(-)
diff --git a/go.mod b/go.mod
index ae76dc60c..28980877e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
module github.com/slsa-framework/slsa-verifier/v2
-go 1.21
-
-toolchain go1.21.6
+go 1.22.0
require (
github.com/docker/go v1.5.1-1
@@ -12,18 +10,18 @@ require (
github.com/in-toto/in-toto-golang v0.9.0
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/rekor v1.3.6
- github.com/sigstore/sigstore v1.8.3
+ github.com/sigstore/sigstore v1.8.7
)
require (
- github.com/google/go-containerregistry v0.19.1
+ github.com/google/go-containerregistry v0.20.0
github.com/gorilla/mux v1.8.1
github.com/in-toto/attestation v1.1.0
github.com/sigstore/cosign/v2 v2.2.4
- github.com/sigstore/sigstore-go v0.4.0
+ github.com/sigstore/sigstore-go v0.5.1
github.com/slsa-framework/slsa-github-generator v1.9.0
- github.com/spf13/cobra v1.8.0
- golang.org/x/mod v0.18.0
+ github.com/spf13/cobra v1.8.1
+ golang.org/x/mod v0.19.0
sigs.k8s.io/release-utils v0.7.7
)
@@ -31,6 +29,7 @@ require (
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
+ github.com/go-jose/go-jose/v4 v4.0.2 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/google/uuid v1.6.0 // indirect
@@ -39,12 +38,11 @@ require (
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
- github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 // indirect
+ github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
- go.opentelemetry.io/otel/metric v1.24.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
- gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+ go.opentelemetry.io/otel/metric v1.27.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
)
require (
@@ -68,9 +66,8 @@ require (
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
- github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
- github.com/google/certificate-transparency-go v1.1.8 // indirect
+ github.com/google/certificate-transparency-go v1.2.1 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
@@ -78,7 +75,7 @@ require (
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/klauspost/compress v1.17.4 // indirect
- github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
+ github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
@@ -104,19 +101,19 @@ require (
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
- go.opentelemetry.io/otel v1.24.0 // indirect
- go.opentelemetry.io/otel/trace v1.24.0 // indirect
+ go.opentelemetry.io/otel v1.27.0 // indirect
+ go.opentelemetry.io/otel/trace v1.27.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
- golang.org/x/crypto v0.23.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
- golang.org/x/net v0.23.0 // indirect
+ golang.org/x/net v0.26.0 // indirect
golang.org/x/sync v0.7.0 // indirect
- golang.org/x/sys v0.20.0 // indirect
- golang.org/x/term v0.20.0 // indirect
- golang.org/x/text v0.15.0 // indirect
- google.golang.org/grpc v1.62.1 // indirect
- google.golang.org/protobuf v1.34.1
+ golang.org/x/sys v0.22.0 // indirect
+ golang.org/x/term v0.22.0 // indirect
+ golang.org/x/text v0.16.0 // indirect
+ google.golang.org/grpc v1.64.1 // indirect
+ google.golang.org/protobuf v1.34.2
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect
diff --git a/go.sum b/go.sum
index 089cd9731..acbfb616d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,6 @@ cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU= -cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE= +cloud.google.com/go/compute v1.25.1 h1:ZRpHJedLtTpKgr3RV1Fx23NuaAEN1Zfx9hw1u4aJdjU= +cloud.google.com/go/compute v1.25.1/go.mod h1:oopOIR53ly6viBYxaDhBfJwzUAxf1zE//uf3IB011ls= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= 
@@ -85,38 +85,38 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU= github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= -github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= -github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= -github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao= -github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48= +github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8= +github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk= +github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod 
h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c= +github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c= +github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod 
h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8= github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU= github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0= -github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= -github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw= +github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 
h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk= +github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -150,9 +150,9 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= -github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= -github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= +github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= 
@@ -201,8 +201,8 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= -github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= +github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -230,9 +230,11 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= -github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= -github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= +github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= +github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= 
@@ -260,8 +262,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to= -github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8= +github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME= +github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
@@ -271,8 +273,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY= -github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg= +github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -312,6 +314,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE= 
@@ -348,8 +353,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 h1:WGrKdjHtWC67RX96eTkYD2f53NDHhrq/7robWTAfk4s= -github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491/go.mod h1:o158RFmdEbYyIZmXAbrvmJWesbyxlLKee6X64VPVuOc= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= +github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 
@@ -377,8 +382,9 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE= github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY= +github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM= 
@@ -414,8 +420,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= -github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= 
@@ -455,10 +461,10 @@ github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWw github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= -github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= -github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= -github.com/sigstore/sigstore-go v0.4.0 h1:0BxofjPnd+1LzyiCgsFP0NviMg8l20ZMf4aitkvYEU8= -github.com/sigstore/sigstore-go v0.4.0/go.mod h1:KZQFwvDItf1sr5P8YhVIjjXBe1ZyeFuC4odn7/2Uie0= +github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg= +github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA= +github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y= +github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= 
@@ -481,8 +487,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= 
@@ -511,8 +517,8 @@ github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gt github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk= -github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= +github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs= +github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho= 
@@ -538,18 +544,18 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= -go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= -go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= -go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= -go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= -go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= -go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= -go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A= 
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0= +go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg= +go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ= +go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik= +go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak= +go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI= +go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A= +go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw= +go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4= go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -561,13 +567,13 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY= golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -576,10 +582,10 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= -golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -602,18 +608,18 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= -golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time 
v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -630,12 +636,12 @@ google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis= google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s= google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U= -google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 h1:oqta3O3AnlWbmIE3bFnWbu4bRxZjfbWCp0cKSuZh01E= -google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= -google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= -google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 h1:P8OJ/WCl/Xo4E4zoe4/bifHpSmmKwARqyqE4nW6J2GQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:RGnPtTG7r4i8sPlNyDeikXF99hMM+hN6QMm4ooG9g2g= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 h1:Q2RxlXqh1cgzzUgV261vBO2jI5R/3DD1J2pM0nI4NhU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= +google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA= +google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod 
h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -644,14 +650,12 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs= -gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go index 5c2033191..34bfd4704 100644 --- a/verifiers/internal/gha/rekor.go +++ b/verifiers/internal/gha/rekor.go 
@@ -384,7 +384,7 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstore
 	signatureTimestamp := time.Unix(*signedAtt.RekorEntry.IntegratedTime, 0)
 	// Verify the certificate chain, and that the certificate was valid at the time of signing.
-	if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, *cert, trustedRoot); err != nil {
+	if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, cert, trustedRoot); err != nil {
 		fmt.Fprintf(os.Stderr, "error verifying leaf certificate with sisgtore-go: %v\n", err)
 		return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
 	}

From 3d3666ad4b422c891ea94f12963d6e6a6aba0002 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Fri, 26 Jul 2024 20:49:39 +0000
Subject: [PATCH 16/19] add VerifySignedCertificateTimestamp

Signed-off-by: Ramon Petgrave
---
 verifiers/internal/gha/rekor.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go
index 34bfd4704..00422d07c 100644
--- a/verifiers/internal/gha/rekor.go
+++ b/verifiers/internal/gha/rekor.go
@@ -385,7 +385,11 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstore
 	// Verify the certificate chain, and that the certificate was valid at the time of signing.
 	if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, cert, trustedRoot); err != nil {
-		fmt.Fprintf(os.Stderr, "error verifying leaf certificate with sisgtore-go: %v\n", err)
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
+	}
+
+	// Verify the Signed Certificate Timestamps.
+	if err := sigstoreVerify.VerifySignedCertificateTimestamp(cert, 1, trustedRoot); err != nil {
 		return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
 	}

From 3817352c1b54f360ee9e98bb988d2e21e79b2a12 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Fri, 26 Jul 2024 21:18:31 +0000
Subject: [PATCH 17/19] verify the cert id information
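Review bot: `sigstoreVerify.VerifySignedCertificateTimestamp(cert, 1, trustedRoot)` passes the SCT threshold as a bare literal; give it a name so the policy is visible and reusable, e.g. `const sctThreshold = 1` and `sigstoreVerify.VerifySignedCertificateTimestamp(cert, sctThreshold, trustedRoot)`. Both failure branches wrap with `"%w: %s"`, which keeps `serrors.ErrorInvalidSignature` in the chain but flattens the sigstore-go error to text, so a caller cannot `errors.Is`/`errors.As` the underlying cause; if the module is on Go 1.20 or later, `fmt.Errorf("%w: %w", serrors.ErrorInvalidSignature, err)` preserves both, and the same applies to the identity checks this function gains in the next commit (rekor.go hunk below). `verifySignedAttestation` starts and ends outside this hunk.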
Signed-off-by: Ramon Petgrave
---
 verifiers/internal/gha/builder.go | 3 +++
 verifiers/internal/gha/rekor.go | 20 +++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
index cebad42e5..dbe0479be 100644
--- a/verifiers/internal/gha/builder.go
+++ b/verifiers/internal/gha/builder.go
@@ -22,6 +22,9 @@ var (
 	certOidcIssuer = "https://token.actions.githubusercontent.com"
 	githubCom = "github.com/"
 	httpsGithubCom = "https://" + githubCom
+	// This is used in sigstore-go's NewShortCertificateIdentity for validating the certificate. We
+	// do specific builder verification after this.
+	certSubjectRegexp = httpsGithubCom + "*"
 )
 
 var defaultArtifactTrustedReusableWorkflows = map[string]bool{
diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go
index 00422d07c..b4a79a7a1 100644
--- a/verifiers/internal/gha/rekor.go
+++ b/verifiers/internal/gha/rekor.go
@@ -33,6 +33,7 @@ import (
 	"github.com/slsa-framework/slsa-github-generator/signing/envelope"
 
 	rekorClient "github.com/sigstore/rekor/pkg/client"
+	sigstoreFulcioCertificate "github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
 	sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
 	sigstoreVerify "github.com/sigstore/sigstore-go/pkg/verify"
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
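Review bot: `certSubjectRegexp = httpsGithubCom + "*"` evaluates to `https://github.com/*`, which as a regular expression means "https://github.com" followed by zero or more slashes, unanchored and with the `.` matching any character — so it never actually requires the trailing `/`, accepts a hostname that differs from `github.com` at that one position, and matches the string anywhere inside the SAN rather than as a prefix. If a prefix check is the intent, anchor and escape it: `certSubjectRegexp = "^" + regexp.QuoteMeta(httpsGithubCom)` (with `regexp` imported in builder.go). The comment says later builder checks follow, and they may compensate, but the value is consumed as the SAN regexp by `NewShortCertificateIdentity` in the rekor.go hunk of this commit (next file), where it reads like a glob while acting as an almost unconstrained match; the `var (` block starts outside this hunk.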
@@ -385,12 +386,25 @@ func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstore
 	// Verify the certificate chain, and that the certificate was valid at the time of signing.
 	if err := sigstoreVerify.VerifyLeafCertificate(signatureTimestamp, cert, trustedRoot); err != nil {
-		return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)
 	}
 
-	// Verify the Signed Certificate Timestamps.
+	// Verify the Signed Certificate Timestamps (SCTs).
 	if err := sigstoreVerify.VerifySignedCertificateTimestamp(cert, 1, trustedRoot); err != nil {
-		return fmt.Errorf("%w: %s", serrors.ErrorInvalidSignature, err)
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)
+	}
+
+	// Verify the certificate identity information.
+	summary, err := sigstoreFulcioCertificate.SummarizeCertificate(cert)
+	if err != nil {
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)
+	}
+	certID, err := sigstoreVerify.NewShortCertificateIdentity(certOidcIssuer, "", "", certSubjectRegexp)
+	if err != nil {
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)
+	}
+	if err := certID.Verify(summary); err != nil {
+		return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)
 	}
 
 	// Verify signature using validated certificate.

From d0f0a416f976e95f9dc5e99d5d64010520b8973d Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Fri, 26 Jul 2024 22:10:24 +0000
Subject: [PATCH 18/19] update linters

Signed-off-by: Ramon Petgrave
---
 .github/workflows/pre-submit.lint.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
index d91cd6158..565ef31ca 100644
--- a/.github/workflows/pre-submit.lint.yml
+++ b/.github/workflows/pre-submit.lint.yml
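Review bot: `certID` is rebuilt on every call to `verifySignedAttestation` from the package-level constants `certOidcIssuer` and `certSubjectRegexp`, which presumably re-validates (and compiles) the same regexp per attestation and turns a misconfigured constant into a per-verification runtime failure rather than a startup one; build it once — a package-level value initialised through a `sync.Once`, or in `init` with a loud failure — and reuse it here. The three new `return fmt.Errorf("%w: %s", serrors.ErrorInvalidCertificate, err)` branches are identical; a small helper or a single error path would keep the function readable as further checks are added. The identity check also sits after the chain and SCT checks but before the signature check, which is a sensible order worth stating in the comment: `// Verify the certificate identity information (issuer and SAN) before trusting its key for the signature check below.` `verifySignedAttestation` starts and ends outside this hunk.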
@@ -11,18 +11,18 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: "go.mod" # not needed but gets rid of warnings cache: false - - uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4 + - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 name: golangci-lint with: # Require: The version of golangci-lint to use. # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version. # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit. - version: v1.55.2 + version: v1.59.1 yamllint: runs-on: ubuntu-latest From e11223af0106f39d47ad85349528e077bd61e3ae Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Wed, 31 Jul 2024 15:35:50 +0000 Subject: [PATCH 19/19] change to LiveTrustedRoot Signed-off-by: Ramon Petgrave --- verifiers/internal/gha/bundle.go | 8 ++++---- verifiers/internal/gha/npm.go | 4 ++-- verifiers/internal/gha/provenance.go | 2 +- verifiers/internal/gha/rekor.go | 10 +++++----- verifiers/utils/sigstore_tuf.go | 12 ++++-------- 5 files changed, 16 insertions(+), 20 deletions(-) diff --git a/verifiers/internal/gha/bundle.go b/verifiers/internal/gha/bundle.go index 9a57e9b04..4b6ffec24 100644 --- a/verifiers/internal/gha/bundle.go +++ b/verifiers/internal/gha/bundle.go 
@@ -37,7 +37,7 @@ func IsSigstoreBundle(bytes []byte) bool {
 // verifyRekorEntryFromBundle extracts and verifies the Rekor entry from the Sigstore
 // bundle verification material, validating the SignedEntryTimestamp.
 func verifyRekorEntryFromBundle(ctx context.Context, tlogEntry *v1.TransparencyLogEntry,
-	trustedRoot *sigstoreRoot.TrustedRoot) (
+	trustedRoot *sigstoreRoot.LiveTrustedRoot) (
 	*models.LogEntryAnon, error,
 ) {
 	canonicalBody := tlogEntry.GetCanonicalizedBody()
@@ -160,7 +160,7 @@ func matchRekorEntryWithEnvelope(tlogEntry *v1.TransparencyLogEntry, env *dsseli
 // returns the verified DSSE envelope containing the provenance
 // and the signing certificate given the provenance.
 func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
-	trustedRoot *sigstoreRoot.TrustedRoot) (
+	trustedRoot *sigstoreRoot.LiveTrustedRoot) (
 	*SignedAttestation, error,
 ) {
 	proposedSignedAtt, err := verifyBundleAndEntryFromBytes(ctx, bundleBytes, trustedRoot, true)
@@ -177,7 +177,7 @@ func VerifyProvenanceBundle(ctx context.Context, bundleBytes []byte,
 // verifyBundleAndEntry validates the rekor entry inn the bundle
 // and that the entry (cert, signatures) matches the data in the bundle.
 func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle,
-	trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool,
+	trustedRoot *sigstoreRoot.LiveTrustedRoot, requireCert bool,
 ) (*SignedAttestation, error) {
 	// We only expect one TLOG entry. If this changes in the future, we must iterate
 	// for a matching one.
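Review bot: Every signature in this commit is narrowed from `*sigstoreRoot.TrustedRoot` to the concrete `*sigstoreRoot.LiveTrustedRoot` (here in bundle.go and likewise in the npm.go, provenance.go and rekor.go hunks of this commit), yet the only thing these functions do with the value is hand it to sigstore-go verifiers, which accept the `sigstoreRoot.TrustedMaterial` interface that both types satisfy. Taking `trustedRoot sigstoreRoot.TrustedMaterial` instead keeps callers and tests free to pass a static root built from a fixture without a TUF fetch, and avoids touching these signatures again the next time the root type changes; this is inferred from the visible lines, so confirm no caller relies on `LiveTrustedRoot`-specific methods. A one-line doc note on the exported functions would also help: `// trustedRoot is only used as verification material; any TrustedMaterial implementation is accepted.`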
@@ -227,7 +227,7 @@ func verifyBundleAndEntry(ctx context.Context, bundle *bundle_v1.Bundle,
 // verifyBundleAndEntryFromBytes validates the rekor entry inn the bundle
 // and that the entry (cert, signatures) matches the data in the bundle.
 func verifyBundleAndEntryFromBytes(ctx context.Context, bundleBytes []byte,
-	trustedRoot *sigstoreRoot.TrustedRoot, requireCert bool,
+	trustedRoot *sigstoreRoot.LiveTrustedRoot, requireCert bool,
 ) (*SignedAttestation, error) {
 	// Extract the SigningCert, Envelope, and RekorEntry from the bundle.
 	var bundle bundle_v1.Bundle
diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go
index a09b89bad..e8d7b1dee 100644
--- a/verifiers/internal/gha/npm.go
+++ b/verifiers/internal/gha/npm.go
@@ -51,7 +51,7 @@ func (b *BundleBytes) UnmarshalJSON(data []byte) error {
 
 type Npm struct {
 	ctx context.Context
-	root *sigstoreRoot.TrustedRoot
+	root *sigstoreRoot.LiveTrustedRoot
 	verifiedBuilderID *utils.TrustedBuilderID
 	verifiedProvenanceAtt *SignedAttestation
 	verifiedPublishAtt *SignedAttestation
@@ -67,7 +67,7 @@ func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate {
 	return n.verifiedProvenanceAtt.SigningCert
 }
 
-func NpmNew(ctx context.Context, root *sigstoreRoot.TrustedRoot, attestationBytes []byte) (*Npm, error) {
+func NpmNew(ctx context.Context, root *sigstoreRoot.LiveTrustedRoot, attestationBytes []byte) (*Npm, error) {
 	var aSet attestationSet
 	if err := json.Unmarshal(attestationBytes, &aSet); err != nil {
 		return nil, fmt.Errorf("%w: json.Unmarshal: %v", errrorInvalidAttestations, err)
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index df27e077f..ff3d47fb6 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -210,7 +210,7 @@ func verifyDigest(prov iface.Provenance, expectedHash string) error {
 
 // VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance
 // and the signing certificate given the provenance and artifact hash.
-func VerifyProvenanceSignature(ctx context.Context, trustedRoot *sigstoreRoot.TrustedRoot,
+func VerifyProvenanceSignature(ctx context.Context, trustedRoot *sigstoreRoot.LiveTrustedRoot,
 	rClient *client.Rekor, provenance []byte, artifactHash string) (
 	*SignedAttestation, error,
 ) {
diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go
index b4a79a7a1..4c3e17fb2 100644
--- a/verifiers/internal/gha/rekor.go
+++ b/verifiers/internal/gha/rekor.go
@@ -65,7 +65,7 @@ func getDefaultRekorClient() (*rekorGenClient.Rekor, error) {
 }
 
 func verifyTlogEntryByUUID(ctx context.Context, client *rekorGenClient.Rekor,
-	entryUUID string, trustedRoot *sigstoreRoot.TrustedRoot) (
+	entryUUID string, trustedRoot *sigstoreRoot.LiveTrustedRoot) (
 	*models.LogEntryAnon, error,
 ) {
 	params := entries.NewGetLogEntryByUUIDParamsWithContext(ctx)
@@ -105,7 +105,7 @@ func verifyTlogEntryByUUID(ctx context.Context, client *rekorGenClient.Rekor,
 // Verification includes verifying the SignedEntryTimestamp and, if verifyInclusion
 // is true, the inclusion proof along with the signed tree head.
 func verifyTlogEntry(ctx context.Context, e models.LogEntryAnon,
-	verifyInclusion bool, trustedRoot *sigstoreRoot.TrustedRoot) (
+	verifyInclusion bool, trustedRoot *sigstoreRoot.LiveTrustedRoot) (
 	*models.LogEntryAnon, error,
 ) {
 	// get the public key from sigstore-go
@@ -240,7 +240,7 @@ func getUUIDsByArtifactDigest(rClient *rekorGenClient.Rekor, artifactHash string
 // the full intoto attestation.
 // The attestation generated by the slsa-github-generator libraries contain a signing certificate.
 func GetValidSignedAttestationWithCert(rClient *rekorGenClient.Rekor,
-	provenance []byte, trustedRoot *sigstoreRoot.TrustedRoot,
+	provenance []byte, trustedRoot *sigstoreRoot.LiveTrustedRoot,
 ) (*SignedAttestation, error) {
 	// Use intoto attestation to find rekor entry UUIDs.
 	params := entries.NewSearchLogQueryParams()
@@ -311,7 +311,7 @@ func GetValidSignedAttestationWithCert(rClient *rekorGenClient.Rekor,
 // SearchValidSignedAttestation searches for a valid signing certificate using the Rekor
 // Redis search index by using the artifact digest.
 func SearchValidSignedAttestation(ctx context.Context, artifactHash string, provenance []byte,
-	rClient *rekorGenClient.Rekor, trustedRoot *sigstoreRoot.TrustedRoot,
+	rClient *rekorGenClient.Rekor, trustedRoot *sigstoreRoot.LiveTrustedRoot,
 ) (*SignedAttestation, error) {
 	// Get Rekor UUIDs by artifact digest.
 	uuids, err := getUUIDsByArtifactDigest(rClient, artifactHash)
@@ -376,7 +376,7 @@ func SearchValidSignedAttestation(ctx context.Context, artifactHash string, prov
 // The certificate is verified up to Fulcio, the signature is validated
 // using the certificate, and the signature generation time is checked
 // to be within the certificate validity period.
-func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstoreRoot.TrustedRoot) error {
+func verifySignedAttestation(signedAtt *SignedAttestation, trustedRoot *sigstoreRoot.LiveTrustedRoot) error {
 	cert := signedAtt.SigningCert
 	attBytes, err := cjson.MarshalCanonical(signedAtt.Envelope)
 	if err != nil {
diff --git a/verifiers/utils/sigstore_tuf.go b/verifiers/utils/sigstore_tuf.go
index fd27712c5..f5c339a06 100644
--- a/verifiers/utils/sigstore_tuf.go
+++ b/verifiers/utils/sigstore_tuf.go
@@ -14,7 +14,7 @@ var (
 	defaultSigstoreTUFClientOnce = new(sync.Once)
 
 	// cache the trusted root.
-	trustedRoot *sigstoreRoot.TrustedRoot
+	trustedRoot *sigstoreRoot.LiveTrustedRoot
 	// trustedRootOnce is used for initializing the trustedRoot.
 	trustedRootOnce = new(sync.Once)
 )
@@ -43,15 +43,11 @@ func GetDefaultSigstoreTUFClient() (*sigstoreTUF.Client, error) {
 }
 
 // GetSigstoreTrustedRoot returns the trusted root for the Sigstore TUF client.
-func GetSigstoreTrustedRoot() (*sigstoreRoot.TrustedRoot, error) {
+func GetSigstoreTrustedRoot() (*sigstoreRoot.LiveTrustedRoot, error) {
 	var err error
 	trustedRootOnce.Do(func() {
-		client, err := GetDefaultSigstoreTUFClient()
-		if err != nil {
-			trustedRootOnce = new(sync.Once)
-			return
-		}
-		trustedRoot, err = sigstoreRoot.GetTrustedRoot(client)
+		opts := sigstoreTUF.DefaultOptions()
+		trustedRoot, err = sigstoreRoot.NewLiveTrustedRoot(opts)
 		if err != nil {
 			trustedRootOnce = new(sync.Once)
 			return
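Review bot: The trusted root is now built from `sigstoreTUF.DefaultOptions()` while `GetDefaultSigstoreTUFClient()` (visible in this hunk's header, and what the removed lines used) presumably still configures its own TUF client, so the two can silently drift if that helper customizes the repository, root or cache; deriving both from one shared options value would keep the root and the client on the same TUF source. The removed `client, err :=` line also shadowed the outer `err`, so the old failure path never reported the client error to the caller — the new `trustedRoot, err =` assignment fixes that, and a short comment would make the intent durable: `// assign to the outer err so Do's failure is returned to the caller`. The unchanged error path that replaces `trustedRootOnce` from inside `Do` writes a package variable without synchronization, which races with a concurrent caller entering `GetSigstoreTrustedRoot`; inferred from the visible lines only. As I recall sigstore-go's implementation, a LiveTrustedRoot starts a background refresh goroutine with no stop handle, which is fine for a long-lived process but worth stating on `GetSigstoreTrustedRoot`: `// Starts a background TUF refresh goroutine that lives for the rest of the process.`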