├── .gitattributes ├── .github ├── dependabot.yml └── workflows │ ├── build.yaml │ ├── codeql-analysis.yml │ ├── conformance-nightly.yml │ ├── conformance.yml │ ├── cosign-test.key │ ├── cosign-test.pub │ ├── cut-release.yml │ ├── depsreview.yml │ ├── donotsubmit.yaml │ ├── e2e-tests.yml │ ├── e2e-with-binary.yml │ ├── github-oidc.yaml │ ├── golangci-lint.yml │ ├── kind-verify-attestation.yaml │ ├── scorecard-action.yml │ ├── tests.yaml │ ├── validate-release.yml │ ├── verify-docgen.yaml │ └── whitespace.yaml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yml ├── .ko.yaml ├── ALUMNI.md ├── CHANGELOG.md ├── CLI.md ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── COPYRIGHT.txt ├── LICENSE ├── Makefile ├── README.md ├── VERSIONING.md ├── artifacthub-repo.yml ├── cmd ├── conformance │ └── main.go ├── cosign │ ├── cli │ │ ├── attach.go │ │ ├── attach │ │ │ ├── attach.go │ │ │ ├── sbom.go │ │ │ └── sig.go │ │ ├── attest.go │ │ ├── attest │ │ │ ├── attest.go │ │ │ ├── attest_blob.go │ │ │ ├── attest_blob_test.go │ │ │ ├── common.go │ │ │ └── common_test.go │ │ ├── attest_blob.go │ │ ├── bundle.go │ │ ├── bundle │ │ │ ├── bundle.go │ │ │ └── bundle_test.go │ │ ├── clean.go │ │ ├── commands.go │ │ ├── completion.go │ │ ├── copy.go │ │ ├── copy │ │ │ ├── copy.go │ │ │ └── copy_test.go │ │ ├── debug.go │ │ ├── debug │ │ │ └── provider.go │ │ ├── dockerfile.go │ │ ├── dockerfile │ │ │ ├── verify.go │ │ │ └── verify_test.go │ │ ├── download.go │ │ ├── download │ │ │ ├── attestation.go │ │ │ ├── sbom.go │ │ │ └── signature.go │ │ ├── env.go │ │ ├── env_test.go │ │ ├── fulcio │ │ │ ├── depcheck_test.go │ │ │ ├── fulcio.go │ │ │ ├── fulcio_test.go │ │ │ └── fulcioverifier │ │ │ │ └── fulcioverifier.go │ │ ├── generate.go │ │ ├── generate │ │ │ ├── generate.go │ │ │ ├── generate_key_pair.go │ │ │ └── generate_key_pair_test.go │ │ ├── generate_key_pair.go │ │ ├── import_key_pair.go │ │ ├── importkeypair │ │ │ ├── import_key_pair.go │ │ │ └── import_key_pair_test.go │ 
│ ├── initialize.go │ │ ├── initialize │ │ │ └── init.go │ │ ├── load.go │ │ ├── manifest.go │ │ ├── manifest │ │ │ ├── verify.go │ │ │ └── verify_test.go │ │ ├── options │ │ │ ├── annotations.go │ │ │ ├── annotations_test.go │ │ │ ├── attach.go │ │ │ ├── attest.go │ │ │ ├── attest_blob.go │ │ │ ├── bundle.go │ │ │ ├── certificate.go │ │ │ ├── clean.go │ │ │ ├── copy.go │ │ │ ├── deprecate.go │ │ │ ├── download.go │ │ │ ├── env.go │ │ │ ├── errors.go │ │ │ ├── experimental.go │ │ │ ├── files.go │ │ │ ├── flags.go │ │ │ ├── flags_test.go │ │ │ ├── fulcio.go │ │ │ ├── generate.go │ │ │ ├── generate_key_pair.go │ │ │ ├── import_key_pair.go │ │ │ ├── initialize.go │ │ │ ├── key.go │ │ │ ├── load.go │ │ │ ├── oidc.go │ │ │ ├── options.go │ │ │ ├── piv_tool.go │ │ │ ├── pkcs11_tool.go │ │ │ ├── predicate.go │ │ │ ├── public_key.go │ │ │ ├── reference.go │ │ │ ├── registry.go │ │ │ ├── registry_test.go │ │ │ ├── rekor.go │ │ │ ├── root.go │ │ │ ├── root_test.go │ │ │ ├── save.go │ │ │ ├── security_key.go │ │ │ ├── sign.go │ │ │ ├── signature_digest.go │ │ │ ├── signblob.go │ │ │ ├── tree.go │ │ │ ├── triangulate.go │ │ │ ├── trustedroot.go │ │ │ ├── upload.go │ │ │ ├── useragent.go │ │ │ └── verify.go │ │ ├── piv_tool.go │ │ ├── piv_tool_disabled.go │ │ ├── pivcli │ │ │ └── commands.go │ │ ├── pkcs11_tool.go │ │ ├── pkcs11_tool_disabled.go │ │ ├── pkcs11cli │ │ │ └── commands.go │ │ ├── public_key.go │ │ ├── publickey │ │ │ ├── public_key.go │ │ │ └── public_key_test.go │ │ ├── rekor │ │ │ ├── rekor.go │ │ │ └── rekor_test.go │ │ ├── save.go │ │ ├── sign.go │ │ ├── sign │ │ │ ├── privacy │ │ │ │ └── privacy.go │ │ │ ├── sign.go │ │ │ ├── sign_blob.go │ │ │ ├── sign_blob_test.go │ │ │ └── sign_test.go │ │ ├── signblob.go │ │ ├── templates │ │ │ ├── help_flags_printer.go │ │ │ ├── templater.go │ │ │ ├── templates.go │ │ │ └── term │ │ │ │ └── term_writer.go │ │ ├── tree.go │ │ ├── triangulate.go │ │ ├── triangulate │ │ │ └── triangulate.go │ │ ├── trustedroot.go │ │ ├── 
trustedroot │ │ │ ├── trustedroot.go │ │ │ └── trustedroot_test.go │ │ ├── upload.go │ │ ├── upload │ │ │ ├── blob.go │ │ │ └── wasm.go │ │ ├── verify.go │ │ ├── verify │ │ │ ├── verify.go │ │ │ ├── verify_attestation.go │ │ │ ├── verify_attestation_test.go │ │ │ ├── verify_blob.go │ │ │ ├── verify_blob_attestation.go │ │ │ ├── verify_blob_attestation_test.go │ │ │ ├── verify_blob_test.go │ │ │ ├── verify_bundle.go │ │ │ └── verify_test.go │ │ └── version_test.go │ ├── errors │ │ ├── error_wrap.go │ │ ├── error_wrap_test.go │ │ ├── errors.go │ │ ├── exit_code_lookup.go │ │ ├── exit_code_lookup_test.go │ │ ├── exit_codes.go │ │ └── generate_docs.go │ └── main.go ├── help │ ├── main.go │ └── verify.sh └── sample │ └── main.go ├── codecov.yml ├── doc ├── cosign.md ├── cosign_attach.md ├── cosign_attach_attestation.md ├── cosign_attach_sbom.md ├── cosign_attach_signature.md ├── cosign_attest-blob.md ├── cosign_attest.md ├── cosign_bundle.md ├── cosign_bundle_create.md ├── cosign_clean.md ├── cosign_completion.md ├── cosign_copy.md ├── cosign_dockerfile.md ├── cosign_dockerfile_verify.md ├── cosign_download.md ├── cosign_download_attestation.md ├── cosign_download_sbom.md ├── cosign_download_signature.md ├── cosign_env.md ├── cosign_exit_codes.md ├── cosign_generate-key-pair.md ├── cosign_generate.md ├── cosign_import-key-pair.md ├── cosign_initialize.md ├── cosign_load.md ├── cosign_login.md ├── cosign_manifest.md ├── cosign_manifest_verify.md ├── cosign_piv-tool.md ├── cosign_piv-tool_attestation.md ├── cosign_piv-tool_generate-key.md ├── cosign_piv-tool_reset.md ├── cosign_piv-tool_set-management-key.md ├── cosign_piv-tool_set-pin.md ├── cosign_piv-tool_set-puk.md ├── cosign_piv-tool_unblock.md ├── cosign_pkcs11-tool.md ├── cosign_pkcs11-tool_list-keys-uris.md ├── cosign_pkcs11-tool_list-tokens.md ├── cosign_public-key.md ├── cosign_save.md ├── cosign_sign-blob.md ├── cosign_sign.md ├── cosign_tree.md ├── cosign_triangulate.md ├── cosign_trusted-root.md ├── 
cosign_trusted-root_create.md ├── cosign_upload.md ├── cosign_upload_blob.md ├── cosign_upload_wasm.md ├── cosign_verify-attestation.md ├── cosign_verify-blob-attestation.md ├── cosign_verify-blob.md ├── cosign_verify.md └── cosign_version.md ├── go.mod ├── go.sum ├── hack ├── boilerplate │ └── boilerplate.go.txt ├── github-oidc-setup.sh └── update-deps.sh ├── images ├── dot │ └── signatures.dot └── signatures.dot.svg ├── internal ├── pkg │ ├── cosign │ │ ├── common.go │ │ ├── common_test.go │ │ ├── dsse.go │ │ ├── ephemeral │ │ │ ├── signer.go │ │ │ └── signer_test.go │ │ ├── fulcio │ │ │ ├── fulcioroots │ │ │ │ ├── fulcioroots.go │ │ │ │ └── fulcioroots_test.go │ │ │ ├── signer.go │ │ │ └── signer_test.go │ │ ├── payload │ │ │ ├── attestor.go │ │ │ ├── attestor_test.go │ │ │ ├── signer.go │ │ │ ├── signer_test.go │ │ │ └── size │ │ │ │ ├── errors.go │ │ │ │ ├── size.go │ │ │ │ └── size_test.go │ │ ├── rekor │ │ │ ├── mock │ │ │ │ └── mock_rekor_client.go │ │ │ ├── signer.go │ │ │ └── signer_test.go │ │ ├── sign.go │ │ └── tsa │ │ │ ├── client │ │ │ └── client.go │ │ │ ├── mock │ │ │ └── mock_tsa_client.go │ │ │ ├── signer.go │ │ │ ├── signer_test.go │ │ │ ├── utils.go │ │ │ └── utils_test.go │ ├── now │ │ └── now.go │ └── oci │ │ └── remote │ │ └── remote.go └── ui │ ├── env.go │ ├── log.go │ ├── log_test.go │ ├── prompt.go │ ├── prompt_test.go │ └── warnings.go ├── pkg ├── blob │ ├── load.go │ └── load_test.go ├── cosign │ ├── attestation │ │ ├── attestation.go │ │ └── fuzz_test.go │ ├── bundle │ │ ├── protobundle.go │ │ ├── protobundle_test.go │ │ ├── rekor.go │ │ ├── rekor_test.go │ │ ├── tsa.go │ │ └── tsa_test.go │ ├── certextensions.go │ ├── certextensions_test.go │ ├── common.go │ ├── ctlog.go │ ├── ctlog_test.go │ ├── cue │ │ ├── cue.go │ │ ├── cue_test.go │ │ └── fuzz_test.go │ ├── env │ │ ├── env.go │ │ └── env_test.go │ ├── errors.go │ ├── errors_test.go │ ├── fetch.go │ ├── fulcioverifier │ │ └── ctutil │ │ │ ├── ctutil.go │ │ │ └── ctutil_test.go │ 
├── fuzz_test.go │ ├── git │ │ ├── git.go │ │ ├── github │ │ │ └── github.go │ │ └── gitlab │ │ │ └── gitlab.go │ ├── keys.go │ ├── keys_test.go │ ├── kubernetes │ │ ├── client.go │ │ ├── secret.go │ │ └── secret_test.go │ ├── obsolete.go │ ├── obsolete_test.go │ ├── pivkey │ │ ├── disabled.go │ │ ├── pivkey.go │ │ └── util.go │ ├── pkcs11key │ │ ├── disabled.go │ │ ├── pkcs11key.go │ │ └── util.go │ ├── rego │ │ ├── fuzz_test.go │ │ ├── rego.go │ │ └── rego_test.go │ ├── rekor_factory.go │ ├── remote │ │ ├── index.go │ │ ├── index_test.go │ │ ├── remote.go │ │ └── testdata │ │ │ ├── bar │ │ │ └── foo │ ├── testdata │ │ ├── garbage-there-are-limits │ │ ├── google │ │ ├── letsencrypt-testflume-2021 │ │ ├── oci-attestation.sigstore.json │ │ ├── rsa │ │ └── trusted_root_pgi.json │ ├── tlog.go │ ├── tlog_test.go │ ├── tsa.go │ ├── tsa_test.go │ ├── verifiers.go │ ├── verifiers_test.go │ ├── verify.go │ ├── verify_bundle.go │ ├── verify_bundle_test.go │ ├── verify_oci_test.go │ ├── verify_sct.go │ ├── verify_sct_test.go │ └── verify_test.go ├── oci │ ├── doc.go │ ├── empty │ │ ├── empty.go │ │ ├── empty_test.go │ │ ├── signed.go │ │ └── signed_test.go │ ├── errors.go │ ├── file.go │ ├── image.go │ ├── index.go │ ├── interface.go │ ├── internal │ │ └── signature │ │ │ ├── layer.go │ │ │ └── layer_test.go │ ├── layout │ │ ├── index.go │ │ ├── signatures.go │ │ ├── signatures_test.go │ │ ├── write.go │ │ └── write_test.go │ ├── mediatypes.go │ ├── mutate │ │ ├── map.go │ │ ├── map_test.go │ │ ├── mutate.go │ │ ├── mutate_test.go │ │ ├── options.go │ │ ├── signature.go │ │ ├── signature_test.go │ │ ├── signatures.go │ │ └── signatures_test.go │ ├── platform │ │ └── platform.go │ ├── remote │ │ ├── digest.go │ │ ├── digest_test.go │ │ ├── image.go │ │ ├── image_test.go │ │ ├── index.go │ │ ├── index_test.go │ │ ├── options.go │ │ ├── options_test.go │ │ ├── referrers.go │ │ ├── remote.go │ │ ├── remote_test.go │ │ ├── signatures.go │ │ ├── signatures_test.go │ │ ├── 
unknown.go │ │ ├── unknown_test.go │ │ ├── write.go │ │ └── write_test.go │ ├── signature │ │ ├── layer.go │ │ └── layer_test.go │ ├── signatures.go │ ├── signed │ │ ├── image.go │ │ ├── image_test.go │ │ ├── index.go │ │ └── index_test.go │ ├── static │ │ ├── file.go │ │ ├── file_test.go │ │ ├── options.go │ │ ├── options_test.go │ │ ├── signature.go │ │ └── signature_test.go │ └── walk │ │ ├── walk.go │ │ └── walk_test.go ├── policy │ ├── attestation.go │ ├── attestation_test.go │ ├── errors.go │ ├── eval.go │ ├── eval_test.go │ ├── fuzz_test.go │ └── testdata │ │ ├── malformed │ │ ├── custom │ │ └── vuln │ │ └── valid │ │ ├── custom │ │ └── vuln ├── providers │ ├── all │ │ └── all.go │ ├── buildkite │ │ ├── buildkite.go │ │ └── doc.go │ ├── doc.go │ ├── envvar │ │ ├── env.go │ │ └── env_test.go │ ├── filesystem │ │ ├── doc.go │ │ └── filesystem.go │ ├── github │ │ ├── doc.go │ │ └── github.go │ ├── google │ │ ├── doc.go │ │ └── google.go │ ├── interface.go │ └── spiffe │ │ ├── doc.go │ │ ├── spiffe.go │ │ └── spiffe_test.go ├── signature │ ├── annotations.go │ ├── keys.go │ └── keys_test.go └── types │ ├── media.go │ └── payload.go ├── release ├── README.md ├── cloudbuild.yaml ├── ko-sign-release-images.sh ├── release-cosign.pub └── release.mk ├── scripts └── sign-images-ci.sh ├── specs ├── ATTESTATION_SPEC.md ├── BUNDLE_SPEC.md ├── COSIGN_PREDICATE_SPEC.md ├── COSIGN_VULN_ATTESTATION_SPEC.md ├── SBOM_SPEC.md └── SIGNATURE_SPEC.md └── test ├── README.md ├── cert_utils.go ├── ci.mk ├── cmd └── getoidctoken │ └── main.go ├── config └── gettoken │ └── gettoken.yaml ├── e2e_attach_test.go ├── e2e_insecure_registry_test.go ├── e2e_kms_test.go ├── e2e_test.go ├── e2e_test.ps1 ├── e2e_test.sh ├── e2e_test_pkcs11.sh ├── e2e_tsa_test.go ├── fakeoidc ├── go.mod ├── go.sum └── main.go ├── fuzz ├── dictionaries │ ├── FuzzEvaluatePolicyAgainstJSON.dict │ └── FuzzImportKeyPairLoadPrivateKey.dict ├── oss_fuzz_build.sh └── seeds │ ├── FuzzEvaluatePolicyAgainstJSON_seed1 │ └── 
FuzzEvaluatePolicyAgainstJSON_seed2 ├── helpers.go ├── helpers_test.go ├── piv_test.go ├── pkcs11_test.go └── testdata ├── attestations └── vuln-predicate.json ├── bom-go-mod.cyclonedx.json ├── bom-go-mod.spdx ├── bom-go-mod.spdx.json ├── policies ├── cue-fails.cue ├── cue-vuln-fails.cue ├── cue-vuln-works.cue └── cue-works.cue ├── test-result.json └── test.wasm /.gitattributes: -------------------------------------------------------------------------------- 1 | # This file is documented at https://git-scm.com/docs/gitattributes. 2 | # Linguist-specific attributes are documented at 3 | # https://github.com/github/linguist. 4 | 5 | doc/cosign*.md linguist-generated=true 6 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2021 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | version: 2 17 | updates: 18 | - package-ecosystem: gomod 19 | directory: "/" 20 | schedule: 21 | interval: "weekly" 22 | open-pull-requests-limit: 10 23 | groups: 24 | gomod: 25 | update-types: 26 | - "patch" 27 | 28 | - package-ecosystem: "github-actions" 29 | directory: "/" 30 | schedule: 31 | interval: "weekly" 32 | open-pull-requests-limit: 10 33 | groups: 34 | actions: 35 | update-types: 36 | - "minor" 37 | - "patch" 38 | -------------------------------------------------------------------------------- /.github/workflows/conformance.yml: -------------------------------------------------------------------------------- 1 | # Copyright 2024 The Sigstore Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: Conformance Tests 16 | 17 | on: 18 | push: 19 | branches: 20 | - main 21 | pull_request: 22 | branches: 23 | - main 24 | 25 | permissions: 26 | contents: read 27 | 28 | jobs: 29 | conformance: 30 | runs-on: ubuntu-latest 31 | steps: 32 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 33 | with: 34 | persist-credentials: false 35 | - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 36 | with: 37 | go-version-file: 'go.mod' 38 | check-latest: true 39 | 40 | - run: make cosign conformance 41 | 42 | - uses: sigstore/sigstore-conformance@fd90e6b0f3046f2276a6659481de6df495dea3b9 # v0.0.18 43 | with: 44 | entrypoint: ${{ github.workspace }}/conformance 45 | -------------------------------------------------------------------------------- /.github/workflows/cosign-test.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- 2 | eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 3 | OCwicCI6MX0sInNhbHQiOiJYcDVZWW5nRVBWNkR1Kzh0Qmdsbll1OEc2YTZOWGVJ 4 | L1M3bXo0VUYvWk1FPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 5 | Iiwibm9uY2UiOiIyT0YvUFJBQ09sKzRTVTJXVHpycTFHalFML2JlQzQvQiJ9LCJj 6 | aXBoZXJ0ZXh0IjoiMDV6eTlxaWVZWlVjZ0pCZHNndWhSNmd6ZmEvc1RrbnBCZTN0 7 | Z3VsdDlXK0g0bnE3UE9sODFvdUttT0xhY3g5bzhKekhLNDg5SFR5NnNBYnhiWUVX 8 | R3Ewam85RUtSS0x0SU9NTWJ3cVluc2Z3YnVHQzNSNm1CR29CZncwV1pUOEdlMDM1 9 | NEQ2MzlTR1NLSytLMW9IM0xCSVdDWFgxYkllWFFkaFRWQTR4UDExVDFIZzFLM0RY 10 | WXVsUGpydFB0Yk5BVk44YmZUY3VSbHoxTlE9PSJ9 11 | -----END ENCRYPTED COSIGN PRIVATE KEY----- 12 | -------------------------------------------------------------------------------- /.github/workflows/cosign-test.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZxAfzrQG1EbWyCI8LiSB7YgSFXoI 3 | FNGTyQGKHFc6/H8TQumT9VLS78pUwtv3w7EfKoyFZoP32KrO7nzUy2q6Cw== 4 | 
-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/.github/workflows/cut-release.yml:
--------------------------------------------------------------------------------
#
# Copyright 2024 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Cut Release

on:
  workflow_dispatch:
    inputs:
      release_tag:
        required: true
        type: string
        description: 'Release tag'
      key_ring:
        required: true
        type: string
        description: 'Key ring for cosign key'
      key_name:
        required: true
        type: string
        description: 'Key name for cosign key'

# Single concurrency group: only one release cut can be in flight at a time.
concurrency: cut-release

jobs:
  cut-release:
    name: Cut release
    # NOTE(security): this reusable workflow is referenced by the mutable
    # `main` ref while being granted `id-token: write` — the OIDC token that
    # is presumably exchanged against the workload_identity_provider /
    # service_account inputs below. Every other third-party action or
    # workflow in this repo's .github/workflows is pinned to a commit SHA
    # (see depsreview.yml, conformance.yml). Pin this reference to a SHA too,
    # so a change landing on sigstore/community main cannot silently alter
    # how releases are built and signed.
    uses: sigstore/community/.github/workflows/reusable-release.yml@main
    permissions:
      id-token: write
      contents: read
    with:
      # These three values are operator-typed workflow_dispatch inputs. They
      # are forwarded as inputs here (not expanded into a shell), so any
      # validation or quoting of them has to happen inside the reusable
      # workflow — confirm it does before relying on this.
      release_tag: ${{ github.event.inputs.release_tag }}
      key_ring: ${{ github.event.inputs.key_ring }}
      key_name: ${{ github.event.inputs.key_name }}
      workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign'
      service_account: 'github-actions-cosign@projectsigstore.iam.gserviceaccount.com'
      repo: 'cosign'
--------------------------------------------------------------------------------
/.github/workflows/depsreview.yml:
-------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | name: 'Dependency Review' 16 | on: [pull_request] 17 | 18 | permissions: {} 19 | 20 | jobs: 21 | dependency-review: 22 | name: License and Vulnerability Scan 23 | 24 | if: github.repository == 'sigstore/cosign' 25 | 26 | permissions: 27 | contents: read 28 | 29 | uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc 30 | -------------------------------------------------------------------------------- /.github/workflows/donotsubmit.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2024 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 

name: Do Not Submit

on:
  pull_request:
    branches:
      - 'main'
      - 'release-*'

# No default token scopes; each job declares exactly what it needs.
permissions: {}

jobs:
  donotsubmit:
    name: Do Not Submit
    runs-on: ubuntu-latest

    if: github.repository == 'sigstore/cosign'

    permissions:
      contents: read

    steps:
      - name: Check out code
        # Pinned by commit SHA. The trailing label used to read "v2.4.0",
        # which did not match the tag this SHA carries elsewhere in
        # .github/workflows (v4.2.2); keep the label accurate so the pin can
        # be audited at a glance.
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Do Not Submit
        uses: chainguard-dev/actions/donotsubmit@ec48ea414c0cb207549029d8fe35f8f01e563219 # v1.0.8
--------------------------------------------------------------------------------
/.github/workflows/verify-docgen.yaml:
--------------------------------------------------------------------------------
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
15 | 16 | name: Docgen 17 | 18 | on: 19 | workflow_dispatch: 20 | push: 21 | branches: 22 | - 'main' 23 | - 'release-*' 24 | pull_request: 25 | 26 | permissions: {} 27 | 28 | jobs: 29 | docgen: 30 | name: Verify Docgen 31 | runs-on: ubuntu-latest 32 | 33 | permissions: 34 | contents: read 35 | 36 | steps: 37 | - name: deps 38 | run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev 39 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 40 | with: 41 | persist-credentials: false 42 | - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 43 | with: 44 | go-version-file: 'go.mod' 45 | check-latest: true 46 | - run: ./cmd/help/verify.sh 47 | -------------------------------------------------------------------------------- /.github/workflows/whitespace.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2024 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | name: Whitespace 17 | 18 | on: 19 | pull_request: 20 | branches: 21 | - 'main' 22 | - 'release-*' 23 | 24 | permissions: {} 25 | 26 | jobs: 27 | 28 | whitespace: 29 | name: Check Whitespace 30 | runs-on: ubuntu-latest 31 | 32 | permissions: 33 | contents: read 34 | 35 | steps: 36 | - name: Check out code 37 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 38 | with: 39 | persist-credentials: false 40 | 41 | - uses: chainguard-dev/actions/trailing-space@ec48ea414c0cb207549029d8fe35f8f01e563219 # v1.0.8 42 | if: ${{ always() }} 43 | 44 | - uses: chainguard-dev/actions/eof-newline@ec48ea414c0cb207549029d8fe35f8f01e563219 # v1.0.8 45 | if: ${{ always() }} 46 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | .DS_STORE 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | 9 | # Test binary, built with `go test -c` 10 | *.test 11 | 12 | # Output of the go coverage tool, specifically when used with LiteIDE 13 | *.out 14 | 15 | # Dependency directories (remove the comment below to include it) 16 | # vendor/ 17 | 18 | # cosign stuff 19 | /cosign* 20 | .vscode 21 | .idea 22 | 23 | # fuzzing artifacts 24 | *.libfuzzer 25 | *fuzz.a 26 | 27 | bin* 28 | dist/ 29 | cosignImagerefs 30 | bundle 31 | signature 32 | certificate 33 | sigstore-conformance 34 | conformance 35 | 36 | **verify-experimental* 37 | -------------------------------------------------------------------------------- /.ko.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2021 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | defaultBaseImage: gcr.io/distroless/static-debian12:nonroot 17 | 18 | builds: 19 | - id: cosign 20 | dir: . 21 | main: ./cmd/cosign 22 | env: 23 | - CGO_ENABLED=0 24 | flags: 25 | - -trimpath 26 | - -tags 27 | - "{{ .Env.GIT_HASH }}" 28 | - -tags 29 | - "{{ .Env.GIT_VERSION }}" 30 | ldflags: 31 | - -extldflags "-static" 32 | - "{{ .Env.LDFLAGS }}" 33 | -------------------------------------------------------------------------------- /ALUMNI.md: -------------------------------------------------------------------------------- 1 | # Alumni 2 | 3 | Thanks to the following folks who used to maintain Cosign (please keep this 4 | list sorted)! 
5 | 6 | - [**@asraa**](https://github.com/asraa) 7 | - [**@dlorenc**](https://github.com/dlorenc) 8 | - [**@font**](https://github.com/font) 9 | - [**@loosebazooka**](https://github.com/loosebazooka) 10 | - [**@luhring**](https://github.com/luhring) 11 | - [**@lukehinds**](https://github.com/lukehinds) 12 | - [**@n3wscott**](https://github.com/n3wscott) 13 | - [**@vaikas**](https://github.com/vaikas) 14 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @sigstore/cosign-codeowners 2 | 3 | /.github/ @sigstore/dep-maintainers 4 | /release/ @sigstore/dep-maintainers 5 | go.mod @sigstore/dep-maintainers 6 | go.sum @sigstore/dep-maintainers 7 | -------------------------------------------------------------------------------- /COPYRIGHT.txt: -------------------------------------------------------------------------------- 1 | 2 | Copyright 2021 The Sigstore Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | -------------------------------------------------------------------------------- /artifacthub-repo.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | repositoryID: 0344601c-282a-4857-a852-d9207291ccfe 17 | owners: 18 | - name: cpanato 19 | email: ctadeu@gmail.com 20 | - name: dlorenc 21 | email: lorenc.d@gmail.com 22 | -------------------------------------------------------------------------------- /cmd/cosign/cli/attest/common.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
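
package attest

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"os"

	"github.com/secure-systems-lab/go-securesystemslib/dsse"
)

// predicateReader opens the predicate that will be wrapped into an attestation.
//
// A predicatePath of "-" selects standard input; any other value is opened as
// a file. The chosen source is echoed to stderr (never stdout, which callers
// may reserve for the signed output).
//
// The returned ReadCloser is owned by the caller. Be aware that when "-" is
// used the value returned is os.Stdin itself, so closing it closes the
// process's stdin.
func predicateReader(predicatePath string) (io.ReadCloser, error) {
	if predicatePath == "-" {
		fmt.Fprintln(os.Stderr, "Using payload from: standard input")
		return os.Stdin, nil
	}

	fmt.Fprintln(os.Stderr, "Using payload from:", predicatePath)
	f, err := os.Open(predicatePath)
	if err != nil {
		return nil, err
	}
	return f, nil
}

// getEnvelopeSigBytes returns the raw bytes of the first signature in a
// JSON-encoded DSSE envelope.
//
// Only Signatures[0] is consulted; if the envelope carries several
// signatures the others are ignored, and it is the caller's responsibility
// to decide whether that matters for its use case.
//
// An error is returned when the input is not a valid JSON envelope, when it
// has no signatures, when the first signature's "sig" field is empty, or
// when that field is not valid standard base64. The empty-signature case is
// checked explicitly because base64-decoding "" yields zero bytes and no
// error, which would otherwise let a vacuous signature flow downstream.
func getEnvelopeSigBytes(envelopeBytes []byte) ([]byte, error) {
	var envelope dsse.Envelope
	if err := json.Unmarshal(envelopeBytes, &envelope); err != nil {
		return nil, err
	}
	if len(envelope.Signatures) == 0 {
		return nil, fmt.Errorf("envelope has no signatures")
	}
	sig := envelope.Signatures[0].Sig
	if sig == "" {
		return nil, fmt.Errorf("envelope signature is empty")
	}
	return base64.StdEncoding.DecodeString(sig)
}
--------------------------------------------------------------------------------
/cmd/cosign/cli/debug.go:
--------------------------------------------------------------------------------
// Copyright 2024 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.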

package cli

import (
	"github.com/sigstore/cosign/v2/cmd/cosign/cli/debug"
	"github.com/spf13/cobra"
)

// Debug returns the hidden "debug" parent command.
//
// The command does nothing by itself — running it bare just prints its own
// help — and it is marked Hidden so it does not show up in the public CLI
// listing. Diagnostic sub-commands are attached to it below.
func Debug() *cobra.Command {
	root := &cobra.Command{
		Use:    "debug",
		Hidden: true,
		RunE: func(c *cobra.Command, _ []string) error {
			return c.Help()
		},
	}
	root.AddCommand(debugProviders())
	return root
}

// debugProviders builds the "debug providers" sub-command. It delegates to
// debug.ProviderCmd, which reports for each registered OIDC provider whether
// it is enabled in the current environment, writing to the command's
// configured stdout writer.
func debugProviders() *cobra.Command {
	return &cobra.Command{
		Use:   "providers",
		Short: "Show enabled/disabled OIDC providers.",
		RunE: func(c *cobra.Command, _ []string) error {
			return debug.ProviderCmd(c.Context(), c.OutOrStdout())
		},
	}
}
--------------------------------------------------------------------------------
/cmd/cosign/cli/debug/provider.go:
--------------------------------------------------------------------------------
// Copyright 2024 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// SignatureCmd fetches every signature attached to imageRef and prints each
// one to stdout as a JSON object, one per line.
//
// The signatures are printed exactly as retrieved from the registry; nothing
// in this function verifies them, so the output is a raw dump for inspection
// and must not be read as evidence that the image is validly signed.
//
// Returns an error if the reference cannot be parsed, registry client options
// cannot be built, the fetch fails, or a signature cannot be marshalled.
func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string) error {
	ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...)
	if err != nil {
		return err
	}
	remoteOpts, err := regOpts.ClientOpts(ctx)
	if err != nil {
		return err
	}
	sigs, err := cosign.FetchSignaturesForReference(ctx, ref, remoteOpts...)
	if err != nil {
		return err
	}
	for i := range sigs {
		encoded, marshalErr := json.Marshal(sigs[i])
		if marshalErr != nil {
			return marshalErr
		}
		fmt.Println(string(encoded))
	}
	return nil
}
// NewSigner obtains a Fulcio-backed signer for the given SignerVerifier (via
// fulcio.NewSigner) and, before returning it, verifies the Signed Certificate
// Timestamp that came back with the certificate.
//
// The SCT is checked against the CT log public keys returned by
// cosign.GetCTLogPubs (TUF or environment, per that helper). A signer whose
// SCT fails verification is never returned; this extra check is what
// distinguishes this constructor from calling fulcio.NewSigner directly.
func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerVerifier) (*fulcio.Signer, error) {
	fulcioSigner, err := fulcio.NewSigner(ctx, ko, signer)
	if err != nil {
		return nil, err
	}

	// CT log keys come from TUF or the environment, whichever GetCTLogPubs uses.
	ctKeys, err := cosign.GetCTLogPubs(ctx)
	if err != nil {
		return nil, fmt.Errorf("getting CTFE public keys: %w", err)
	}

	// Fail closed: a certificate without a verifiable SCT is not used for signing.
	if sctErr := cosign.VerifySCT(ctx, fulcioSigner.Cert, fulcioSigner.Chain, fulcioSigner.SCT, ctKeys); sctErr != nil {
		return nil, fmt.Errorf("verifying SCT: %w", sctErr)
	}
	ui.Infof(ctx, "Successfully verified SCT...")

	return fulcioSigner, nil
}
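// GenerateCmd writes to w the JSON payload that cosign would sign for
// imageRef: the image digest plus the supplied annotations. It signs nothing;
// the output is meant to be signed out of band.
//
// The tag in imageRef is resolved to a digest first so that the payload pins
// exactly one image rather than whatever the tag points at on a later access.
//
// Returns an error if the reference cannot be parsed, registry options cannot
// be built, the digest cannot be resolved, marshalling fails, or the write to
// w fails. Previously the write error was discarded, so a truncated payload
// could be emitted — and later signed — without any indication.
func GenerateCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string, annotations map[string]interface{}, w io.Writer) error {
	ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...)
	if err != nil {
		return err
	}
	ociremoteOpts, err := regOpts.ClientOpts(ctx)
	if err != nil {
		return err
	}
	// Pin to a digest: a tag can be re-pointed between accesses, and the
	// payload must describe exactly one image.
	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
	if err != nil {
		return err
	}

	payloadJSON, err := (&payload.Cosign{Image: digest, Annotations: annotations}).MarshalJSON()
	if err != nil {
		return err
	}
	// Surface write failures instead of dropping them.
	if _, err := w.Write(payloadJSON); err != nil {
		return err
	}
	return nil
}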
// ImportKeyPair builds the "cosign import-key-pair" command, which takes an
// externally generated PEM-encoded RSA or EC private key and writes it out as
// a cosign key pair (.key / .pub) under the chosen output prefix.
func ImportKeyPair() *cobra.Command {
	opts := &options.ImportKeyPairOptions{}

	cmd := &cobra.Command{
		Use:   "import-key-pair",
		Short: "Imports a PEM-encoded RSA or EC private key.",
		Long:  "Imports a PEM-encoded RSA or EC private key for signing.",
		Example: `  cosign import-key-pair --key openssl.key --output-key-prefix my-key

  # import PEM-encoded RSA or EC private key and write to import-cosign.key and import-cosign.pub files
  cosign import-key-pair --key

  # import PEM-encoded RSA or EC private key and write to my-key.key and my-key.pub files
  cosign import-key-pair --key --output-key-prefix my-key

CAVEATS:
  This command interactively prompts for a password. You can use
  the COSIGN_PASSWORD environment variable to provide one.`,
		// NOTE(review): options.BindViper is not visible here; presumably it
		// binds flags to viper so they can also come from env/config.
		PersistentPreRun: options.BindViper,
		RunE: func(c *cobra.Command, args []string) error {
			return importkeypair.ImportKeyPairCmd(c.Context(), *opts, args)
		},
	}

	opts.AddFlags(cmd)
	return cmd
}
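// AnnotationOptions carries the --annotations / -a flag values: extra
// key=value pairs that are embedded in the signed payload.
type AnnotationOptions struct {
	Annotations []string
}

var _ Interface = (*AnnotationOptions)(nil)

// AnnotationsMap parses each "key=value" entry into the map embedded in the
// signing payload.
//
// Each entry is split on the first '=' only, so a value may itself contain
// '=' (base64 padding, URLs with query strings); the previous implementation
// split on every '=' and rejected such entries. An entry with no '=' at all
// is an error. A later duplicate key overwrites an earlier one, as before.
//
// Returns the map and an error naming the first entry that could not be
// parsed. Annotations stays nil when there are no entries.
func (o *AnnotationOptions) AnnotationsMap() (sigs.AnnotationsMap, error) {
	ann := sigs.AnnotationsMap{}
	for _, a := range o.Annotations {
		kv := strings.SplitN(a, "=", 2)
		if len(kv) != 2 {
			return ann, fmt.Errorf("unable to parse annotation: %s", a)
		}
		if ann.Annotations == nil {
			ann.Annotations = map[string]interface{}{}
		}
		ann.Annotations[kv[0]] = kv[1]
	}
	return ann, nil
}

// AddFlags implements Interface
func (o *AnnotationOptions) AddFlags(cmd *cobra.Command) {
	cmd.Flags().StringSliceVarP(&o.Annotations, "annotations", "a", nil,
		"extra key=value pairs to sign")
	// Annotations are free-form strings, so file-path completion is disabled.
	_ = cmd.RegisterFlagCompletionFunc("annotations", cobra.NoFileCompletions)
}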
// CopyOptions is the top level wrapper for the copy command.
type CopyOptions struct {
	CopyOnly      []string // --only: restrict the copy to the listed attachment kinds (sig, att, sbom)
	SignatureOnly bool     // --sig-only: deprecated predecessor of --only=sig
	Force         bool     // --force: allow overwriting the destination
	Platform      string   // --platform: copy just one platform image and its signatures
	Registry      RegistryOptions
}

var _ Interface = (*CopyOptions)(nil)

// AddFlags implements Interface. Registry flags are registered first, then
// the copy-specific ones. Overwriting the destination is opt-in via --force;
// the default leaves existing destination images untouched.
func (opts *CopyOptions) AddFlags(cmd *cobra.Command) {
	opts.Registry.AddFlags(cmd)

	fs := cmd.Flags()
	fs.StringSliceVar(&opts.CopyOnly, "only", []string{},
		"custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom")

	fs.BoolVar(&opts.SignatureOnly, "sig-only", false,
		"[DEPRECATED] only copy the image signature")

	fs.BoolVarP(&opts.Force, "force", "f", false,
		"overwrite destination image(s), if necessary")

	fs.StringVar(&opts.Platform, "platform", "",
		"only copy container image and its signatures for a specific platform image")
}
// User-facing deprecation warnings. They are printed by the affected commands
// so that the message and its issue reference stay in one place.
const (
	// SBOMAttachmentDeprecation is shown when an SBOM is attached as a raw
	// attachment rather than as an attestation.
	SBOMAttachmentDeprecation = "WARNING: SBOM attachments are deprecated " +
		"and support will be removed in a Cosign release soon after 2024-02-22 " +
		"(see https://github.com/sigstore/cosign/issues/2755). " +
		"Instead, please use SBOM attestations."

	// RootWithoutChecksumDeprecation is shown when the initial TUF root is
	// fetched from a URL with no --root-checksum to pin it against.
	RootWithoutChecksumDeprecation = "WARNING: Fetching initial root from URL " +
		"without providing its checksum is deprecated and will be disallowed in " +
		"a future Cosign release. Please provide the initial root checksum " +
		"via the --root-checksum argument."
)
// SBOMDownloadOptions holds the flags of the SBOM download command.
type SBOMDownloadOptions struct {
	Platform string // Platform to download sboms
}

// AttestationDownloadOptions holds the flags of the attestation download
// command.
type AttestationDownloadOptions struct {
	PredicateType string // Predicate type of attestation to retrieve
	Platform      string // Platform to download attestations
}

var (
	_ Interface = (*SBOMDownloadOptions)(nil)
	_ Interface = (*AttestationDownloadOptions)(nil)
)

// AddFlags implements Interface: registers --platform.
func (opts *SBOMDownloadOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()
	fs.StringVar(&opts.Platform, "platform", "",
		"download SBOM for a specific platform image")
}

// AddFlags implements Interface: registers --predicate-type and --platform.
// Neither flag is required here; what an empty predicate type means is
// decided by the download command, not by this options struct.
func (opts *AttestationDownloadOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()
	fs.StringVar(&opts.PredicateType, "predicate-type", "",
		"download attestation with matching predicateType")
	fs.StringVar(&opts.Platform, "platform", "",
		"download attestation for a specific platform image")
}
// EnvOptions is the top level wrapper for the env command.
type EnvOptions struct {
	ShowDescriptions    bool // print the description next to each variable
	ShowSensitiveValues bool // print values of variables flagged as sensitive (off by default)
}

var _ Interface = (*EnvOptions)(nil)

// AddFlags implements Interface. --show-descriptions defaults to on;
// --show-sensitive-values defaults to off so that secrets are not echoed
// unless explicitly requested.
func (opts *EnvOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()

	fs.BoolVar(&opts.ShowDescriptions, "show-descriptions", true,
		"show descriptions for environment variables")

	fs.BoolVar(&opts.ShowSensitiveValues, "show-sensitive-values", false,
		"show values of sensitive environment variables")
}
// KeyParseError is an error returned when an incorrect set of key flags
// are parsed by the CLI: the signing-key flags are mutually exclusive and
// exactly one must be given.
type KeyParseError struct{}

// PubKeyParseError is an error returned when an incorrect set of public key
// flags are parsed by the CLI: the verification-key flags are mutually
// exclusive and exactly one must be given.
type PubKeyParseError struct{}

// Sentinel messages; kept as constants so both Error methods stay trivially
// comparable against the user-visible text.
const (
	keyParseErrorMsg    = "exactly one of: key reference (--key), or hardware token (--sk) must be provided"
	pubKeyParseErrorMsg = "exactly one of: key reference (--key), certificate (--cert) or hardware token (--sk) must be provided"
)

// Error implements error.
func (*KeyParseError) Error() string { return keyParseErrorMsg }

// Error implements error.
func (*PubKeyParseError) Error() string { return pubKeyParseErrorMsg }
// EnableExperimental reports whether the experimental-features environment
// variable (env.VariableExperimental) is set to a value strconv.ParseBool
// accepts as true ("1", "t", "true", ...).
//
// Anything unparsable — including an unset or empty variable — is treated
// as false, so experimental behaviour is always opt-in.
func EnableExperimental() bool {
	raw := env.Getenv(env.VariableExperimental)
	enabled, err := strconv.ParseBool(raw)
	if err != nil {
		return false
	}
	return enabled
}
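// OneOf reports whether exactly one of the supplied values is set (non-zero
// for its type). It is used to enforce mutually exclusive flag groups such
// as --key / --sk / --cert.
func OneOf(args ...interface{}) bool {
	return NOf(args...) == 1
}

// NOf returns how many of the supplied values are set, i.e. non-zero for
// their type ("" for strings, false for bools, nil for pointers and slices,
// and so on).
//
// An untyped nil argument counts as unset. The previous implementation
// called reflect.Value.IsZero on the invalid Value that reflect.ValueOf(nil)
// yields, which panics; such arguments are now simply skipped.
func NOf(args ...interface{}) int {
	n := 0
	for _, arg := range args {
		v := reflect.ValueOf(arg)
		// IsValid is false only for an untyped nil; IsZero would panic on it.
		if v.IsValid() && !v.IsZero() {
			n++
		}
	}
	return n
}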
// GenerateKeyPairOptions is the top level wrapper for the generate-key-pair command.
type GenerateKeyPairOptions struct {
	// KMS Key Management Service: when set, the key pair is created there
	// instead of as local files.
	KMS string
	// OutputKeyPrefix is the basename for the generated .key and .pub files.
	OutputKeyPrefix string
}

var _ Interface = (*GenerateKeyPairOptions)(nil)

// AddFlags implements Interface: registers --kms and --output-key-prefix
// (default "cosign", i.e. cosign.key / cosign.pub).
func (opts *GenerateKeyPairOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()
	fs.StringVar(&opts.KMS, "kms", "",
		"create key pair in KMS service to use for signing")
	fs.StringVar(&opts.OutputKeyPrefix, "output-key-prefix", "cosign",
		"name used for generated .pub and .key files (defaults to `cosign`)")
}
// ImportKeyPairOptions is the top level wrapper for the import-key-pair command.
type ImportKeyPairOptions struct {
	// Local key file generated by external program such as OpenSSL
	Key string

	// Filename used for outputted keys
	OutputKeyPrefix string

	// SkipConfirmation suppresses the interactive prompt before an existing
	// key file is overwritten.
	SkipConfirmation bool
}

var _ Interface = (*ImportKeyPairOptions)(nil)

// AddFlags implements Interface: registers --key/-k, --output-key-prefix/-o
// (default "import-cosign") and --yes/-y. Overwriting an existing key is
// confirmed interactively unless --yes is passed.
func (opts *ImportKeyPairOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()

	fs.StringVarP(&opts.Key, "key", "k", "",
		"import key pair to use for signing")
	_ = cmd.MarkFlagFilename("key", privateKeyExts...)

	fs.StringVarP(&opts.OutputKeyPrefix, "output-key-prefix", "o", "import-cosign",
		"name used for outputted key pairs")
	// _ = cmd.MarkFlagFilename("output-key-prefix") // no typical extensions

	fs.BoolVarP(&opts.SkipConfirmation, "yes", "y", false,
		"skip confirmation prompts for overwriting existing key")
}
// InitializeOptions is the top level wrapper for the initialize command,
// which sets up the local TUF trust root.
type InitializeOptions struct {
	Mirror       string // --mirror: where TUF metadata is fetched from
	Root         string // --root: trusted initial root; empty means the embedded one
	RootChecksum string // --root-checksum: pins a root fetched over http(s)
}

var _ Interface = (*InitializeOptions)(nil)

// AddFlags implements Interface.
//
// --root-checksum is the only thing tying a root fetched over http(s) to
// something the operator trusts; per the flag text it is required in that
// case, and fetching without it is deprecated (see
// RootWithoutChecksumDeprecation). The value is sha256 unless prefixed with
// "sha512:".
func (opts *InitializeOptions) AddFlags(cmd *cobra.Command) {
	fs := cmd.Flags()

	fs.StringVar(&opts.Mirror, "mirror", tuf.DefaultRemoteRoot,
		"GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap)")

	fs.StringVar(&opts.Root, "root", "",
		"path to trusted initial root. defaults to embedded root")
	_ = cmd.MarkFlagDirname("root")

	fs.StringVar(&opts.RootChecksum, "root-checksum", "",
		"checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:")
}
// LoadOptions is the top level wrapper for the load command.
type LoadOptions struct {
	Directory string // --dir: on-disk location of the saved signed image (required)
	Registry  RegistryOptions
}

var _ Interface = (*LoadOptions)(nil)

// AddFlags implements Interface: registry flags plus the mandatory --dir.
func (opts *LoadOptions) AddFlags(cmd *cobra.Command) {
	opts.Registry.AddFlags(cmd)

	cmd.Flags().StringVar(&opts.Directory, "dir", "",
		"path to directory where the signed image is stored on disk")
	_ = cmd.MarkFlagDirname("dir")
	// load has nothing to do without a source directory.
	_ = cmd.MarkFlagRequired("dir")
}

package options

import "github.com/spf13/cobra"

// Interface is implemented by every option wrapper in this package so that
// commands can register a wrapper's flags uniformly.
type Interface interface {
	// AddFlags adds this options' flags to the cobra command.
	AddFlags(cmd *cobra.Command)
}

// File-extension lists handed to cobra's MarkFlagFilename as shell-completion
// hints for path-valued flags; they only affect completion, not validation.
var (
	bundleExts      = []string{"bundle"}
	certificateExts = []string{"cert", "crt", "pem"}
	logExts         = []string{"log"}
	moduleExts      = []string{"dll", "dylib", "so"}
	privateKeyExts  = []string{"key"}
	publicKeyExts   = []string{"pub"}
	sbomExts        = []string{"json", "xml", "spdx"}
	signatureExts   = []string{"sig"}
	wasmExts        = []string{"wasm"}
)

// rekorEntryTypes lists the accepted Rekor entry types; the first element is
// the default.
var rekorEntryTypes = []string{
	"dsse", // first one is the default
	"intoto",
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/public_key.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// PublicKeyOptions is the top level wrapper for the public-key command.
type PublicKeyOptions struct {
	Key         string             // --key: private key file path, KMS URI or Kubernetes Secret
	SecurityKey SecurityKeyOptions // --sk / --slot, registered via SecurityKeyOptions.AddFlags
	OutFile     string             // --outfile
}

var _ Interface = (*PublicKeyOptions)(nil)

// AddFlags implements Interface.
//
// Security-key flags are added first, then --key and --outfile, each with a
// file-name completion hint for the matching extension list.
func (o *PublicKeyOptions) AddFlags(cmd *cobra.Command) {
	o.SecurityKey.AddFlags(cmd)

	flags := cmd.Flags()

	flags.StringVar(&o.Key, "key", "",
		"path to the private key file, KMS URI or Kubernetes Secret")
	_ = cmd.MarkFlagFilename("key", privateKeyExts...)

	// NOTE(review): this help text reads like a copy of the payload flag used
	// by other commands; the completion hint (publicKeyExts) suggests the flag
	// is the destination for the derived public key. Confirm against the
	// command implementation before rewording the user-facing string.
	flags.StringVar(&o.OutFile, "outfile", "",
		"path to a payload file to use rather than generating one")
	_ = cmd.MarkFlagFilename("outfile", publicKeyExts...)
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/reference.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// ReferenceOptions is a wrapper for image reference options.
type ReferenceOptions struct {
	TagPrefix string // --attachment-tag-prefix: optional prefix for attachment image tags
}

var _ Interface = (*ReferenceOptions)(nil)

// AddFlags implements Interface.
//
// The help text spells out the tag layout attachments use, so the prefix
// chosen here is visible to anyone listing tags in the registry.
func (o *ReferenceOptions) AddFlags(cmd *cobra.Command) {
	const usage = "optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`"
	cmd.Flags().StringVar(&o.TagPrefix, "attachment-tag-prefix", "", usage)
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/rekor.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// DefaultRekorURL is the public Sigstore transparency log used when no
// --rekor-url is supplied.
const DefaultRekorURL = "https://rekor.sigstore.dev"

// RekorOptions is the wrapper for Rekor related options.
type RekorOptions struct {
	URL string // --rekor-url: transparency log endpoint, defaults to DefaultRekorURL
}

var _ Interface = (*RekorOptions)(nil)

// AddFlags implements Interface.
func (o *RekorOptions) AddFlags(cmd *cobra.Command) {
	flags := cmd.Flags()
	flags.StringVar(&o.URL, "rekor-url", DefaultRekorURL, "address of rekor STL server")
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/root_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"testing"

	"github.com/google/go-cmp/cmp"
)

// TestFlagToEnv checks that flagToEnvVar upper-cases a flag name, replaces
// '-' with '_' and prefixes it with COSIGN_.
func TestFlagToEnv(t *testing.T) {
	cases := []struct {
		in, want string
	}{
		{in: "rekor-url", want: "COSIGN_REKOR_URL"},
		{in: "certificate", want: "COSIGN_CERTIFICATE"},
		{in: "k8s-keychain", want: "COSIGN_K8S_KEYCHAIN"},
		{in: "output-file", want: "COSIGN_OUTPUT_FILE"},
		{in: "sbom", want: "COSIGN_SBOM"},
	}

	for _, c := range cases {
		c := c
		t.Run(c.in, func(t *testing.T) {
			got := flagToEnvVar(c.in)
			if diff := cmp.Diff(got, c.want); diff != "" {
				t.Fatal(diff)
			}
		})
	}
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/save.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// SaveOptions is the top level wrapper for the save command.
type SaveOptions struct {
	Directory string          // --dir (required): directory on disk to write the signed image into
	Registry  RegistryOptions // registry client flags, registered before --dir
}

var _ Interface = (*SaveOptions)(nil)

// AddFlags implements Interface.
//
// Mirrors LoadOptions.AddFlags: registry flags first, then a required --dir
// flag with a directory-name completion hint.
func (o *SaveOptions) AddFlags(cmd *cobra.Command) {
	o.Registry.AddFlags(cmd)

	flags := cmd.Flags()
	flags.StringVar(&o.Directory, "dir", "",
		"path to dir where the signed image should be stored on disk")
	// Errors ignored: both marks can only fail for an unregistered flag name.
	_ = cmd.MarkFlagDirname("dir")
	_ = cmd.MarkFlagRequired("dir")
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/security_key.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// SecurityKeyOptions is the wrapper for security key related options.
type SecurityKeyOptions struct {
	Use  bool   // --sk: use a hardware security key
	Slot string // --slot: which key slot on the security key to use (see help text for the choices)
}

var _ Interface = (*SecurityKeyOptions)(nil)

// AddFlags implements Interface.
func (o *SecurityKeyOptions) AddFlags(cmd *cobra.Command) {
	flags := cmd.Flags()

	flags.BoolVar(&o.Use, "sk", false,
		"whether to use a hardware security key")

	flags.StringVar(&o.Slot, "slot", "",
		"security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)")
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/tree.go:
--------------------------------------------------------------------------------
// Copyright 2022 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import "github.com/spf13/cobra"

// TreeOptions is the top level wrapper for the tree command.
type TreeOptions struct {
	Registry  RegistryOptions // registry client flags
	CleanType string          // not bound to any flag in this file; presumably set elsewhere — verify before relying on it
}

var _ Interface = (*TreeOptions)(nil)

// AddFlags implements Interface; only the registry flags are registered.
func (o *TreeOptions) AddFlags(cmd *cobra.Command) {
	o.Registry.AddFlags(cmd)
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/triangulate.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"github.com/spf13/cobra"
)

// TriangulateOptions is the top level wrapper for the triangulate command.
type TriangulateOptions struct {
	Type     string          // --type: attachment kind to locate; defaults to "signature"
	Registry RegistryOptions // registry client flags, registered before --type
}

var _ Interface = (*TriangulateOptions)(nil)

// AddFlags implements Interface.
//
// The accepted values for --type are enumerated in the help text; "sbom" is
// still accepted but documented as deprecated.
func (o *TriangulateOptions) AddFlags(cmd *cobra.Command) {
	o.Registry.AddFlags(cmd)

	flags := cmd.Flags()
	flags.StringVar(&o.Type, "type", "signature",
		"related attachment to triangulate (attestation|sbom|signature|digest), default signature (sbom is deprecated)")
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/options/useragent.go:
--------------------------------------------------------------------------------
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"fmt"
	"runtime"

	"sigs.k8s.io/release-utils/version"
)

// uaString is built once at package initialisation and is meant to resemble
// the User-Agent sent by browsers: "cosign/<git version> (<GOOS>; <GOARCH>)".
// See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
var uaString = fmt.Sprintf("cosign/%s (%s; %s)",
	version.GetVersionInfo().GitVersion, runtime.GOOS, runtime.GOARCH)

// UserAgent returns the User-Agent string which `cosign` should send with HTTP requests.
func UserAgent() string {
	return uaString
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/piv_tool_disabled.go:
--------------------------------------------------------------------------------
//go:build !pivkey || !cgo
// +build !pivkey !cgo

// Copyright 2021 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cli

import (
	"github.com/spf13/cobra"
)

// PIVTool is the stand-in for the piv-tool subcommand in builds that lack
// the pivkey build tag or cgo (see the build constraint at the top of this
// file); it only reports that support is absent.
func PIVTool() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "piv-tool",
		Short: "This cosign was not built with piv-tool support!",
	}
	return cmd
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/pkcs11_tool_disabled.go:
--------------------------------------------------------------------------------
//go:build !pkcs11key
// +build !pkcs11key

// Copyright 2021 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cli

import (
	"github.com/spf13/cobra"
)

// PKCS11Tool is the stand-in for the pkcs11-tool subcommand in builds that
// lack the pkcs11key build tag; it only reports that support is absent.
func PKCS11Tool() *cobra.Command {
	cmd := &cobra.Command{
		Use:   "pkcs11-tool",
		Short: "This cosign was not built with pkcs11-tool support!",
	}
	return cmd
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/rekor/rekor.go:
--------------------------------------------------------------------------------
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rekor

import (
	rekor "github.com/sigstore/rekor/pkg/client"
	"github.com/sigstore/rekor/pkg/generated/client"

	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
)

// NewClient returns a Rekor API client for rekorURL that identifies itself
// with cosign's User-Agent (options.UserAgent()).
//
// On failure the client is nil and the error from the rekor client library
// is returned unchanged.
func NewClient(rekorURL string) (*client.Rekor, error) {
	withUA := rekor.WithUserAgent(options.UserAgent())
	c, err := rekor.GetRekorClient(rekorURL, withUA)
	if err != nil {
		return nil, err
	}
	return c, nil
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/rekor/rekor_test.go:
--------------------------------------------------------------------------------
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
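
package rekor

import (
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"testing"

	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
)

// TestNewClient verifies that a client built by NewClient sends cosign's
// User-Agent header with its requests.
func TestNewClient(t *testing.T) {
	t.Parallel()
	expectedUserAgent := options.UserAgent()

	// Set by the server's handler goroutine and read by the test goroutine,
	// so it is kept atomic instead of a plain bool.
	var requestReceived atomic.Bool
	testServer := httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			requestReceived.Store(true)

			// t.Errorf (never Fatal) is the safe choice off the test goroutine.
			if got := r.UserAgent(); got != expectedUserAgent {
				t.Errorf("wanted User-Agent %q, got %q", expectedUserAgent, got)
			}
			w.WriteHeader(http.StatusOK)
			_, _ = w.Write([]byte{})
		}))
	defer testServer.Close()

	client, err := NewClient(testServer.URL)
	if err != nil {
		// Fatal, not Error: continuing would dereference a nil client below.
		t.Fatal(err)
	}
	// Only the outgoing request matters here; the empty 200 response is not a
	// usable log-info payload, so the result is deliberately ignored.
	_, _ = client.Tlog.GetLogInfo(nil)

	if !requestReceived.Load() {
		t.Fatal("no requests were received")
	}
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/sign/privacy/privacy.go:
--------------------------------------------------------------------------------
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.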

package privacy

import "sync"

// Statement and StatementConfirmation are the privacy notice shown before a
// keyless signing submission, and the line the user must acknowledge. Both
// are user-facing text; any change here changes what signers are asked to
// agree to.
const (
	// spacing is intentional to have this indented
	// NOTE(review): the leading whitespace of each line inside this raw string
	// is part of the printed text; it was lost in extraction and is reproduced
	// here as one tab per line — confirm against the original file.
	Statement = `
	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.
	`

	StatementConfirmation = "By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above."
)

var (
	// StatementOnce lets callers print the statement at most once per process.
	StatementOnce sync.Once
)

--------------------------------------------------------------------------------
/cmd/cosign/cli/triangulate.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cli

import (
	"flag"

	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
	"github.com/sigstore/cosign/v2/cmd/cosign/cli/triangulate"
	"github.com/spf13/cobra"
)

// Triangulate builds the "triangulate" subcommand, which prints the registry
// reference where cosign stores a given attachment for an image.
//
// The command takes exactly one positional argument (the image reference);
// any other count returns flag.ErrHelp so cobra prints usage.
func Triangulate() *cobra.Command {
	o := &options.TriangulateOptions{}

	run := func(cmd *cobra.Command, args []string) error {
		if len(args) != 1 {
			return flag.ErrHelp
		}
		return triangulate.MungeCmd(cmd.Context(), o.Registry, args[0], o.Type)
	}

	cmd := &cobra.Command{
		Use:   "triangulate",
		Short: "Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type.",
		// NOTE(review): the example text appears truncated in this copy of the
		// file (likely an extraction artifact); confirm it against the repo.
		Example:          " cosign triangulate ",
		PersistentPreRun: options.BindViper,
		RunE:             run,
	}

	o.AddFlags(cmd)
	return cmd
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/upload/wasm.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package upload

import (
	"context"
	"fmt"
	"os"

	"github.com/google/go-containerregistry/pkg/name"
	"github.com/google/go-containerregistry/pkg/v1/remote"
	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
	"github.com/sigstore/cosign/v2/pkg/oci/static"
	"github.com/sigstore/cosign/v2/pkg/types"
)

// WasmCmd uploads the wasm module at wasmPath to the registry as imageRef,
// using regOpts for reference parsing and for the registry client options.
//
// The module is wrapped as a single-layer image whose layer and config carry
// the wasm media types from pkg/types. Errors from reading the file, parsing
// the reference, building the image or writing it are returned unchanged.
func WasmCmd(ctx context.Context, regOpts options.RegistryOptions, wasmPath, imageRef string) error {
	contents, err := os.ReadFile(wasmPath)
	if err != nil {
		return err
	}

	ref, err := name.ParseReference(imageRef, regOpts.NameOptions()...)
	if err != nil {
		return err
	}

	// Progress message goes to stderr; the write error is intentionally ignored.
	fmt.Fprintf(os.Stderr, "Uploading wasm file from [%s] to [%s].\n", wasmPath, ref.Name())

	img, err := static.NewFile(contents,
		static.WithLayerMediaType(types.WasmLayerMediaType),
		static.WithConfigMediaType(types.WasmConfigMediaType),
	)
	if err != nil {
		return err
	}

	return remote.Write(ref, img, regOpts.GetRegistryClientOpts(ctx)...)
}

--------------------------------------------------------------------------------
/cmd/cosign/cli/verify/verify_attestation_test.go:
--------------------------------------------------------------------------------
// Copyright 2022 the Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package verify

import (
	"context"
	"testing"

	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
)

// execExpectingError runs cmd against placeholder arguments and fails the
// test if Exec does not return an error; want names the error the caller
// expects, for the failure message only.
func execExpectingError(t *testing.T, cmd VerifyAttestationCommand, want string) {
	t.Helper()
	err := cmd.Exec(context.Background(), []string{"foo", "bar", "baz"})
	if err == nil {
		t.Fatalf("verifyAttestation expected '%s'", want)
	}
}

// TestVerifyAttestationMissingSubject checks that a certificate-based verify
// without --certificate-identity is rejected.
func TestVerifyAttestationMissingSubject(t *testing.T) {
	cmd := VerifyAttestationCommand{
		CertRef: "cert.pem",
		CertVerifyOptions: options.CertVerifyOptions{
			CertOidcIssuer: "issuer",
		},
	}
	execExpectingError(t, cmd, "need --certificate-identity")
}

// TestVerifyAttestationMissingIssuer checks that a certificate-based verify
// without --certificate-oidc-issuer is rejected.
func TestVerifyAttestationMissingIssuer(t *testing.T) {
	cmd := VerifyAttestationCommand{
		CertRef: "cert.pem",
		CertVerifyOptions: options.CertVerifyOptions{
			CertIdentity: "subject",
		},
	}
	execExpectingError(t, cmd, "need --certificate-oidc-issuer")
}

--------------------------------------------------------------------------------
/cmd/cosign/errors/error_wrap.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
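
package errors

// WrapError converts err into a *CosignError whose Message is err's text and
// whose Code comes from LookupExitCodeForError: error types with a registered
// exit code keep it, and anything else gets the default exit code of 1.
//
// A nil err yields nil instead of panicking on err.Error().
func WrapError(err error) error {
	if err == nil {
		return nil
	}
	return &CosignError{
		Message: err.Error(),
		Code:    LookupExitCodeForError(err),
	}
}

--------------------------------------------------------------------------------
/cmd/cosign/errors/error_wrap_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.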
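
package errors

import (
	"errors"
	"testing"
)

// TestWrapWithGenericCosignError checks that WrapError turns a plain error
// into a *CosignError that keeps the message and maps to exit code 1.
func TestWrapWithGenericCosignError(t *testing.T) {
	errorText := "i am a generic cosign error"
	err := WrapError(errors.New(errorText))

	var cosignError *CosignError
	if !errors.As(err, &cosignError) {
		// Previously this path fell through silently and the test passed
		// without checking anything.
		t.Fatalf("WrapError returned %T, want *CosignError", err)
	}
	if cosignError.ExitCode() != 1 || cosignError.Message != errorText {
		t.Fatalf("generic cosign error unsuccessfully returned")
	}
	t.Logf("generic cosign error successfully returned")
}

--------------------------------------------------------------------------------
/cmd/cosign/errors/errors.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package errors

// CosignError pairs an error message with the process exit code cosign
// should use for it.
type CosignError struct {
	Message string // text returned by Error()
	Code    int    // exit status returned by ExitCode()
}

// Error returns a heap-allocated copy of cosignError as an error value.
func Error(cosignError CosignError) error {
	return &CosignError{
		Message: cosignError.Message,
		Code:    cosignError.Code,
	}
}

// Assert that we implement error at build time.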
var _ error = (*CosignError)(nil)

// Error implements error; the message is returned verbatim.
func (ce *CosignError) Error() string { return ce.Message }

// ExitCode reports the process exit status associated with this error.
func (ce *CosignError) ExitCode() int { return ce.Code }

--------------------------------------------------------------------------------
/cmd/cosign/errors/exit_code_lookup_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package errors

import (
	"fmt"
	"testing"

	pkgError "github.com/sigstore/cosign/v2/pkg/cosign"
)

// TestDefaultExitCodeReturnIfErrorTypeToExitCodeMappingDoesNotExist checks
// that an error type with no registered mapping falls back to exit code 1.
func TestDefaultExitCodeReturnIfErrorTypeToExitCodeMappingDoesNotExist(t *testing.T) {
	unknown := fmt.Errorf("I do not exist as an error type")
	if got := LookupExitCodeForError(unknown); got != 1 {
		t.Fatalf("default exit code not returned when an error type doesn't exist. default should be 1")
	}
	t.Logf("Correct default exit code returned")
}

// TestDefaultExitCodeReturnIfErrorTypeToExitCodeMappingExists checks that a
// registered error type maps to its dedicated exit code.
func TestDefaultExitCodeReturnIfErrorTypeToExitCodeMappingExists(t *testing.T) {
	// We test with any error that is not a generic CosignError.
	// In this case, ErrNoMatchingSignatures
	mapped := &pkgError.ErrNoMatchingSignatures{}
	if got := LookupExitCodeForError(mapped); got != NoMatchingSignature {
		t.Fatalf("NoMatchingSignature exit code not returned when error is thrown")
	}
	t.Logf("Correct default exit code returned")
}

--------------------------------------------------------------------------------
/cmd/cosign/errors/exit_codes.go:
--------------------------------------------------------------------------------
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package errors

// Exit codes for cosign.
// To allow for document generation of exit codes the following convention is
// to be followed.
// Convention:
// | // comment that explains the error
// | const NamedConstant = ERRORCODE
//
// This is so when `make docgen` is run, the cosign_exit-codes.md doc is automatically
// generated inside of the docs dir following the format of "Exit Code : Comment".
27 | 28 | // Error verifying image due to no signature 29 | const ImageWithoutSignature = 10 30 | 31 | // Error verifying image due to non-existent tag 32 | const NonExistentTag = 11 33 | 34 | // Error verifying image due to no matching signature 35 | const NoMatchingSignature = 12 36 | 37 | // Error verifying image due to no certificate found on signature 38 | const NoCertificateFoundOnSignature = 13 39 | -------------------------------------------------------------------------------- /cmd/help/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2021 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
package main

import (
	"fmt"
	"os"

	"github.com/sigstore/cosign/v2/cmd/cosign/cli"
	"github.com/sigstore/cosign/v2/cmd/cosign/cli/templates"
	errors "github.com/sigstore/cosign/v2/cmd/cosign/errors"
	"github.com/spf13/cobra"
	"github.com/spf13/cobra/doc"
)

// main builds the "gendoc" command, which writes the exit-code table and the
// Markdown tree for every cosign command into the directory given by --dir
// (default "doc"). Any failure is printed and turned into exit status 1.
func main() {
	var outDir string

	// generate runs both document generators; the exit-code docs go first and
	// abort the process themselves on failure, as the original did.
	generate := func(*cobra.Command, []string) error {
		if genErr := errors.GenerateExitCodeDocs(outDir); genErr != nil {
			fmt.Println(genErr)
			os.Exit(1)
		}
		return doc.GenMarkdownTree(cli.New(), outDir)
	}

	root := &cobra.Command{
		Use:          "gendoc",
		Short:        "Generate cosign's help docs",
		SilenceUsage: true,
		Args:         cobra.NoArgs,
		RunE:         generate,
	}
	root.Flags().StringVarP(&outDir, "dir", "d", "doc", "Path to directory in which to generate docs")

	templates.SetCustomUsageFunc(root)

	execErr := root.Execute()
	if execErr == nil {
		return
	}
	fmt.Println(execErr)
	os.Exit(1)
}
--------------------------------------------------------------------------------
/cmd/help/verify.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright 2021 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -e

# Verify that generated Markdown docs are up-to-date.
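tmpdir=$(mktemp -d)
# Remove the scratch directory however the script ends; without this, every
# run (and every failing diff under set -e) leaked a directory in $TMPDIR.
trap 'rm -rf "$tmpdir"' EXIT
go run -tags pivkey,pkcs11key,cgo cmd/help/main.go --dir "$tmpdir"
echo "###########################################"
echo "If diffs are found, run: make docgen"
echo "###########################################"
# diff exits non-zero when the freshly generated docs differ from doc/, which
# set -e turns into a failing check.
diff -Naur "$tmpdir" doc/
--------------------------------------------------------------------------------
/cmd/sample/main.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import "log"

// main logs a fixed greeting and exits.
func main() {
	log.Printf("Hello, World!")
}
--------------------------------------------------------------------------------
/codecov.yml:
--------------------------------------------------------------------------------
# Copyright 2023 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.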
12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | coverage: 16 | status: 17 | project: off 18 | patch: off 19 | -------------------------------------------------------------------------------- /doc/cosign_attach.md: -------------------------------------------------------------------------------- 1 | ## cosign attach 2 | 3 | Provides utilities for attaching artifacts to other artifacts in a registry 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for attach 9 | ``` 10 | 11 | ### Options inherited from parent commands 12 | 13 | ``` 14 | --output-file string log output to a file 15 | -t, --timeout duration timeout for commands (default 3m0s) 16 | -d, --verbose log debug output 17 | ``` 18 | 19 | ### SEE ALSO 20 | 21 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 22 | * [cosign attach attestation](cosign_attach_attestation.md) - Attach attestation to the supplied container image 23 | * [cosign attach sbom](cosign_attach_sbom.md) - DEPRECATED: Attach sbom to the supplied container image 24 | * [cosign attach signature](cosign_attach_signature.md) - Attach signatures to the supplied container image 25 | 26 | -------------------------------------------------------------------------------- /doc/cosign_bundle.md: -------------------------------------------------------------------------------- 1 | ## cosign bundle 2 | 3 | Interact with a Sigstore protobuf bundle 4 | 5 | ### Synopsis 6 | 7 | Tools for interacting with a Sigstore protobuf bundle 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for bundle 13 | ``` 14 | 15 | ### Options inherited from parent commands 16 | 17 | ``` 18 | --output-file string log output to a file 19 | -t, --timeout duration timeout for commands (default 3m0s) 20 | -d, --verbose log debug output 21 | ``` 22 | 23 | ### SEE ALSO 24 | 25 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage 
in an OCI registry. 26 | * [cosign bundle create](cosign_bundle_create.md) - Create a Sigstore protobuf bundle 27 | 28 | -------------------------------------------------------------------------------- /doc/cosign_bundle_create.md: -------------------------------------------------------------------------------- 1 | ## cosign bundle create 2 | 3 | Create a Sigstore protobuf bundle 4 | 5 | ### Synopsis 6 | 7 | Create a Sigstore protobuf bundle by supplying signed material 8 | 9 | ``` 10 | cosign bundle create [flags] 11 | ``` 12 | 13 | ### Options 14 | 15 | ``` 16 | --artifact string path to artifact FILE 17 | --attestation string path to attestation FILE 18 | --bundle string path to old format bundle FILE 19 | --certificate string path to the signing certificate, likely from Fulcio. 20 | -h, --help help for create 21 | --ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. 22 | --key string path to the public key file, KMS URI or Kubernetes Secret 23 | --out string path to output bundle 24 | --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") 25 | --rfc3161-timestamp string path to RFC3161 timestamp FILE 26 | --signature string path to base64-encoded signature over attestation in DSSE format 27 | --sk whether to use a hardware security key 28 | --slot string security key slot to use for generated key (authentication|signature|card-authentication|key-management) (default "signature") 29 | ``` 30 | 31 | ### Options inherited from parent commands 32 | 33 | ``` 34 | --output-file string log output to a file 35 | -t, --timeout duration timeout for commands (default 3m0s) 36 | -d, --verbose log debug output 37 | ``` 38 | 39 | ### SEE ALSO 40 | 41 | * [cosign bundle](cosign_bundle.md) - Interact with a Sigstore protobuf bundle 42 | 43 | -------------------------------------------------------------------------------- /doc/cosign_completion.md: 
-------------------------------------------------------------------------------- 1 | ## cosign completion 2 | 3 | Generate completion script 4 | 5 | ### Synopsis 6 | 7 | To load completions: 8 | Bash: 9 | $ source <(cosign completion bash) 10 | # To load completions for each session, execute once: 11 | # Linux: 12 | $ cosign completion bash > /etc/bash_completion.d/cosign 13 | # macOS: 14 | $ cosign completion bash > /usr/local/etc/bash_completion.d/cosign 15 | Zsh: 16 | # If shell completion is not already enabled in your environment, 17 | # you will need to enable it. You can execute the following once: 18 | $ echo "autoload -U compinit; compinit" >> ~/.zshrc 19 | # To load completions for each session, execute once: 20 | $ cosign completion zsh > "${fpath[1]}/_cosign" 21 | # You will need to start a new shell for this setup to take effect. 22 | fish: 23 | $ cosign completion fish | source 24 | # To load completions for each session, execute once: 25 | $ cosign completion fish > ~/.config/fish/completions/cosign.fish 26 | PowerShell: 27 | PS> cosign completion powershell | Out-String | Invoke-Expression 28 | # To load completions for every new session, run: 29 | PS> cosign completion powershell > cosign.ps1 30 | # and source this file from your PowerShell profile. 31 | 32 | 33 | ``` 34 | cosign completion [bash|zsh|fish|powershell] 35 | ``` 36 | 37 | ### Options 38 | 39 | ``` 40 | -h, --help help for completion 41 | ``` 42 | 43 | ### Options inherited from parent commands 44 | 45 | ``` 46 | --output-file string log output to a file 47 | -t, --timeout duration timeout for commands (default 3m0s) 48 | -d, --verbose log debug output 49 | ``` 50 | 51 | ### SEE ALSO 52 | 53 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
54 | 55 | -------------------------------------------------------------------------------- /doc/cosign_dockerfile.md: -------------------------------------------------------------------------------- 1 | ## cosign dockerfile 2 | 3 | Provides utilities for discovering images in and performing operations on Dockerfiles 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for dockerfile 9 | ``` 10 | 11 | ### Options inherited from parent commands 12 | 13 | ``` 14 | --output-file string log output to a file 15 | -t, --timeout duration timeout for commands (default 3m0s) 16 | -d, --verbose log debug output 17 | ``` 18 | 19 | ### SEE ALSO 20 | 21 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 22 | * [cosign dockerfile verify](cosign_dockerfile_verify.md) - Verify a signature on the base image specified in the Dockerfile 23 | 24 | -------------------------------------------------------------------------------- /doc/cosign_download.md: -------------------------------------------------------------------------------- 1 | ## cosign download 2 | 3 | Provides utilities for downloading artifacts and attached artifacts in a registry 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for download 9 | ``` 10 | 11 | ### Options inherited from parent commands 12 | 13 | ``` 14 | --output-file string log output to a file 15 | -t, --timeout duration timeout for commands (default 3m0s) 16 | -d, --verbose log debug output 17 | ``` 18 | 19 | ### SEE ALSO 20 | 21 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
22 | * [cosign download attestation](cosign_download_attestation.md) - Download in-toto attestations from the supplied container image 23 | * [cosign download sbom](cosign_download_sbom.md) - DEPRECATED: Download SBOMs from the supplied container image 24 | * [cosign download signature](cosign_download_signature.md) - Download signatures from the supplied container image 25 | 26 | -------------------------------------------------------------------------------- /doc/cosign_env.md: -------------------------------------------------------------------------------- 1 | ## cosign env 2 | 3 | Prints Cosign environment variables 4 | 5 | ``` 6 | cosign env [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for env 13 | --show-descriptions show descriptions for environment variables (default true) 14 | --show-sensitive-values show values of sensitive environment variables 15 | ``` 16 | 17 | ### Options inherited from parent commands 18 | 19 | ``` 20 | --output-file string log output to a file 21 | -t, --timeout duration timeout for commands (default 3m0s) 22 | -d, --verbose log debug output 23 | ``` 24 | 25 | ### SEE ALSO 26 | 27 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
28 | 29 | -------------------------------------------------------------------------------- /doc/cosign_exit_codes.md: -------------------------------------------------------------------------------- 1 | # Exit codes for cosign CLI 2 | 3 | > The following exit codes may be subject to change 4 | 5 | | Exit code | Meaning | 6 | | :----: | :---- | 7 | | 10 | Error verifying image due to no signature| 8 | | 11 | Error verifying image due to non-existent tag| 9 | | 12 | Error verifying image due to no matching signature| 10 | | 13 | Error verifying image due to no certificate found on signature| 11 | -------------------------------------------------------------------------------- /doc/cosign_import-key-pair.md: -------------------------------------------------------------------------------- 1 | ## cosign import-key-pair 2 | 3 | Imports a PEM-encoded RSA or EC private key. 4 | 5 | ### Synopsis 6 | 7 | Imports a PEM-encoded RSA or EC private key for signing. 8 | 9 | ``` 10 | cosign import-key-pair [flags] 11 | ``` 12 | 13 | ### Examples 14 | 15 | ``` 16 | cosign import-key-pair --key openssl.key --output-key-prefix my-key 17 | 18 | # import PEM-encoded RSA or EC private key and write to import-cosign.key and import-cosign.pub files 19 | cosign import-key-pair --key <key path> 20 | 21 | # import PEM-encoded RSA or EC private key and write to my-key.key and my-key.pub files 22 | cosign import-key-pair --key <key path> --output-key-prefix my-key 23 | 24 | CAVEATS: 25 | This command interactively prompts for a password. You can use 26 | the COSIGN_PASSWORD environment variable to provide one. 
27 | ``` 28 | 29 | ### Options 30 | 31 | ``` 32 | -h, --help help for import-key-pair 33 | -k, --key string import key pair to use for signing 34 | -o, --output-key-prefix string name used for outputted key pairs (default "import-cosign") 35 | -y, --yes skip confirmation prompts for overwriting existing key 36 | ``` 37 | 38 | ### Options inherited from parent commands 39 | 40 | ``` 41 | --output-file string log output to a file 42 | -t, --timeout duration timeout for commands (default 3m0s) 43 | -d, --verbose log debug output 44 | ``` 45 | 46 | ### SEE ALSO 47 | 48 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 49 | 50 | -------------------------------------------------------------------------------- /doc/cosign_login.md: -------------------------------------------------------------------------------- 1 | ## cosign login 2 | 3 | Log in to a registry 4 | 5 | ``` 6 | cosign login [OPTIONS] [SERVER] [flags] 7 | ``` 8 | 9 | ### Examples 10 | 11 | ``` 12 | # Log in to reg.example.com (for a real credential prefer --password-stdin, so the password does not end up in shell history or process listings) 13 | cosign login reg.example.com -u AzureDiamond -p hunter2 14 | ``` 15 | 16 | ### Options 17 | 18 | ``` 19 | -h, --help help for login 20 | -p, --password string Password 21 | --password-stdin Take the password from stdin 22 | -u, --username string Username 23 | ``` 24 | 25 | ### Options inherited from parent commands 26 | 27 | ``` 28 | --output-file string log output to a file 29 | -t, --timeout duration timeout for commands (default 3m0s) 30 | -d, --verbose log debug output 31 | ``` 32 | 33 | ### SEE ALSO 34 | 35 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
36 | 37 | -------------------------------------------------------------------------------- /doc/cosign_manifest.md: -------------------------------------------------------------------------------- 1 | ## cosign manifest 2 | 3 | Provides utilities for discovering images in and performing operations on Kubernetes manifests 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for manifest 9 | ``` 10 | 11 | ### Options inherited from parent commands 12 | 13 | ``` 14 | --output-file string log output to a file 15 | -t, --timeout duration timeout for commands (default 3m0s) 16 | -d, --verbose log debug output 17 | ``` 18 | 19 | ### SEE ALSO 20 | 21 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 22 | * [cosign manifest verify](cosign_manifest_verify.md) - Verify all signatures of images specified in the manifest 23 | 24 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool 2 | 3 | Provides utilities for managing a hardware token 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for piv-tool 9 | -f, --no-input skip warnings and confirmations 10 | ``` 11 | 12 | ### Options inherited from parent commands 13 | 14 | ``` 15 | --output-file string log output to a file 16 | -t, --timeout duration timeout for commands (default 3m0s) 17 | -d, --verbose log debug output 18 | ``` 19 | 20 | ### SEE ALSO 21 | 22 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
23 | * [cosign piv-tool attestation](cosign_piv-tool_attestation.md) - attestation contains commands to manage a hardware token 24 | * [cosign piv-tool generate-key](cosign_piv-tool_generate-key.md) - generate-key generates a new signing key on the hardware token 25 | * [cosign piv-tool reset](cosign_piv-tool_reset.md) - reset resets the hardware token completely 26 | * [cosign piv-tool set-management-key](cosign_piv-tool_set-management-key.md) - sets the management key of a hardware token 27 | * [cosign piv-tool set-pin](cosign_piv-tool_set-pin.md) - sets the PIN on a hardware token 28 | * [cosign piv-tool set-puk](cosign_piv-tool_set-puk.md) - sets the PUK on a hardware token 29 | * [cosign piv-tool unblock](cosign_piv-tool_unblock.md) - unblocks the hardware token, sets a new PIN 30 | 31 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_attestation.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool attestation 2 | 3 | attestation contains commands to manage a hardware token 4 | 5 | ``` 6 | cosign piv-tool attestation [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for attestation 13 | -o, --output string format to output attestation information in. 
(text|json) (default "text") 14 | --slot string Slot to use for generated key (authentication|signature|card-authentication|key-management) 15 | ``` 16 | 17 | ### Options inherited from parent commands 18 | 19 | ``` 20 | -f, --no-input skip warnings and confirmations 21 | --output-file string log output to a file 22 | -t, --timeout duration timeout for commands (default 3m0s) 23 | -d, --verbose log debug output 24 | ``` 25 | 26 | ### SEE ALSO 27 | 28 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 29 | 30 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_generate-key.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool generate-key 2 | 3 | generate-key generates a new signing key on the hardware token 4 | 5 | ``` 6 | cosign piv-tool generate-key [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for generate-key 13 | --management-key string management key, uses default if empty 14 | --pin-policy string PIN policy for slot (never|once|always) 15 | --random-management-key if set to true, generates a new random management key and deletes it after 16 | --slot string Slot to use for generated key (authentication|signature|card-authentication|key-management) 17 | --touch-policy string Touch policy for slot (never|always|cached) 18 | ``` 19 | 20 | ### Options inherited from parent commands 21 | 22 | ``` 23 | -f, --no-input skip warnings and confirmations 24 | --output-file string log output to a file 25 | -t, --timeout duration timeout for commands (default 3m0s) 26 | -d, --verbose log debug output 27 | ``` 28 | 29 | ### SEE ALSO 30 | 31 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 32 | 33 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_reset.md: 
-------------------------------------------------------------------------------- 1 | ## cosign piv-tool reset 2 | 3 | reset resets the hardware token completely 4 | 5 | ``` 6 | cosign piv-tool reset [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for reset 13 | ``` 14 | 15 | ### Options inherited from parent commands 16 | 17 | ``` 18 | -f, --no-input skip warnings and confirmations 19 | --output-file string log output to a file 20 | -t, --timeout duration timeout for commands (default 3m0s) 21 | -d, --verbose log debug output 22 | ``` 23 | 24 | ### SEE ALSO 25 | 26 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 27 | 28 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_set-management-key.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool set-management-key 2 | 3 | sets the management key of a hardware token 4 | 5 | ``` 6 | cosign piv-tool set-management-key [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for set-management-key 13 | --new-key string new management key, uses default if empty 14 | --old-key string existing management key, uses default if empty 15 | --random-management-key if set to true, generates a new random management key and deletes it after 16 | ``` 17 | 18 | ### Options inherited from parent commands 19 | 20 | ``` 21 | -f, --no-input skip warnings and confirmations 22 | --output-file string log output to a file 23 | -t, --timeout duration timeout for commands (default 3m0s) 24 | -d, --verbose log debug output 25 | ``` 26 | 27 | ### SEE ALSO 28 | 29 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 30 | 31 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_set-pin.md: -------------------------------------------------------------------------------- 1 | ## 
cosign piv-tool set-pin 2 | 3 | sets the PIN on a hardware token 4 | 5 | ``` 6 | cosign piv-tool set-pin [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for set-pin 13 | --new-pin string new PIN, uses default if empty 14 | --old-pin string existing PIN, uses default if empty 15 | ``` 16 | 17 | ### Options inherited from parent commands 18 | 19 | ``` 20 | -f, --no-input skip warnings and confirmations 21 | --output-file string log output to a file 22 | -t, --timeout duration timeout for commands (default 3m0s) 23 | -d, --verbose log debug output 24 | ``` 25 | 26 | ### SEE ALSO 27 | 28 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 29 | 30 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_set-puk.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool set-puk 2 | 3 | sets the PUK on a hardware token 4 | 5 | ``` 6 | cosign piv-tool set-puk [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for set-puk 13 | --new-puk string new PUK, uses default if empty 14 | --old-puk string existing PUK, uses default if empty 15 | ``` 16 | 17 | ### Options inherited from parent commands 18 | 19 | ``` 20 | -f, --no-input skip warnings and confirmations 21 | --output-file string log output to a file 22 | -t, --timeout duration timeout for commands (default 3m0s) 23 | -d, --verbose log debug output 24 | ``` 25 | 26 | ### SEE ALSO 27 | 28 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 29 | 30 | -------------------------------------------------------------------------------- /doc/cosign_piv-tool_unblock.md: -------------------------------------------------------------------------------- 1 | ## cosign piv-tool unblock 2 | 3 | unblocks the hardware token, sets a new PIN 4 | 5 | ``` 6 | cosign piv-tool unblock [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | 
``` 12 | -h, --help help for unblock 13 | --new-PIN string new PIN, uses default if empty 14 | --puk string existing PUK, uses default if empty 15 | ``` 16 | 17 | ### Options inherited from parent commands 18 | 19 | ``` 20 | -f, --no-input skip warnings and confirmations 21 | --output-file string log output to a file 22 | -t, --timeout duration timeout for commands (default 3m0s) 23 | -d, --verbose log debug output 24 | ``` 25 | 26 | ### SEE ALSO 27 | 28 | * [cosign piv-tool](cosign_piv-tool.md) - Provides utilities for managing a hardware token 29 | 30 | -------------------------------------------------------------------------------- /doc/cosign_pkcs11-tool.md: -------------------------------------------------------------------------------- 1 | ## cosign pkcs11-tool 2 | 3 | Provides utilities for retrieving information from a PKCS11 token. 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for pkcs11-tool 9 | -f, --no-input skip warnings and confirmations 10 | ``` 11 | 12 | ### Options inherited from parent commands 13 | 14 | ``` 15 | --output-file string log output to a file 16 | -t, --timeout duration timeout for commands (default 3m0s) 17 | -d, --verbose log debug output 18 | ``` 19 | 20 | ### SEE ALSO 21 | 22 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
23 | * [cosign pkcs11-tool list-keys-uris](cosign_pkcs11-tool_list-keys-uris.md) - list-keys-uris lists URIs of all keys in a PKCS11 token 24 | * [cosign pkcs11-tool list-tokens](cosign_pkcs11-tool_list-tokens.md) - list-tokens lists all PKCS11 tokens linked to a PKCS11 module 25 | 26 | -------------------------------------------------------------------------------- /doc/cosign_pkcs11-tool_list-keys-uris.md: -------------------------------------------------------------------------------- 1 | ## cosign pkcs11-tool list-keys-uris 2 | 3 | list-keys-uris lists URIs of all keys in a PKCS11 token 4 | 5 | ``` 6 | cosign pkcs11-tool list-keys-uris [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for list-keys-uris 13 | --module-path string absolute path to the PKCS11 module 14 | --pin string pin of the PKCS11 slot, uses environment variable COSIGN_PKCS11_PIN if empty 15 | --slot-id uint id of the PKCS11 slot, uses 0 if empty 16 | ``` 17 | 18 | ### Options inherited from parent commands 19 | 20 | ``` 21 | -f, --no-input skip warnings and confirmations 22 | --output-file string log output to a file 23 | -t, --timeout duration timeout for commands (default 3m0s) 24 | -d, --verbose log debug output 25 | ``` 26 | 27 | ### SEE ALSO 28 | 29 | * [cosign pkcs11-tool](cosign_pkcs11-tool.md) - Provides utilities for retrieving information from a PKCS11 token. 
30 | 31 | -------------------------------------------------------------------------------- /doc/cosign_pkcs11-tool_list-tokens.md: -------------------------------------------------------------------------------- 1 | ## cosign pkcs11-tool list-tokens 2 | 3 | list-tokens lists all PKCS11 tokens linked to a PKCS11 module 4 | 5 | ``` 6 | cosign pkcs11-tool list-tokens [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for list-tokens 13 | --module-path string absolute path to the PKCS11 module 14 | ``` 15 | 16 | ### Options inherited from parent commands 17 | 18 | ``` 19 | -f, --no-input skip warnings and confirmations 20 | --output-file string log output to a file 21 | -t, --timeout duration timeout for commands (default 3m0s) 22 | -d, --verbose log debug output 23 | ``` 24 | 25 | ### SEE ALSO 26 | 27 | * [cosign pkcs11-tool](cosign_pkcs11-tool.md) - Provides utilities for retrieving information from a PKCS11 token. 28 | 29 | -------------------------------------------------------------------------------- /doc/cosign_trusted-root.md: -------------------------------------------------------------------------------- 1 | ## cosign trusted-root 2 | 3 | Interact with a Sigstore protobuf trusted root 4 | 5 | ### Synopsis 6 | 7 | Tools for interacting with a Sigstore protobuf trusted root 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for trusted-root 13 | ``` 14 | 15 | ### Options inherited from parent commands 16 | 17 | ``` 18 | --output-file string log output to a file 19 | -t, --timeout duration timeout for commands (default 3m0s) 20 | -d, --verbose log debug output 21 | ``` 22 | 23 | ### SEE ALSO 24 | 25 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 
26 | * [cosign trusted-root create](cosign_trusted-root_create.md) - Create a Sigstore protobuf trusted root 27 | 28 | -------------------------------------------------------------------------------- /doc/cosign_trusted-root_create.md: -------------------------------------------------------------------------------- 1 | ## cosign trusted-root create 2 | 3 | Create a Sigstore protobuf trusted root 4 | 5 | ### Synopsis 6 | 7 | Create a Sigstore protobuf trusted root by supplying verification material 8 | 9 | ``` 10 | cosign trusted-root create [flags] 11 | ``` 12 | 13 | ### Options 14 | 15 | ``` 16 | --certificate-chain stringArray path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. 17 | --ctfe-key stringArray path to a PEM-encoded public key used by certificate authority for certificate transparency log. 18 | --ctfe-start-time stringArray RFC 3339 string describing validity start time for key use by certificate transparency log. 19 | -h, --help help for create 20 | --out string path to output trusted root 21 | --rekor-key stringArray path to a PEM-encoded public key used by transparency log like Rekor. 22 | --rekor-start-time stringArray RFC 3339 string describing validity start time for key use by transparency log like Rekor. 23 | --timestamp-certificate-chain stringArray path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. 
Optionally may contain intermediate CA certificates 24 | ``` 25 | 26 | ### Options inherited from parent commands 27 | 28 | ``` 29 | --output-file string log output to a file 30 | -t, --timeout duration timeout for commands (default 3m0s) 31 | -d, --verbose log debug output 32 | ``` 33 | 34 | ### SEE ALSO 35 | 36 | * [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root 37 | 38 | -------------------------------------------------------------------------------- /doc/cosign_upload.md: -------------------------------------------------------------------------------- 1 | ## cosign upload 2 | 3 | Provides utilities for uploading artifacts to a registry 4 | 5 | ### Options 6 | 7 | ``` 8 | -h, --help help for upload 9 | ``` 10 | 11 | ### Options inherited from parent commands 12 | 13 | ``` 14 | --output-file string log output to a file 15 | -t, --timeout duration timeout for commands (default 3m0s) 16 | -d, --verbose log debug output 17 | ``` 18 | 19 | ### SEE ALSO 20 | 21 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 22 | * [cosign upload blob](cosign_upload_blob.md) - Upload one or more blobs to the supplied container image address. 
23 | * [cosign upload wasm](cosign_upload_wasm.md) - Upload a wasm module to the supplied container image reference 24 | 25 | -------------------------------------------------------------------------------- /doc/cosign_version.md: -------------------------------------------------------------------------------- 1 | ## cosign version 2 | 3 | Prints the version 4 | 5 | ``` 6 | cosign version [flags] 7 | ``` 8 | 9 | ### Options 10 | 11 | ``` 12 | -h, --help help for version 13 | --json print JSON instead of text 14 | ``` 15 | 16 | ### Options inherited from parent commands 17 | 18 | ``` 19 | --output-file string log output to a file 20 | -t, --timeout duration timeout for commands (default 3m0s) 21 | -d, --verbose log debug output 22 | ``` 23 | 24 | ### SEE ALSO 25 | 26 | * [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. 27 | 28 | -------------------------------------------------------------------------------- /hack/boilerplate/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | // Copyright 2022 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
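-------------------------------------------------------------------------------- /hack/update-deps.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright 2022 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Refresh Go module dependencies: upgrade every module referenced by the
# repository and prune go.mod/go.sum. Intended to be run from any cwd.
set -o errexit
set -o nounset
set -o pipefail

# Change to the repository root (one level above hack/). The command
# substitution is quoted so that a checkout path containing spaces or glob
# characters is passed to pushd as a single argument instead of being
# word-split and glob-expanded.
pushd "$(dirname "$0")/.."

go get ./...
go mod tidy
-------------------------------------------------------------------------------- /images/dot/signatures.dot: --------------------------------------------------------------------------------
digraph {
  compound=true;
  rankdir="LR";
  ordering = in;

  subgraph cluster_registry {
    label = "registry";

    subgraph cluster_tags {
      label = "/v2/.../tags/list";

      tag [label="tag", shape="rect"];
      tag2 [label="tag", shape="rect"];
    }

    subgraph cluster_manifests {
      label = "/v2/.../manifests/";

      subgraph cluster_image {
        label = "image";

        mconfig [label="config", shape="rect"];
        layers [label="layers", shape="rect"];
      }

      subgraph cluster_index {
        label = "signature index";

        imanifest [label="manifests", shape="rect"];
      }
    }

    subgraph cluster_blobs {
      label = "/v2/.../blobs/";

      bconfig [label="config", shape="hexagon"];

      l1 [label="layer",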
shape="folder"]; 39 | l2 [label="layer", shape="folder"]; 40 | desc1 [label="descriptor", shape="rect", color="green"]; 41 | desc2 [label="descriptor", shape="rect", color="green"]; 42 | } 43 | 44 | layers -> l1; 45 | layers -> l2; 46 | 47 | mconfig -> bconfig; 48 | 49 | imanifest -> desc1 [color="green"]; 50 | imanifest -> desc2 [color="green"]; 51 | 52 | desc1 -> mconfig [lhead=cluster_image, color="green"]; 53 | desc2 -> mconfig [lhead=cluster_image, color="green"]; 54 | 55 | tag -> mconfig [style="dashed", lhead=cluster_image]; 56 | tag2 -> imanifest [style="dashed", lhead=cluster_index]; 57 | } 58 | } -------------------------------------------------------------------------------- /internal/pkg/cosign/dsse.go: -------------------------------------------------------------------------------- 1 | // Copyright 2021 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package cosign 16 | 17 | import ( 18 | "context" 19 | "crypto" 20 | "io" 21 | 22 | "github.com/sigstore/cosign/v2/pkg/oci" 23 | ) 24 | 25 | // DSSEAttestor creates attestations in the form of `oci.Signature`s 26 | type DSSEAttestor interface { 27 | // Attest creates an attestation, in the form of an `oci.Signature`, from the given payload. 
28 | // The signature and payload are stored as a DSSE envelope in `osi.Signature.Payload()` 29 | DSSEAttest(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error) 30 | } 31 | -------------------------------------------------------------------------------- /internal/pkg/cosign/ephemeral/signer_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2021 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | 15 | package ephemeral 16 | 17 | import ( 18 | "bytes" 19 | "context" 20 | "crypto" 21 | "strings" 22 | "testing" 23 | 24 | "github.com/sigstore/sigstore/pkg/signature" 25 | ) 26 | 27 | func TestEphemeralSigner(t *testing.T) { 28 | testSigner, err := NewSigner() 29 | if err != nil { 30 | t.Fatalf("NewSigner() returned error: %v", err) 31 | } 32 | 33 | testPayload := "test payload" 34 | 35 | ociSig, pub, err := testSigner.Sign(context.Background(), strings.NewReader(testPayload)) 36 | if err != nil { 37 | t.Fatalf("Sign() returned error: %v", err) 38 | } 39 | 40 | verifier, err := signature.LoadVerifier(pub, crypto.SHA256) 41 | if err != nil { 42 | t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err) 43 | } 44 | 45 | sig, err := ociSig.Signature() 46 | if err != nil { 47 | t.Fatalf("ociSig.Signature() returned error: %v", err) 48 | } 49 | 50 | err = verifier.VerifySignature(bytes.NewReader(sig), strings.NewReader(testPayload)) 51 | if err != nil { 52 | t.Fatalf("VerifySignature() returned error: %v", err) 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /internal/pkg/cosign/payload/size/errors.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
package payload

import "fmt"

// MaxLayerSizeExceeded is an error indicating that the layer is too big to read into memory and cosign should abort processing it.
type MaxLayerSizeExceeded struct {
	value   uint64 // observed size of the layer, in bytes
	maximum uint64 // limit the size was compared against, in bytes
}

// NewMaxLayerSizeExceeded builds the error for a layer of `value` bytes that
// exceeded the `maximum` byte limit. The returned pointer implements error.
func NewMaxLayerSizeExceeded(value, maximum uint64) *MaxLayerSizeExceeded {
	return &MaxLayerSizeExceeded{value, maximum}
}

// Error reports both the offending size and the limit, so the reader of a log
// line can tell whether the artifact or the configured limit is the problem.
func (e *MaxLayerSizeExceeded) Error() string {
	return fmt.Sprintf("size of layer (%d) exceeded the limit (%d)", e.value, e.maximum)
}
-------------------------------------------------------------------------------- /internal/pkg/cosign/payload/size/size.go: --------------------------------------------------------------------------------
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package payload

import (
	"github.com/dustin/go-humanize"
	"github.com/sigstore/cosign/v2/pkg/cosign/env"
)

const defaultMaxSize = uint64(134217728) // 128MiB

// CheckSize returns a *MaxLayerSizeExceeded error when size (in bytes) is
// larger than the permitted maximum, and nil otherwise.
//
// The maximum defaults to defaultMaxSize (128MiB). It can be overridden via
// the environment variable named by env.VariableMaxAttachmentSize; the value
// is parsed with humanize.ParseBytes, so human-readable sizes (e.g. "1GiB")
// are accepted. A value that does not parse is silently ignored and the
// default limit applies again — the caller is not told that the override was
// dropped, so a typo in the variable lowers (or raises) the limit back to
// 128MiB without any warning.
func CheckSize(size uint64) error {
	maxSize := defaultMaxSize
	maxSizeOverride, exists := env.LookupEnv(env.VariableMaxAttachmentSize)
	if exists {
		var err error
		maxSize, err = humanize.ParseBytes(maxSizeOverride)
		if err != nil {
			// Malformed override: restore the built-in limit rather than keeping
			// whatever ParseBytes left in maxSize on failure.
			maxSize = defaultMaxSize
		}
	}
	if size > maxSize {
		return NewMaxLayerSizeExceeded(size, maxSize)
	}
	return nil
}
-------------------------------------------------------------------------------- /internal/pkg/cosign/sign.go: --------------------------------------------------------------------------------
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cosign

import (
	"context"
	"crypto"
	"io"

	"github.com/sigstore/cosign/v2/pkg/oci"
)

// Signer signs payloads in the form of `oci.Signature`s
type Signer interface {
	// Sign signs the given payload, returning the results as an `oci.Signature` which can be verified using the returned `crypto.PublicKey`.
Sign(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error)
}
-------------------------------------------------------------------------------- /internal/pkg/cosign/tsa/utils.go: --------------------------------------------------------------------------------
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package tsa

import (
	"bytes"
	"crypto/x509"

	"github.com/sigstore/sigstore/pkg/cryptoutils"
)

// SplitPEMCertificateChain parses the PEM-encoded certificates in pem and
// returns them as three slices: leaf (non-CA) certificates, intermediate CA
// certificates and root CA certificates. Order within each slice follows the
// order in the input.
//
// The classification is purely structural and performs no cryptographic
// verification: a certificate is a leaf when its IsCA flag is false, a root
// when it is a CA whose raw Subject equals its raw Issuer (self-issued), and
// an intermediate otherwise. Nothing here checks that any certificate is
// actually signed by the next one, or that a "root" is trusted; callers must
// still verify the chain against a trust anchor before relying on the result.
//
// Any parse error from cryptoutils.UnmarshalCertificatesFromPEM is returned
// unchanged together with three nil slices.
func SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {
	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)
	if err != nil {
		return nil, nil, nil, err
	}

	for _, cert := range certs {
		if !cert.IsCA {
			leaves = append(leaves, cert)
		} else {
			// Self-issued CA certificates (Subject == Issuer, compared on the raw
			// DER) are treated as roots; this does not verify the self-signature.
			if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
				roots = append(roots, cert)
			} else {
				intermediates = append(intermediates, cert)
			}
		}
	}

	return leaves, intermediates, roots, nil
}
--------------------------------------------------------------------------------
/internal/pkg/now/now.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2023 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | package now 17 | 18 | import ( 19 | "fmt" 20 | "os" 21 | "strconv" 22 | "time" 23 | ) 24 | 25 | // Now returns SOURCE_DATE_EPOCH or time.Now(). 26 | func Now() (time.Time, error) { 27 | // nolint 28 | epoch := os.Getenv("SOURCE_DATE_EPOCH") 29 | if epoch == "" { 30 | return time.Now(), nil 31 | } 32 | 33 | seconds, err := strconv.ParseInt(epoch, 10, 64) 34 | if err != nil { 35 | return time.Now(), fmt.Errorf("SOURCE_DATE_EPOCH should be the number of seconds since January 1st 1970, 00:00 UTC, got: %w", err) 36 | } 37 | return time.Unix(seconds, 0), nil 38 | } 39 | -------------------------------------------------------------------------------- /internal/pkg/oci/remote/remote.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2023 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 
6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | package remote 17 | 18 | import ( 19 | "fmt" 20 | ) 21 | 22 | // ArtifactType converts a attachment name (sig/sbom/att/etc.) into a valid artifactType (OCI 1.1+). 23 | func ArtifactType(attName string) string { 24 | return fmt.Sprintf("application/vnd.dev.cosign.artifact.%s.v1+json", attName) 25 | } 26 | -------------------------------------------------------------------------------- /internal/ui/log.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | package ui 15 | 16 | import ( 17 | "context" 18 | "fmt" 19 | ) 20 | 21 | func (w *Env) infof(msg string, a ...any) { 22 | msg = fmt.Sprintf(msg, a...) 23 | fmt.Fprintln(w.Stderr, msg) 24 | } 25 | 26 | // Infof logs an informational message. It works like fmt.Printf, except that it 27 | // always has a trailing newline. 
28 | func Infof(ctx context.Context, msg string, a ...any) { 29 | getEnv(ctx).infof(msg, a...) 30 | } 31 | 32 | func (w *Env) warnf(msg string, a ...any) { 33 | msg = fmt.Sprintf(msg, a...) 34 | fmt.Fprintf(w.Stderr, "WARNING: %s\n", msg) 35 | } 36 | 37 | // Warnf logs a warning message (prefixed by "WARNING:"). It works like 38 | // fmt.Printf, except that it always has a trailing newline. 39 | func Warnf(ctx context.Context, msg string, a ...any) { 40 | getEnv(ctx).warnf(msg, a...) 41 | } 42 | -------------------------------------------------------------------------------- /internal/ui/log_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | package ui_test 15 | 16 | import ( 17 | "context" 18 | "testing" 19 | 20 | "github.com/sigstore/cosign/v2/internal/ui" 21 | "github.com/stretchr/testify/assert" 22 | ) 23 | 24 | type testCase struct { 25 | name string 26 | input string 27 | args []any 28 | expected string 29 | } 30 | 31 | func TestInfof(t *testing.T) { 32 | cases := []testCase{ 33 | {"basic", "foo", nil, "foo\n"}, 34 | {"multiline", "foo\nbar", nil, "foo\nbar\n"}, 35 | {"fmt", "foo: %v", []any{"bar"}, "foo: bar\n"}, 36 | } 37 | for _, tc := range cases { 38 | stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) { 39 | ui.Infof(ctx, tc.input, tc.args...) 
40 | }) 41 | assert.Equal(t, tc.expected, stderr, "Bad output to STDERR") 42 | } 43 | } 44 | 45 | func TestWarnf(t *testing.T) { 46 | cases := []testCase{ 47 | {"basic", "foo", nil, "WARNING: foo\n"}, 48 | {"multiline", "foo\nbar", nil, "WARNING: foo\nbar\n"}, 49 | {"fmt", "bar: %v", []any{"baz"}, "WARNING: bar: baz\n"}, 50 | } 51 | for _, tc := range cases { 52 | stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) { 53 | ui.Warnf(ctx, tc.input, tc.args...) 54 | }) 55 | assert.Equal(t, tc.expected, stderr, "Bad output to STDERR") 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /internal/ui/warnings.go: -------------------------------------------------------------------------------- 1 | // Copyright 2023 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package ui 16 | 17 | const TagReferenceMessage string = `Image reference %s uses a tag, not a digest, to identify the image to sign. 18 | This can lead you to sign a different image than the intended one. Please use a 19 | digest (example.com/ubuntu@sha256:abc123...) rather than tag 20 | (example.com/ubuntu:latest) for the input to cosign. The ability to refer to 21 | images by tag will be removed in a future release. 
22 | ` 23 | -------------------------------------------------------------------------------- /pkg/cosign/attestation/fuzz_test.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2024 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | package attestation 17 | 18 | import ( 19 | "bytes" 20 | "testing" 21 | ) 22 | 23 | func FuzzGenerateStatement(f *testing.F) { 24 | f.Fuzz(func(_ *testing.T, predicate []byte, digest, repo string, stmttType int) { 25 | var statementType string 26 | switch stmttType % 9 { 27 | case 0: 28 | statementType = "slsaprovenance" 29 | case 1: 30 | statementType = "slsaprovenance02" 31 | case 2: 32 | statementType = "slsaprovenance1" 33 | case 3: 34 | statementType = "spdx" 35 | case 4: 36 | statementType = "spdxjson" 37 | case 5: 38 | statementType = "cyclonedx" 39 | case 6: 40 | statementType = "link" 41 | case 7: 42 | statementType = "vuln" 43 | case 8: 44 | statementType = "openvex" 45 | default: 46 | statementType = "" 47 | } 48 | opts := GenerateOpts{ 49 | Predicate: bytes.NewReader(predicate), 50 | Type: statementType, 51 | Digest: digest, 52 | Repo: repo, 53 | } 54 | GenerateStatement(opts) 55 | }) 56 | } 57 | -------------------------------------------------------------------------------- /pkg/cosign/bundle/rekor.go: -------------------------------------------------------------------------------- 1 | // 
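Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package bundle

import (
	"github.com/sigstore/rekor/pkg/generated/models"
)

// RekorBundle holds metadata about recording a Signature's ephemeral key to
// a Rekor transparency log.
type RekorBundle struct {
	// SignedEntryTimestamp is the log's signature over the canonicalised
	// Payload, as returned in the entry's Verification block.
	SignedEntryTimestamp []byte
	Payload              RekorPayload
}

// RekorPayload is the subset of a Rekor log entry that is stored alongside a
// signature so it can be verified offline. Field names match the JSON used
// by Rekor for the signed entry timestamp.
type RekorPayload struct {
	Body           interface{} `json:"body"`
	IntegratedTime int64       `json:"integratedTime"`
	LogIndex       int64       `json:"logIndex"`
	LogID          string      `json:"logID"`
}

// EntryToBundle converts a Rekor log entry into a RekorBundle.
//
// It returns nil when the entry carries no Verification block, and also when
// entry itself or any of the pointer fields it copies (IntegratedTime,
// LogIndex, LogID) is nil. The generated models use pointers for these
// fields, so a response from a log server missing one of them would
// otherwise make the dereferences below panic; an incomplete entry is
// treated the same as an unverifiable one.
func EntryToBundle(entry *models.LogEntryAnon) *RekorBundle {
	if entry == nil || entry.Verification == nil {
		return nil
	}
	if entry.IntegratedTime == nil || entry.LogIndex == nil || entry.LogID == nil {
		return nil
	}
	return &RekorBundle{
		SignedEntryTimestamp: entry.Verification.SignedEntryTimestamp,
		Payload: RekorPayload{
			Body:           entry.Body,
			IntegratedTime: *entry.IntegratedTime,
			LogIndex:       *entry.LogIndex,
			LogID:          *entry.LogID,
		},
	}
}
-------------------------------------------------------------------------------- /pkg/cosign/bundle/tsa.go: --------------------------------------------------------------------------------
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.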
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package bundle 16 | 17 | // RFC3161Timestamp holds metadata about timestamp RFC3161 verification data. 18 | type RFC3161Timestamp struct { 19 | // SignedRFC3161Timestamp contains a DER encoded TimeStampResponse. 20 | // See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2 21 | // Clients MUST verify the hashed message in the message imprint, 22 | // typically using the artifact signature. 23 | SignedRFC3161Timestamp []byte 24 | } 25 | 26 | // TimestampToRFC3161Timestamp receives a base64 encoded RFC3161 timestamp. 27 | func TimestampToRFC3161Timestamp(timestampRFC3161 []byte) *RFC3161Timestamp { 28 | if timestampRFC3161 != nil { 29 | return &RFC3161Timestamp{ 30 | SignedRFC3161Timestamp: timestampRFC3161, 31 | } 32 | } 33 | return nil 34 | } 35 | -------------------------------------------------------------------------------- /pkg/cosign/bundle/tsa_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package bundle 16 | 17 | import ( 18 | "reflect" 19 | "testing" 20 | 21 | "github.com/go-openapi/strfmt" 22 | ) 23 | 24 | func TestRFC3161Timestamp(t *testing.T) { 25 | testCases := []struct { 26 | name string 27 | timestampRFC3161Entry []byte 28 | expectedRFC3161Timestamp *RFC3161Timestamp 29 | }{{ 30 | name: "nil timestamp entry", 31 | timestampRFC3161Entry: nil, 32 | expectedRFC3161Timestamp: nil, 33 | }, { 34 | name: "timestamp entry", 35 | timestampRFC3161Entry: strfmt.Base64([]byte("signature")), 36 | expectedRFC3161Timestamp: &RFC3161Timestamp{ 37 | SignedRFC3161Timestamp: strfmt.Base64([]byte("signature")), 38 | }, 39 | }} 40 | for _, tc := range testCases { 41 | t.Run(tc.name, func(t *testing.T) { 42 | gotBundle := TimestampToRFC3161Timestamp(tc.timestampRFC3161Entry) 43 | if !reflect.DeepEqual(gotBundle, tc.expectedRFC3161Timestamp) { 44 | t.Errorf("TimestampToRFC3161Timestamp returned %v, wanted %v", gotBundle, tc.expectedRFC3161Timestamp) 45 | } 46 | }) 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /pkg/cosign/common.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 
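// GetPassFromTerm prompts on stderr and reads a password from the terminal on
// stdin with echo disabled. When confirm is true the password is requested a
// second time and both entries must be identical.
//
// It returns the password bytes, or the error from the terminal read (which
// fails when stdin is not a terminal; see IsTerminal), or an error when the
// two entries differ.
//
// TODO(jason): Move this to an internal package.
func GetPassFromTerm(confirm bool) ([]byte, error) {
	fmt.Fprint(os.Stderr, "Enter password for private key: ")
	// Unnecessary convert of syscall.Stdin on *nix, but Windows is a uintptr
	// nolint:unconvert
	pw1, err := term.ReadPassword(int(syscall.Stdin))
	if err != nil {
		return nil, err
	}
	// ReadPassword swallows the user's newline, so terminate the prompt line.
	fmt.Fprintln(os.Stderr)
	if !confirm {
		return pw1, nil
	}
	fmt.Fprint(os.Stderr, "Enter password for private key again: ")
	// Unnecessary convert of syscall.Stdin on *nix, but Windows is a uintptr
	// nolint:unconvert
	confirmpw, err := term.ReadPassword(int(syscall.Stdin))
	fmt.Fprintln(os.Stderr)
	if err != nil {
		return nil, err
	}

	if string(pw1) != string(confirmpw) {
		return nil, errors.New("passwords do not match")
	}
	return pw1, nil
}

// IsTerminal reports whether stdin is a character device, i.e. an interactive
// terminal that can be prompted for a password. It returns false when stdin
// cannot be stat'ed (previously the error was discarded and the nil FileInfo
// dereferenced, which panics).
//
// TODO(jason): Move this to an internal package.
func IsTerminal() bool {
	stat, err := os.Stdin.Stat()
	if err != nil {
		return false
	}
	return (stat.Mode() & os.ModeCharDevice) != 0
}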
// ValidateJSON checks jsonBody against the CUE schema loaded from each of the
// given entrypoints.
//
// It returns the first error met while loading an instance, building its
// value, or validating the document against it, and nil once every instance
// has accepted the document.
func ValidateJSON(jsonBody []byte, entrypoints []string) error {
	cueCtx := cuecontext.New()
	for _, inst := range load.Instances(entrypoints, nil) {
		if inst.Err != nil {
			return inst.Err
		}
		schema := cueCtx.BuildInstance(inst)
		if err := schema.Err(); err != nil {
			return err
		}
		if err := cuejson.Validate(jsonBody, schema); err != nil {
			return err
		}
	}
	return nil
}
// FuzzValidateJSON feeds arbitrary documents and a single arbitrary
// entrypoint into ValidateJSON. The fuzzer is only hunting for panics, so the
// returned error is deliberately discarded.
func FuzzValidateJSON(f *testing.F) {
	f.Fuzz(func(_ *testing.T, doc []byte, entrypoint string) {
		_ = ValidateJSON(doc, []string{entrypoint})
	})
}
// providerMap maps a reference scheme to the Git provider that serves it.
var providerMap = map[string]Git{
	github.ReferenceScheme: github.New(),
	gitlab.ReferenceScheme: gitlab.New(),
}

// Git is the provider-neutral interface for storing and fetching secrets in a
// Git hosting service.
type Git interface {
	// PutSecret stores a secret for ref, using pf to obtain the password.
	PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) error
	// GetSecret fetches the secret named key for ref.
	GetSecret(ctx context.Context, ref string, key string) (string, error)
}

// GetProvider returns the Git implementation registered for the given
// scheme, or nil when the scheme is unknown; callers must check for nil
// before use.
func GetProvider(provider string) Git {
	if impl, ok := providerMap[provider]; ok {
		return impl
	}
	return nil
}
// ObsoletePayload returns the implied payload that some commands expect to match
// the signature if no payload is provided by the user.
//
// The payload is the JSON form of payload.Cosign for digestedImage. A warning
// is written through ui.Warnf every time the payload is produced, so that
// users move to passing --payload explicitly.
//
// DO NOT ADD ANY NEW CALLERS OF THIS.
func ObsoletePayload(ctx context.Context, digestedImage name.Digest) ([]byte, error) {
	implied := payload.Cosign{Image: digestedImage}
	blob, err := implied.MarshalJSON()
	if err != nil {
		return nil, err
	}
	ui.Warnf(ctx, "using obsolete implied signature payload data (with digested reference %s); specify it explicitly with --payload instead",
		digestedImage.Name())
	return blob, nil
}
// TestObsoletePayload pins the exact bytes of the implied payload and checks
// that the deprecation warning reaches stderr.
//
// This looks like a smoke test, but the property of generating _exactly_ the
// same string as previous versions is essential.
func TestObsoletePayload(t *testing.T) {
	const wantPayload = `{"critical":{"identity":{"docker-reference":"index.docker.io/namespace/image"},"image":{"docker-manifest-digest":"sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec"},"type":"cosign container image signature"},"optional":null}`

	img, err := name.NewDigest("docker.io/namespace/image@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec")
	require.NoError(t, err)

	var got []byte
	stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
		var perr error
		got, perr = ObsoletePayload(ctx, img)
		require.NoError(t, perr)
	})
	assert.Contains(t, stderr, "obsolete implied signature payload")
	assert.Equal(t, []byte(wantPayload), got)
}
// FuzzValidateJSON feeds arbitrary documents and a single arbitrary
// entrypoint into ValidateJSON. The fuzzer is only hunting for panics, so the
// returned error is deliberately discarded.
func FuzzValidateJSON(f *testing.F) {
	f.Fuzz(func(_ *testing.T, doc []byte, entrypoint string) {
		_ = ValidateJSON(doc, []string{entrypoint})
	})
}
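// key is the unexported context key under which the Rekor client is stored.
// Being unexported, only this package can write or read the value.
type key struct{}

// Set returns a copy of ctx carrying rekorClient, retrievable with Get.
// TODO(jason): Rename this to something better than pkg/cosign.Set.
func Set(ctx context.Context, rekorClient *client.Rekor) context.Context {
	return context.WithValue(ctx, key{}, rekorClient)
}

// Get extracts the Rekor client from the context.
//
// It returns nil when nothing was stored with Set. The type assertion is
// checked, so a value of an unexpected type under the key also yields nil
// instead of panicking.
// TODO(jason): Rename this to something better than pkg/cosign.Get.
func Get(ctx context.Context) *client.Rekor {
	rekorClient, ok := ctx.Value(key{}).(*client.Rekor)
	if !ok {
		return nil
	}
	return rekorClient
}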
K0RlqbFDl2JXMBquwlQpm8u5wrsic1ksIv9z8x9zh4PJqNpCah0ciemI3YGRQqSe 10 | /mRRXBiSn9YQBUPcaeqCYan+snGADFwHuXCd9xIAdFBolw9R9HTedHGUfVXPJDiF 11 | 4VusfX6BRR/qaadB+bqEArF/TzuDUr6FvOR4o8lUUxgLuZ/7HO+bHnaPFKYHHSm+ 12 | +z1lVDhhYuSZ8ax3T0C3FZpb7HMjZtpEorSV5ElKJEJwrhrBCMOD8L01EoSPrGlS 13 | 1w22i9uGHMn/uGQKo28u7AsCAwEAAQ== 14 | -----END PUBLIC KEY----- 15 | -------------------------------------------------------------------------------- /pkg/cosign/testdata/letsencrypt-testflume-2021: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/cosign/c03e2a8f883d54b0bfbadbac8497e6efcf6fb364/pkg/cosign/testdata/letsencrypt-testflume-2021 -------------------------------------------------------------------------------- /pkg/cosign/testdata/rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PUBLIC KEY----- 2 | MIICCgKCAgEAsxbYrZKRAi25BJrhgUTaLcy0eN22zAKC2iLP99BobGRKLxIsvNJj 3 | mV+TjFDe7KH+VwEeByJI7IpKu/j73JkDAWG2T16sjveLzVZHi+xgInG9HTensmo9 4 | nYKpOGAfuAeCyWbuoNpMoxNMVBn4WyM/gPLg5RKD4BSMS/QwJzbg6pS+2O5ckBZW 5 | TSMouK5lO71PsJE9mFt8TJfOTFMXZsfwFPkJqhVDL+2Xm5+4TZdhXiA0196xYd1A 6 | VJLG3gQ1nWv0wd9l3pGxaLQfTClm6iQX6VhWwqH+27Udqh212FYVIe5WRjOUMNj4 7 | 2EohgjkXSjlIii2jeNbRv8yJwASIiY+cshEEF8U0DcUgCTer2e8jKe9OrsjbrYDD 8 | v8EgqkBUNpMZrveZtOH1+SHI1BeWw+SMjR0VtoCGcb7ZGJ4URKJSpe0stBStfJFa 9 | 7+zfdjz1dKqJHLkgpaWsdSh1/pnniASOQ5WzpB3vJA673yY3ZuZW6Cr3XL3S4uzn 10 | c0wSlc/NiseNOCmCACPWG3oju3hyc1L4PigeqocGqXintJR0YXRBLcO46vAyBkiR 11 | EXK0ZZ+oYZk2Qlx5nVz9tGA9+9LcDhx+yzbDNJQwf4KHNBfg7J9j1Igi0CcCVWOR 12 | iO/3lv6wd+tqwbAlxFgAXEn0+PH3Q1BtT3Ydu+9zoEAJtfy4AKcHwVkCAwEAAQ== 13 | -----END RSA PUBLIC KEY----- 14 | -------------------------------------------------------------------------------- /pkg/cosign/verify_bundle.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2025 The Sigstore Authors. 
// VerifyNewBundle verifies a SigstoreBundle with the given parameters.
//
// The trusted material, verifier options and policy options are all derived
// from co; artifactPolicyOption binds the verification to the artifact being
// checked. The context parameter is currently unused. Any error from building
// the options or the verifier is returned before verification starts.
func VerifyNewBundle(_ context.Context, co *CheckOpts, artifactPolicyOption verify.ArtifactPolicyOption, bundle verify.SignedEntity) (*verify.VerificationResult, error) {
	trusted, verifierOpts, policyOpts, err := co.verificationOptions()
	if err != nil {
		return nil, err
	}
	sev, err := verify.NewSignedEntityVerifier(trusted, verifierOpts...)
	if err != nil {
		return nil, err
	}
	policy := verify.NewPolicy(artifactPolicyOption, policyOpts...)
	return sev.Verify(bundle, policy)
}
6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // Package oci holds functions and types intended to align and compose with 17 | // github.com/google/go-containerregistry. 18 | package oci 19 | -------------------------------------------------------------------------------- /pkg/oci/empty/empty.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | package empty 17 | 18 | import ( 19 | v1 "github.com/google/go-containerregistry/pkg/v1" 20 | "github.com/google/go-containerregistry/pkg/v1/empty" 21 | "github.com/google/go-containerregistry/pkg/v1/mutate" 22 | "github.com/google/go-containerregistry/pkg/v1/types" 23 | 24 | "github.com/sigstore/cosign/v2/pkg/oci" 25 | ) 26 | 27 | // Signatures constructs an empty oci.Signatures. 
// Signatures constructs an empty oci.Signatures.
//
// The backing image is go-containerregistry's empty image; unless Docker
// media types are requested via oci.DockerMediaTypes, its manifest and config
// media types are switched to the OCI equivalents.
func Signatures() oci.Signatures {
	img := empty.Image
	if oci.DockerMediaTypes() {
		return &emptyImage{Image: img}
	}
	img = mutate.MediaType(img, types.OCIManifestSchema1)
	img = mutate.ConfigMediaType(img, types.OCIConfigJSON)
	return &emptyImage{Image: img}
}

// emptyImage is a v1.Image that carries no signatures.
type emptyImage struct {
	v1.Image
}

var _ oci.Signatures = (*emptyImage)(nil)

// Get implements oci.Signatures; it always reports no signatures and no error.
func (*emptyImage) Get() ([]oci.Signature, error) {
	return nil, nil
}
// MaxLayersExceeded is an error indicating that the artifact has too many layers and cosign should abort processing it.
type MaxLayersExceeded struct {
	value   int64 // number of layers observed
	maximum int64 // limit that was exceeded
}

// NewMaxLayersExceeded builds the error for an artifact carrying value layers
// against a limit of maximum.
func NewMaxLayersExceeded(value, maximum int64) *MaxLayersExceeded {
	return &MaxLayersExceeded{value: value, maximum: maximum}
}

// Error implements the error interface.
func (e *MaxLayersExceeded) Error() string {
	const format = "number of layers (%d) exceeded the limit (%d)"
	return fmt.Sprintf(format, e.value, e.maximum)
}
// SignedImage represents an OCI Image, complemented with accessors
// for retrieving signed metadata associated with that image.
//
// It is the union of go-containerregistry's v1.Image and this package's
// SignedEntity, so any v1.Image method and any signed-metadata accessor is
// available on the same value.
type SignedImage interface {
	SignedEntity
	v1.Image
}
// SignedImageIndex represents an OCI ImageIndex, complemented with accessors
// for retrieving signed metadata associated with that ImageIndex.
type SignedImageIndex interface {
	SignedEntity
	v1.ImageIndex

	// SignedImage is the same as Image, but provides accessors for the nested
	// image's signed metadata.
	SignedImage(v1.Hash) (SignedImage, error)

	// SignedImageIndex is the same as ImageIndex, but provides accessors for
	// the nested image index's signed metadata.
	SignedImageIndex(v1.Hash) (SignedImageIndex, error)
}
26 | Signatures() (Signatures, error) 27 | 28 | // Attestations returns the set of attestations currently associated with this 29 | // entity, or the empty equivalent if none are found. 30 | // Attestations are just like a Signature, but they do not contain 31 | // Base64Signature because it's baked into the payload. 32 | Attestations() (Signatures, error) 33 | 34 | // Attachment returns a named entity associated with this entity, or error if not found. 35 | Attachment(name string) (File, error) 36 | } 37 | -------------------------------------------------------------------------------- /pkg/oci/layout/signatures.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 
// maxLayers bounds how many layers a signatures manifest may list before it
// is rejected; it caps the work and memory a single manifest can demand.
const maxLayers = 1000

// sigs exposes a v1.Image's layers as cosign signatures.
type sigs struct {
	v1.Image
}

var _ oci.Signatures = (*sigs)(nil)

// Get implements oci.Signatures
//
// Each manifest layer is resolved by digest and wrapped as an oci.Signature.
// The layer-count check runs before any allocation, so an oversized manifest
// fails fast with oci.MaxLayersExceeded.
func (s *sigs) Get() ([]oci.Signature, error) {
	m, err := s.Manifest()
	if err != nil {
		return nil, err
	}
	layers := m.Layers
	if n := int64(len(layers)); n > maxLayers {
		return nil, oci.NewMaxLayersExceeded(n, maxLayers)
	}
	out := make([]oci.Signature, 0, len(layers))
	for _, desc := range layers {
		layer, err := s.LayerByDigest(desc.Digest)
		if err != nil {
			return nil, err
		}
		out = append(out, signature.New(layer, desc))
	}
	return out, nil
}
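// TestGet checks the layer-count guard in sigs.Get: a manifest within the
// limit succeeds, one above it fails with the MaxLayersExceeded message.
//
// The "exceeds limit" branch previously called err.Error() unconditionally,
// which would panic on a nil error instead of reporting a clean failure; the
// nil case is now folded into the comparison.
func TestGet(t *testing.T) {
	tests := []struct {
		name      string
		layers    int
		wantError error
	}{
		{
			name:      "within limit",
			layers:    23,
			wantError: nil,
		},
		{
			name:      "exceeds limit",
			layers:    4242,
			wantError: errors.New("number of layers (4242) exceeded the limit (1000)"),
		},
	}
	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			s := sigs{
				Image: &fake.FakeImage{
					ManifestStub: func() (*v1.Manifest, error) {
						// Only the layer count matters; descriptors stay zero-valued.
						return &v1.Manifest{
							Layers: make([]v1.Descriptor, test.layers),
						}, nil
					},
				},
			}
			_, err := s.Get()
			if test.wantError != nil {
				if err == nil || test.wantError.Error() != err.Error() {
					t.Fatalf("Get() = %v, wanted %v", err, test.wantError)
				}
			} else if err != nil {
				t.Fatalf("Get() = %v, wanted %v", err, test.wantError)
			}
		})
	}
}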

package oci

import (
	"strconv"

	"github.com/sigstore/cosign/v2/pkg/cosign/env"
)

const (
	// Deprecated: use `pkg/cosign/env/VariableDockerMediaTypes` instead.
	DockerMediaTypesEnv = env.VariableDockerMediaTypes
)

// DockerMediaTypes reports whether the VariableDockerMediaTypes environment
// variable holds a value that strconv.ParseBool accepts as true. Unset, empty
// and unparseable values all count as false.
func DockerMediaTypes() bool {
	raw := env.Getenv(env.VariableDockerMediaTypes)
	enabled, err := strconv.ParseBool(raw)
	return err == nil && enabled
}
--------------------------------------------------------------------------------
/pkg/oci/remote/digest.go:
--------------------------------------------------------------------------------
// Copyright 2021 The Sigstore Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package remote

import (
	"github.com/google/go-containerregistry/pkg/name"
)

// ResolveDigest returns the digest of the image at the reference.
//
// If the reference is by digest already, it simply extracts the digest.
// Otherwise, it looks up the digest from the registry.
func ResolveDigest(ref name.Reference, opts ...Option) (name.Digest, error) {
	o := makeOptions(ref.Context(), opts...)
	// A digest reference already pins the content; nothing to look up.
	pinned, isDigest := ref.(name.Digest)
	if isDigest {
		return pinned, nil
	}
	// A tag is mutable: ask the registry what it points at right now and pin
	// that. Callers should keep using the returned digest instead of
	// re-resolving the tag later, or they may act on a different image.
	desc, err := remoteGet(ref, o.ROpt...)
	if err != nil {
		return name.Digest{}, err
	}
	return ref.Context().Digest(desc.Digest.String()), nil
}
--------------------------------------------------------------------------------
/pkg/oci/remote/referrers.go:
--------------------------------------------------------------------------------
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package remote

import (
	"github.com/google/go-containerregistry/pkg/name"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	"github.com/google/go-containerregistry/pkg/v1/remote"
)

// Referrers fetches the referrers index of d using registry options.
//
// When artifactType is non-empty it is passed to the registry as an
// artifactType filter. NOTE(review): the referrers filter is applied at the
// registry's discretion; confirm that callers still check artifactType on the
// returned descriptors rather than assuming it was enforced here.
func Referrers(d name.Digest, artifactType string, opts ...Option) (*v1.IndexManifest, error) {
	registryOpts := makeOptions(name.Repository{}, opts...).ROpt
	if artifactType != "" {
		registryOpts = append(registryOpts, remote.WithFilter("artifactType", artifactType))
	}
	index, err := remote.Referrers(d, registryOpts...)
	if err != nil {
		return nil, err
	}
	return index.IndexManifest()
}
--------------------------------------------------------------------------------
/pkg/oci/signed/image.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
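//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package signed

import (
	"errors"

	v1 "github.com/google/go-containerregistry/pkg/v1"

	"github.com/sigstore/cosign/v2/pkg/oci"
	"github.com/sigstore/cosign/v2/pkg/oci/empty"
)

// Image returns an oci.SignedImage form of the v1.Image with no signatures.
//
// The result reports empty signature and attestation sets and no attachments.
// Wrapping an image this way verifies nothing about it; it only adapts the
// type.
func Image(i v1.Image) oci.SignedImage {
	return &image{
		Image: i,
	}
}

// image adapts a plain v1.Image to oci.SignedImage by answering every query
// for signed material with "none".
type image struct {
	v1.Image
}

var _ oci.SignedImage = (*image)(nil)

// Signatures implements oci.SignedImage; a bare image never has any.
func (*image) Signatures() (oci.Signatures, error) {
	return empty.Signatures(), nil
}

// Attestations implements oci.SignedImage; a bare image never has any.
func (*image) Attestations() (oci.Signatures, error) {
	return empty.Signatures(), nil
}

// Attachment implements oci.SignedImage. Attachments are not supported on a
// bare image, so every name yields an "unimplemented" error.
func (*image) Attachment(name string) (oci.File, error) { //nolint: revive
	return nil, errors.New("unimplemented")
}
--------------------------------------------------------------------------------
/pkg/oci/signed/image_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.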
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package signed

import (
	"testing"

	"github.com/google/go-containerregistry/pkg/v1/random"
)

// TestImage verifies that wrapping an arbitrary v1.Image with Image yields a
// SignedImage whose Signatures and Attestations are both present and empty.
func TestImage(t *testing.T) {
	img, err := random.Image(300 /* bytes */, 5 /* layers */)
	if err != nil {
		t.Fatalf("random.Image() = %v", err)
	}

	si := Image(img)

	sigs, err := si.Signatures()
	if err != nil {
		t.Fatalf("Signatures() = %v", err)
	}
	// An unsigned image must report zero signatures, not an error.
	if sl, err := sigs.Get(); err != nil {
		t.Errorf("Get() = %v", err)
	} else if n := len(sl); n != 0 {
		t.Errorf("len(Get()) = %d, wanted %d", n, 0)
	}

	atts, err := si.Attestations()
	if err != nil {
		t.Fatalf("Attestations() = %v", err)
	}
	// The same holds for attestations.
	if al, err := atts.Get(); err != nil {
		t.Errorf("Get() = %v", err)
	} else if n := len(al); n != 0 {
		t.Errorf("len(Get()) = %d, wanted %d", n, 0)
	}
}
--------------------------------------------------------------------------------
/pkg/oci/walk/walk.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
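// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package walk

import (
	"context"

	"github.com/sigstore/cosign/v2/pkg/oci"
	"github.com/sigstore/cosign/v2/pkg/oci/mutate"
)

// Fn is the signature of the callback supplied to SignedEntity.
// The oci.SignedEntity is either an oci.SignedImageIndex or an oci.SignedImage.
// This callback is called on oci.SignedImageIndex *before* its children.
type Fn func(context.Context, oci.SignedEntity) error

// SignedEntity calls `fn` on the signed entity and each of its constituent entities
// (`SignedImageIndex` or `SignedImage`) transitively.
//
// Any error returned by `fn` is returned by SignedEntity. The traversal is
// delegated to mutate.Map with an identity mapping: the callback hands back
// `se` unchanged, so visiting an entity never rewrites it. How mutate.Map
// orders the visit and whether it stops at the first error is defined there.
func SignedEntity(ctx context.Context, parent oci.SignedEntity, fn Fn) error {
	_, err := mutate.Map(ctx, parent, func(ctx context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
		if err := fn(ctx, se); err != nil {
			return nil, err
		}
		return se, nil
	})
	return err
}
--------------------------------------------------------------------------------
/pkg/policy/errors.go:
--------------------------------------------------------------------------------
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.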
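// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package policy

// EvaluationFailure is an error type that wraps the error produced while
// evaluating a policy, so callers can recognise it with errors.As and
// reach the underlying cause through errors.Unwrap.
//
// NOTE(review): where it is constructed — and whether it denotes only "input
// rejected by the policy" rather than "policy failed to load" — is not
// visible in this file; confirm before relying on that distinction.
type EvaluationFailure struct {
	err error
}

// Error implements error. It returns the wrapped error's message verbatim;
// a zero EvaluationFailure (nil err) yields a generic message instead of
// panicking.
func (e *EvaluationFailure) Error() string {
	if e.err == nil {
		return "policy evaluation failed"
	}
	return e.err.Error()
}

// Unwrap exposes the wrapped error to errors.Is and errors.As.
func (e *EvaluationFailure) Unwrap() error {
	return e.err
}
--------------------------------------------------------------------------------
/pkg/policy/fuzz_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.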
15 | 16 | package policy 17 | 18 | /* disabling since this effectively just fuzzes rego & cue vs something in cosign 19 | import ( 20 | "context" 21 | "runtime" 22 | "testing" 23 | ) 24 | 25 | var policyTypes = []string{"cue", "rego"} 26 | 27 | func catchPanics() { 28 | if r := recover(); r != nil { 29 | var errStr string 30 | switch err := r.(type) { 31 | case string: 32 | errStr = err 33 | case runtime.Error: 34 | errStr = err.Error() 35 | case error: 36 | errStr = err.Error() 37 | } 38 | switch { 39 | case errStr == "freeNode: nodeContext out of sync": 40 | return 41 | case errStr == "unreachable": 42 | return 43 | default: 44 | panic(errStr) 45 | } 46 | } 47 | } 48 | 49 | func FuzzEvaluatePolicyAgainstJSON(f *testing.F) { 50 | f.Fuzz(func(_ *testing.T, name, policyBody string, jsonBytes []byte, policyType uint8) { 51 | defer catchPanics() 52 | choosePolicyType := policyTypes[int(policyType)%len(policyTypes)] 53 | EvaluatePolicyAgainstJSON(context.Background(), name, choosePolicyType, policyBody, jsonBytes) 54 | }) 55 | } 56 | */ 57 | -------------------------------------------------------------------------------- /pkg/policy/testdata/malformed/custom: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJjb3NpZ24uc2lnc3RvcmUuZGV2L2F0dGVzdGF0aW9uL3YxIiwic3ViamVjdCI6W3sibmFtZSI6InJlZ2lzdHJ5LmxvY2FsOjUwMDAva25hdGl2ZS9kZW1vIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjZjNmZkNmE0MTE1YzZlOTk4ZmYzNTdjZDkxNDY4MDkzMWJiOWE2YzFhN2NkNWY1Y2IyZjVlMWMwOTMyYWI2ZWQifX1dLCJwcmVkaWNhdGUiOnsiRGF0YSI6ImZvb2JhciB0ZXN0IGF0dGVzdGF0aW9uIiwiVGltZXN0YW1wIjoiMjAyMi0wNC0wN1QxOToyMjoyNVoifX0=","signatures":[{"keyid":"","sig":"MEUCIQC/slGQVpRKgw4Jo8tcbgo85WNG/FOJfxcvQFvTEnG9swIgP4LeOmID+biUNwLLeylBQpAEgeV6GVcEpyG6r8LVnfY="}]} 2 | -------------------------------------------------------------------------------- 
/pkg/policy/testdata/malformed/vuln: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"keyid":"","sig":"MEUCIHE9QkUy+d6uFwae0LSH2Fgy99na3jQvaYMU6qj5dzbFAiEA0uKmqGY1ZHoQZsd0BR4Ug0c8d+sHT0hPcxA61o4DKlM="}]} 2 | -------------------------------------------------------------------------------- /pkg/policy/testdata/valid/custom: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2Nvc2lnbi5zaWdzdG9yZS5kZXYvYXR0ZXN0YXRpb24vdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicmVnaXN0cnkubG9jYWw6NTAwMC9rbmF0aXZlL2RlbW8iLCJkaWdlc3QiOnsic2hhMjU2IjoiNmM2ZmQ2YTQxMTVjNmU5OThmZjM1N2NkOTE0NjgwOTMxYmI5YTZjMWE3Y2Q1ZjVjYjJmNWUxYzA5MzJhYjZlZCJ9fV0sInByZWRpY2F0ZSI6eyJEYXRhIjoiZm9vYmFyIHRlc3QgYXR0ZXN0YXRpb24iLCJUaW1lc3RhbXAiOiIyMDIyLTA0LTA3VDE5OjIyOjI1WiJ9fQ==","signatures":[{"keyid":"","sig":"MEUCIQC/slGQVpRKgw4Jo8tcbgo85WNG/FOJfxcvQFvTEnG9swIgP4LeOmID+biUNwLLeylBQpAEgeV6GVcEpyG6r8LVnfY="}]} 2 | -------------------------------------------------------------------------------- /pkg/policy/testdata/valid/vuln: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"keyid":"","sig":"MEUCIHE9QkUy+d6uFwae0LSH2Fgy99na3jQvaYMU6qj5dzbFAiEA0uKmqGY1ZHoQZsd0BR4Ug0c8d+sHT0hPcxA61o4DKlM="}]} 2 | -------------------------------------------------------------------------------- /pkg/providers/all/all.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 
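//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package all

import (
	"github.com/sigstore/cosign/v2/pkg/providers"

	// Link in all of the providers.
	// Link the GitHub one first, since we might be running in a GitHub self-hosted
	// runner running in one of the other environments, and we should prefer GitHub
	// credentials if we can find them.
	//
	// NOTE(review): this relies on import position driving init() order. Go 1.21
	// and later initialize packages by dependency order and then by import
	// path, not by position in this list, so on such toolchains "github" is
	// registered after "buildkite", "envvar" and "filesystem". If the
	// GitHub-first preference matters, confirm that providers.Register/Provide
	// order providers explicitly rather than trusting registration order.
	_ "github.com/sigstore/cosign/v2/pkg/providers/github"

	// Link in the rest of the providers.
	_ "github.com/sigstore/cosign/v2/pkg/providers/buildkite"
	_ "github.com/sigstore/cosign/v2/pkg/providers/envvar"
	_ "github.com/sigstore/cosign/v2/pkg/providers/filesystem"
	_ "github.com/sigstore/cosign/v2/pkg/providers/google"
	_ "github.com/sigstore/cosign/v2/pkg/providers/spiffe"
)

// Alias these methods, so that folks can import this to get all providers.
var (
	// Enabled reports whether any linked provider is usable; see providers.Enabled.
	Enabled = providers.Enabled
	// Provide obtains a token from the first usable provider; see providers.Provide.
	Provide = providers.Provide
	// ProvideFrom obtains a token from a named provider; see providers.ProvideFrom.
	ProvideFrom = providers.ProvideFrom
)
--------------------------------------------------------------------------------
/pkg/providers/buildkite/doc.go:
--------------------------------------------------------------------------------
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.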
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package buildkite 16 | -------------------------------------------------------------------------------- /pkg/providers/doc.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // Package providers defines the APIs for providers to detect their relevance 17 | // and register themselves to furnish OIDC tokens within a given environment. 18 | package providers 19 | -------------------------------------------------------------------------------- /pkg/providers/envvar/env.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2023 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package envvar

import (
	"context"

	"github.com/sigstore/cosign/v2/pkg/cosign/env"
	"github.com/sigstore/cosign/v2/pkg/providers"
)

// init registers this provider under the name "envvar".
func init() {
	providers.Register("envvar", &envvar{})
}

// envvar is a providers.Interface that hands out whatever identity token is
// present in the VariableSigstoreIDToken environment variable.
type envvar struct{}

var _ providers.Interface = (*envvar)(nil)

// Enabled implements providers.Interface. The provider is active whenever the
// variable is set at all (assuming env.LookupEnv mirrors os.LookupEnv, an
// empty value still counts as set).
func (p *envvar) Enabled(context.Context) bool {
	_, present := env.LookupEnv(env.VariableSigstoreIDToken)
	return present
}

// Provide implements providers.Interface.
//
// The token is returned exactly as found in the environment: no parsing,
// expiry or audience check happens here and the audience argument is ignored,
// so the caller is trusting the process environment to hold a token minted
// for the right audience.
func (p *envvar) Provide(context.Context, string) (string, error) {
	token := env.Getenv(env.VariableSigstoreIDToken)
	return token, nil
}
--------------------------------------------------------------------------------
/pkg/providers/envvar/env_test.go:
--------------------------------------------------------------------------------
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package envvar

import (
	"context"
	"fmt"
	"testing"

	"github.com/sigstore/cosign/v2/pkg/cosign/env"
)

// TestEnvVar checks that the envvar provider is enabled exactly when the
// identity-token variable is set, and that Provide returns its raw value.
func TestEnvVar(t *testing.T) {
	ctx := context.Background()
	token := "tacocat"

	for _, tc := range []struct {
		envmap map[string]string
		want   bool
	}{
		{
			envmap: map[string]string{
				env.VariableSigstoreIDToken.String(): token,
			},
			want: true,
		},
		{
			want: false,
		},
	} {
		t.Run(fmt.Sprint(tc.want), func(t *testing.T) {
			// t.Setenv restores each variable when the subtest finishes.
			for k, v := range tc.envmap {
				t.Setenv(k, v)
			}
			e := &envvar{}

			if enabled := e.Enabled(ctx); enabled != tc.want {
				t.Errorf("Enabled: want %t, got %t", tc.want, enabled)
			}

			// With the variable absent, Provide yields an empty token.
			wantToken := ""
			if tc.want {
				wantToken = token
			}
			if got, err := e.Provide(ctx, ""); err != nil {
				t.Fatalf("Provide: %v", err)
			} else if got != wantToken {
				t.Fatalf("Provide: want %s, got %s", wantToken, got)
			}
		})
	}
}
--------------------------------------------------------------------------------
/pkg/providers/filesystem/doc.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package filesystem defines an implementation of the providers.Interface
// that reads identity tokens from a well-known filesystem location.
// This is intended for use with Kubernetes Service Account Projected Volumes,
// but nothing is stopping other systems from placing identity tokens in
// the same place.
package filesystem
--------------------------------------------------------------------------------
/pkg/providers/filesystem/filesystem.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package filesystem

import (
	"context"
	"os"

	"github.com/sigstore/cosign/v2/pkg/providers"
)

// init registers this provider under the name "filesystem".
func init() {
	providers.Register("filesystem", &filesystem{})
}

// filesystem is a providers.Interface that returns the contents of a fixed,
// well-known file as the identity token.
type filesystem struct{}

var _ providers.Interface = (*filesystem)(nil)

const (
	// FilesystemTokenPath is the path to where we read an OIDC
	// token from the filesystem.
	// nolint
	FilesystemTokenPath = "/var/run/sigstore/cosign/oidc-token"
)

// Enabled implements providers.Interface.
//
// Presence is the only signal: a successful stat enables the provider even
// when the file is not readable, in which case Provide reports the error.
func (p *filesystem) Enabled(_ context.Context) bool {
	_, statErr := os.Stat(FilesystemTokenPath)
	return statErr == nil
}

// Provide implements providers.Interface.
//
// The file is returned verbatim as the token: the audience argument is
// ignored and nothing is parsed or validated here, so whoever controls the
// mount at FilesystemTokenPath controls the identity cosign will present.
// NOTE(review): the read is unbounded in size; confirm that is acceptable for
// the mounts this path is expected to live on.
func (p *filesystem) Provide(ctx context.Context, audience string) (string, error) { //nolint: revive
	contents, readErr := os.ReadFile(FilesystemTokenPath)
	if readErr != nil {
		return "", readErr
	}
	return string(contents), nil
}
--------------------------------------------------------------------------------
/pkg/providers/github/doc.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package github defines a github implementation of the providers.Interface.
package github
--------------------------------------------------------------------------------
/pkg/providers/google/doc.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // Package google defines a google implementation of the providers.Interface. 17 | package google 18 | -------------------------------------------------------------------------------- /pkg/providers/spiffe/doc.go: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright 2021 The Sigstore Authors. 3 | // 4 | // Licensed under the Apache License, Version 2.0 (the "License"); 5 | // you may not use this file except in compliance with the License. 6 | // You may obtain a copy of the License at 7 | // 8 | // http://www.apache.org/licenses/LICENSE-2.0 9 | // 10 | // Unless required by applicable law or agreed to in writing, software 11 | // distributed under the License is distributed on an "AS IS" BASIS, 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | // See the License for the specific language governing permissions and 14 | // limitations under the License. 15 | 16 | // Package spiffe defines a SPIFFE/SPIRE implementation of the providers.Interface. 17 | package spiffe 18 | -------------------------------------------------------------------------------- /pkg/providers/spiffe/spiffe_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 The Sigstore Authors. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 
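// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package spiffe

import (
	"os"
	"testing"
)

const nonDefault = "/run/sockets/spire"

// TestGetSocketPath checks that getSocketPath falls back to defaultSocketPath
// and honours SPIFFE_ENDPOINT_SOCKET when it is set.
func TestGetSocketPath(t *testing.T) {
	// t.Setenv records the original value and restores it when the test ends;
	// unsetting it afterwards makes the first assertion independent of any
	// SPIFFE_ENDPOINT_SOCKET already present in the test environment, and the
	// override below no longer leaks into other tests in the package.
	t.Setenv("SPIFFE_ENDPOINT_SOCKET", "")
	os.Unsetenv("SPIFFE_ENDPOINT_SOCKET")
	if got := getSocketPath(); got != defaultSocketPath {
		t.Errorf("Expected %s got %s", defaultSocketPath, got)
	}

	t.Setenv("SPIFFE_ENDPOINT_SOCKET", nonDefault)
	if got := getSocketPath(); got != nonDefault {
		t.Errorf("Expected %s got %s", nonDefault, got)
	}
}
--------------------------------------------------------------------------------
/pkg/signature/annotations.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.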
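
package signature

import (
	_ "crypto/sha256" // for `crypto.SHA256`
	"fmt"
	"sort"
	"strings"
)

// AnnotationsMap accumulates key=value annotations; its Set/String methods
// have the flag.Value method set so it can back a repeatable CLI flag.
type AnnotationsMap struct {
	Annotations map[string]interface{}
}

// Set parses one "key=value" occurrence into the map, allocating the map on
// first use. The string is split at the first '=' only, so values may contain
// '=' themselves; a repeated key overwrites the earlier value.
//
// It returns an error when the string contains no '=' at all.
func (a *AnnotationsMap) Set(s string) error {
	if a.Annotations == nil {
		a.Annotations = map[string]interface{}{}
	}
	kvp := strings.SplitN(s, "=", 2)
	if len(kvp) != 2 {
		return fmt.Errorf("invalid flag: %s, expected key=value", s)
	}

	a.Annotations[kvp[0]] = kvp[1]
	return nil
}

// String renders the annotations as a comma-separated "key=value" list.
// Keys are emitted in sorted order so the output is stable across runs
// instead of following Go's randomized map iteration order.
func (a *AnnotationsMap) String() string {
	keys := make([]string, 0, len(a.Annotations))
	for k := range a.Annotations {
		keys = append(keys, k)
	}
	sort.Strings(keys)

	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, fmt.Sprintf("%s=%s", k, a.Annotations[k]))
	}
	return strings.Join(parts, ",")
}
--------------------------------------------------------------------------------
/pkg/types/media.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.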

package types

// Names of the input formats cosign distinguishes between.
const (
	JSONInputFormat = "json"
	XMLInputFormat  = "xml"
	TextInputFormat = "text"
)

// Media types cosign uses for SBOM documents, signing payloads and wasm
// artifacts stored as OCI layers and configs.
const (
	// SBOM document formats.
	CycloneDXXMLMediaType  = "application/vnd.cyclonedx+xml"
	CycloneDXJSONMediaType = "application/vnd.cyclonedx+json"
	SyftMediaType          = "application/vnd.syft+json"
	// Simple Signing payload (cosign's signature payload format).
	SimpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"
	// SPDX document formats.
	SPDXMediaType     = "text/spdx"
	SPDXJSONMediaType = "text/spdx+json"
	// WebAssembly content layer and config.
	WasmLayerMediaType  = "application/vnd.wasm.content.layer.v1+wasm"
	WasmConfigMediaType = "application/vnd.wasm.config.v1+json"
)
--------------------------------------------------------------------------------
/pkg/types/payload.go:
--------------------------------------------------------------------------------
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package types

// Media types for attestation payloads: the DSSE envelope and the in-toto
// statement format.
const (
	DssePayloadType   = "application/vnd.dsse.envelope.v1+json"
	IntotoPayloadType = "application/vnd.in-toto+json"
)
-------------------------------------------------------------------------------- /release/release-cosign.pub: --------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----
-------------------------------------------------------------------------------- /release/release.mk: --------------------------------------------------------------------------------
##################
# release section
##################
# used when releasing together with GCP CloudBuild
.PHONY: release
release:
	LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --clean --timeout 120m

######################
# sign section
######################

.PHONY: sign-release-images
sign-release-images: ko
	GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
	./release/ko-sign-release-images.sh

# used when the goreleaser configuration needs validating without publishing
# or signing anything
.PHONY: snapshot
snapshot:
	LDFLAGS="$(LDFLAGS)" goreleaser release --skip=sign,publish --snapshot --clean --timeout 120m --parallelism 1

####################
# copy image to GHCR
####################

# copies the already-signed release image (and its -dev variant) from the ko
# registry prefix to GHCR, then re-tags each as latest / latest-dev
.PHONY: copy-signed-release-to-ghcr
copy-signed-release-to-ghcr:
	cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
	cosign copy $(GHCR_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:latest
	cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION)-dev $(GHCR_PREFIX)/cosign:$(GIT_VERSION)-dev
	cosign copy $(GHCR_PREFIX)/cosign:$(GIT_VERSION)-dev $(GHCR_PREFIX)/cosign:latest-dev
-------------------------------------------------------------------------------- /scripts/sign-images-ci.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright 2022 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

# Build provenance recorded as signature annotations below; abort early if the
# CI environment did not export them.
: "${GIT_HASH:?Environment variable empty or not defined.}"
: "${GITHUB_RUN_ID:?Environment variable empty or not defined.}"
: "${GITHUB_RUN_ATTEMPT:?Environment variable empty or not defined.}"

COSIGN_CLI=./cosign

# cosignImagerefs holds the image references to sign and must already exist in
# the working directory.
if [[ ! -f cosignImagerefs ]]; then
  echo "cosignImagerefs not found"
  exit 1
fi

echo "Signing cosign images using Keyless..."
# $(cat cosignImagerefs) is left unquoted so that each whitespace-separated
# reference in the file becomes its own argument to `sign`.
$COSIGN_CLI sign -y -a sha="$GIT_HASH" -a run_id="$GITHUB_RUN_ID" -a run_attempt="$GITHUB_RUN_ATTEMPT" $(cat cosignImagerefs)
-------------------------------------------------------------------------------- /specs/COSIGN_PREDICATE_SPEC.md: --------------------------------------------------------------------------------
# Cosign Generic Predicate Specification

`Cosign` supports working with [In-Toto Attestations](https://github.com/in-toto/attestation) using the predicate model.
Several well-known predicates are supported natively, but `cosign` also supports a simple, generic, format for data that
doesn't fit well into other types.
6 | 7 | The format for this is defined as follows: 8 | 9 | `data`: Raw data to place in the attestation. This is a base64-encoded string of bytes. 10 | `timestamp`: The timestamp the attestation was generated at in the RFC3339 format in the UTC timezone. 11 | 12 | Here is an example attestation containing a data file containing `foo`: 13 | 14 | ```json 15 | { 16 | "_type": "https://in-toto.io/Statement/v0.1", 17 | "predicateType": "https://cosign.sigstore.dev/attestation/v1", 18 | "subject": [ 19 | { 20 | "name": "us.gcr.io/dlorenc-vmtest2/demo", 21 | "digest": { 22 | "sha256": "124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155" 23 | } 24 | } 25 | ], 26 | "predicate": { 27 | "Data": "foo\n", 28 | "Timestamp": "2021-08-11T14:51:09Z" 29 | } 30 | } 31 | ``` -------------------------------------------------------------------------------- /test/ci.mk: -------------------------------------------------------------------------------- 1 | ############ 2 | # signing ci 3 | ############ 4 | 5 | .PHONY: sign-ci-containers 6 | sign-ci-containers: ko 7 | cosign sign --yes --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH) 8 | 9 | .PHONY: sign-ci-keyless-containers 10 | sign-ci-keyless-containers: ko 11 | ./scripts/sign-images-ci.sh 12 | -------------------------------------------------------------------------------- /test/config/gettoken/gettoken.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 The Sigstore Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # https://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | apiVersion: serving.knative.dev/v1 16 | kind: Service 17 | metadata: 18 | name: gettoken 19 | spec: 20 | template: 21 | spec: 22 | containers: 23 | - name: gettoken 24 | image: ko://github.com/sigstore/cosign/v2/test/cmd/getoidctoken 25 | env: 26 | - name: OIDC_FILE 27 | value: "/var/run/sigstore/cosign/oidc-token" 28 | volumeMounts: 29 | - name: oidc-info 30 | mountPath: /var/run/sigstore/cosign 31 | volumes: 32 | - name: oidc-info 33 | projected: 34 | sources: 35 | - serviceAccountToken: 36 | path: oidc-token 37 | expirationSeconds: 600 38 | audience: sigstore 39 | -------------------------------------------------------------------------------- /test/e2e_test.ps1: -------------------------------------------------------------------------------- 1 | # Copyright 2021 The Sigstore Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 

function New-TmpDir {
    # Create and return a uniquely named directory under the system temp path.
    $parent = [System.IO.Path]::GetTempPath()
    $name = [System.IO.Path]::GetRandomFileName()
    New-Item -ItemType Directory -Path (Join-Path $parent $name)
}

make cosign
$TmpDir = New-TmpDir
Copy-Item -Path .\cosign -Destination (Join-Path $TmpDir cosign.exe)

Push-Location $TmpDir

# See if things blow up immediately
.\cosign.exe version

# Generate a random password for the private key. Get-Random without
# arguments returns an integer, so the password is numeric, not alphanumeric.
$pass = Get-Random

Write-Output $pass | .\cosign.exe generate-key-pair
$signing_key = "cosign.key"
$verification_key = "cosign.pub"

$test_img = "ghcr.io/distroless/static"
# Sign without uploading to the transparency log; the verify step must then
# explicitly opt out of tlog verification to succeed.
Write-Output $pass | .\cosign.exe sign --key $signing_key --output-signature interactive.sig --output-payload interactive.payload --tlog-upload=false $test_img
.\cosign.exe verify --key $verification_key --signature interactive.sig --payload interactive.payload --insecure-ignore-tlog=true $test_img

Pop-Location

Write-Output "Success"
-------------------------------------------------------------------------------- /test/e2e_test_pkcs11.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

# Copyright 2024 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
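
set -o errexit
set -o nounset
set -o pipefail

# Test pkcs11 token signing
# using a fork of https://github.com/vegardit/docker-softhsm2-pkcs11-proxy that stopped building 5 months ago.
# The image reference is pinned by digest so the test always runs against the
# same build. $(pwd) is quoted so a working directory containing spaces still
# mounts correctly.
CONTAINER_ID=$(docker run -dit --name softhsm -v "$(pwd)":/root/cosign -p 2345:2345 ghcr.io/cpanato/softhsm2-pkcs11-proxy:latest@sha256:2614345f73f9432d85365f0ac450c4bf0abac51b205b54241a94f9cf9e671772)

# Remove the container on any exit. The trap is installed immediately after
# the container is created: with errexit enabled, a failing step inside the
# `docker exec` below would otherwise terminate the script before the trap
# existed and leave the softhsm container running.
cleanup_pkcs11() {
  docker rm -f "$CONTAINER_ID"
}

trap cleanup_pkcs11 EXIT

docker exec -i "$CONTAINER_ID" /bin/bash << 'EOF'

# to install the latest go that is not available in the alpine repository
echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
apk update

# add make pcsc-lite-libs go command
apk add make build-base

apk add go@edge

cd /root/cosign

softhsm2-util --init-token --free --label "My Token" --pin 1234 --so-pin 1234
go test -v -cover -coverprofile=./cover.out -tags=softhsm,pkcs11key -coverpkg github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key test/pkcs11_test.go

EOF
-------------------------------------------------------------------------------- /test/fakeoidc/go.mod: --------------------------------------------------------------------------------
module github.com/sigstore/cosign/test/fakeoidc

go 1.23.4

require github.com/go-jose/go-jose/v4 v4.0.5

require golang.org/x/crypto v0.35.0 // indirect
-------------------------------------------------------------------------------- /test/fakeoidc/go.sum: --------------------------------------------------------------------------------
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=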
github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= 5 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 6 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 7 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 8 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 9 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= 10 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 11 | golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= 12 | golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= 13 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 14 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 15 | -------------------------------------------------------------------------------- /test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict: -------------------------------------------------------------------------------- 1 | "{\"authorityMatches\":{\"keyatt\":{\"signatures\":null,\"attestations\":{\"vuln-key\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}},\"keysignature\":{\"signatures\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}],\"attestations\":null},\"keylessatt\":{\"signatures\":null,\"attestations\":{\"custom-keyless\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}}}}" 2 | # Below is from https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/json.dict 3 | "0" 4 | ",0" 5 | ":0" 6 | "0:" 7 | "-1.2e+3" 8 | 9 | "true" 10 | "false" 11 | "null" 12 | 13 | "\"\"" 14 | ",\"\"" 15 | ":\"\"" 16 | "\"\":" 17 | 18 | "{}" 19 | ",{}" 20 | ":{}" 21 | "{\"\":0}" 22 | "{{}}" 23 | 24 | "[]" 25 | ",[]" 26 | ":[]" 27 | "[0]" 28 | "[[]]" 29 | 30 | "''" 31 | "\\" 32 | "\\b" 33 | 
"\\f" 34 | "\\n" 35 | "\\r" 36 | "\\t" 37 | "\\u0000" 38 | "\\x00" 39 | "\\0" 40 | "\\uD800\\uDC00" 41 | "\\uDBFF\\uDFFF" 42 | 43 | "\"\":0" 44 | "//" 45 | "/**/" 46 | -------------------------------------------------------------------------------- /test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict: -------------------------------------------------------------------------------- 1 | "-----BEGIN RSA PRIVATE KEY-----" 2 | "-----END RSA PRIVATE KEY-----" 3 | "-----BEGIN PRIVATE KEY-----" 4 | "-----END PRIVATE KEY-----" 5 | "-----BEGIN PUBLIC KEY-----" 6 | "-----END PUBLIC KEY-----" 7 | "-----BEGIN PGP PRIVATE KEY BLOCK-----" 8 | "Version: BCPG C# v1.6.1.0" 9 | "-----END PGP PRIVATE KEY BLOCK-----" 10 | "-----BEGIN EC PRIVATE KEY-----" 11 | "-----END EC PRIVATE KEY-----" 12 | "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----" 13 | "-----END ENCRYPTED COSIGN PRIVATE KEY-----" 14 | 15 | -------------------------------------------------------------------------------- /test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1: -------------------------------------------------------------------------------- 1 | package sigstore 2 | isCompliant[response] { 3 | attestationsKeylessATT := input.authorityMatches.keylessatt.attestations 4 | result = (count(attestationsKeylessATT) == 1) 5 | attestationsKeyATT := input.authorityMatches.keyatt.attestations 6 | result = (count(attestationsKeyATT) == 1) 7 | keySignature := input.authorityMatches.keysignature.signatures 8 | result = (count(keySignature) == 1) 9 | 10 | errorMsg = "" 11 | warnMsg = "Throw warning error even if succeeded" 12 | 13 | response := { 14 | "result" : result, 15 | "error" : errorMsg, 16 | "warning" : warnMsg 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2: -------------------------------------------------------------------------------- 1 | package sigstore 2 | import "struct" 3 | import "list" 4 | 
authorityMatches: { 5 | keyatt: { 6 | attestations: struct.MaxFields(1) & struct.MinFields(1) 7 | }, 8 | keysignature: { 9 | signatures: list.MaxItems(1) & list.MinItems(1) 10 | }, 11 | if( len(authorityMatches.keylessatt.attestations) < 2) { 12 | keylessattMinAttestations: 2 13 | keylessattMinAttestations: "Error" 14 | }, 15 | keylesssignature: { 16 | signatures: list.MaxItems(1) & list.MinItems(1) 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /test/testdata/attestations/vuln-predicate.json: -------------------------------------------------------------------------------- 1 | { 2 | "invocation": { 3 | "parameters": null, 4 | "uri": "invocation.example.com/cosign-testing", 5 | "event_id": "", 6 | "builder.id": "" 7 | }, 8 | "scanner": { 9 | "uri": "fakescanner.example.com/cosign-testing", 10 | "version": "", 11 | "db": { 12 | "uri": "", 13 | "version": "" 14 | }, 15 | "result": null 16 | }, 17 | "metadata": { 18 | "scanStartedOn": "2022-04-12T00:00:00Z", 19 | "scanFinishedOn": "2022-04-12T00:10:00Z" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /test/testdata/bom-go-mod.cyclonedx.json: -------------------------------------------------------------------------------- 1 | { 2 | "bomFormat": "CycloneDX", 3 | "specVersion": "1.4", 4 | "serialNumber": "urn:uuid:9b0c2427-be94-439c-82e5-8928db124270", 5 | "version": 1, 6 | "metadata": {}, 7 | "components": [], 8 | "dependencies": [] 9 | } 10 | -------------------------------------------------------------------------------- /test/testdata/bom-go-mod.spdx.json: -------------------------------------------------------------------------------- 1 | 
{"spdxVersion":"SPDX-2.2","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"SBOM-SPDX-34f1a7f5-03ff-4277-9021-8c04f8777803","documentNamespace":"https://spdx.org/spdxdocs/k8s-releng-bom-16f4e288-6bdf-4b89-a79a-9ffd56ad33e0","creationInfo":{"licenseListVersion":"","creators":["Organization: Kubernetes Release Engineering","Tool: sigs.k8s.io/bom/pkg/spdx"],"created":"2022-06-07T22:14:56Z","comment":""},"packages":[]} 2 | -------------------------------------------------------------------------------- /test/testdata/policies/cue-fails.cue: -------------------------------------------------------------------------------- 1 | import "time" 2 | 3 | before: time.Parse(time.RFC3339, "2049-10-09T17:10:27Z") 4 | 5 | // Test with invalid predicate type. It should be this, so change it 6 | //predicateType: "https://cosign.sigstore.dev/attestation/v1" 7 | predicateType: "https://cosignnotreally.sigstore.dev/attestation/v1" 8 | 9 | // The predicate must match the following constraints. 10 | predicate: { 11 | Timestamp: after 22 | scanFinishedOn: after 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /test/testdata/policies/cue-vuln-works.cue: -------------------------------------------------------------------------------- 1 | import "time" 2 | 3 | before: time.Parse(time.RFC3339, "2022-04-15T17:10:27Z") 4 | after: time.Parse(time.RFC3339, "2022-03-09T17:10:27Z") 5 | 6 | // The predicateType field must match this string 7 | predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1" 8 | 9 | predicate: { 10 | invocation: { 11 | uri: "invocation.example.com/cosign-testing" 12 | } 13 | scanner: { 14 | uri: "fakescanner.example.com/cosign-testing" 15 | } 16 | metadata: { 17 | scanStartedOn: after 19 | scanFinishedOn: after 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /test/testdata/policies/cue-works.cue: 
-------------------------------------------------------------------------------- 1 | import "time" 2 | 3 | before: time.Parse(time.RFC3339, "2049-10-09T17:10:27Z") 4 | 5 | // The predicateType field must match this string 6 | predicateType: "https://cosign.sigstore.dev/attestation/v1" 7 | 8 | // The predicate must match the following constraints. 9 | predicate: { 10 | Timestamp: