Allow copy and describe of SBOM, attestations and signatures from cosign
Rename flags to `cosign-artifacts`
Change logic to allow the retrieval of SBOM and attestations as well as
signatures for these images

Signed-off-by: Joao Pereira <joaod@vmware.com>
joaopapereira committed Feb 17, 2023
1 parent 5281971 commit b60b9f3
Showing 27 changed files with 1,325 additions and 604 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/gh-test.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
export GOPATH=$(echo `pwd`)
export PATH="$GOPATH/bin:$PATH"
go install github.com/sigstore/cosign/cmd/cosign@v0.5.0
go install github.com/sigstore/cosign/cmd/cosign@v1.7.2
alias cosign=cosign.exe
'
3 changes: 2 additions & 1 deletion hack/test-e2e.sh
Expand Up @@ -10,10 +10,11 @@ then
GO=richgo
fi

go install github.com/sigstore/cosign/cmd/cosign@v0.5.0
go install github.com/sigstore/cosign/cmd/cosign@v1.7.2

mkdir -p tmp
pushd ./tmp
rm -f cosign.key cosign.pub
COSIGN_PASSWORD= cosign generate-key-pair
popd

276 changes: 276 additions & 0 deletions pkg/imgpkg/artifacts/artifactsfakes/fake_finder.go


39 changes: 27 additions & 12 deletions pkg/imgpkg/signature/cosign.go → pkg/imgpkg/artifacts/cosign.go
@@ -1,17 +1,16 @@
// Copyright 2020 VMware, Inc.
// SPDX-License-Identifier: Apache-2.0

package signature
package artifacts

import (
"fmt"
"net/http"

regname "github.com/google/go-containerregistry/pkg/name"
regv1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/remote/transport"
"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/artifacts/cosign"
"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/imageset"
"github.com/vmware-tanzu/carvel-imgpkg/pkg/imgpkg/signature/cosign"
)

// DigestReader Interface that knows how to read a Digest from a registry
Expand All @@ -31,11 +30,35 @@ func NewCosign(reg DigestReader) *Cosign {

// Signature retrieves the Image information that contains the signature for the provided Image
func (c Cosign) Signature(imageRef regname.Digest) (imageset.UnprocessedImageRef, error) {
sigTagRef, err := c.signatureTag(imageRef)
sigTagRef, err := cosign.SignatureTag(imageRef)
if err != nil {
return imageset.UnprocessedImageRef{}, err
}

return c.findArtifact(imageRef, err, sigTagRef)
}

// SBOM retrieves the Image information that contains the signature for the provided Image
func (c Cosign) SBOM(imageRef regname.Digest) (imageset.UnprocessedImageRef, error) {
sigTagRef, err := cosign.SBOMTag(imageRef)
if err != nil {
return imageset.UnprocessedImageRef{}, err
}

return c.findArtifact(imageRef, err, sigTagRef)
}

// Attestation retrieves the Image information that contains the signature for the provided Image
func (c Cosign) Attestation(imageRef regname.Digest) (imageset.UnprocessedImageRef, error) {
sigTagRef, err := cosign.AttestationTag(imageRef)
if err != nil {
return imageset.UnprocessedImageRef{}, err
}

return c.findArtifact(imageRef, err, sigTagRef)
}

func (c Cosign) findArtifact(imageRef regname.Digest, err error, sigTagRef regname.Tag) (imageset.UnprocessedImageRef, error) {
sigDigest, err := c.registry.Digest(sigTagRef)
if err != nil {
if transportErr, ok := err.(*transport.Error); ok {
Expand All @@ -54,11 +77,3 @@ func (c Cosign) Signature(imageRef regname.Digest) (imageset.UnprocessedImageRef
Tag: sigTagRef.TagStr(),
}, nil
}

func (c Cosign) signatureTag(reference regname.Digest) (regname.Tag, error) {
digest, err := regv1.NewHash(reference.DigestStr())
if err != nil {
return regname.Tag{}, fmt.Errorf("Converting to hash: %s", err)
}
return regname.NewTag(reference.Repository.Name() + ":" + cosign.Munge(regv1.Descriptor{Digest: digest}))
}
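Review bot: `findArtifact` takes an `err error` parameter that every caller (Signature, SBOM, Attestation) passes only after having checked it is nil, and its first statement `sigDigest, err := c.registry.Digest(sigTagRef)` overwrites it, so the parameter is dead and misleadingly suggests an earlier error is being forwarded. Drop it: `func (c Cosign) findArtifact(imageRef regname.Digest, sigTagRef regname.Tag) (imageset.UnprocessedImageRef, error) {` and call it as `return c.findArtifact(imageRef, sigTagRef)` from all three methods. The doc comments on SBOM and Attestation were copied from Signature and still say the image "contains the signature"; they should read `// SBOM retrieves the Image information that contains the SBOM for the provided Image` and `// Attestation retrieves the Image information that contains the attestation for the provided Image`. Since the helper now serves all three artifact kinds, its locals `sigTagRef`/`sigDigest` (and the `sigTagRef` locals in SBOM and Attestation) would be clearer as `artifactTagRef`/`artifactDigest`. The body of findArtifact continues outside the hunk, so how `imageRef` and the transport error are handled there could not be checked from this view.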
