feat(sign): option to generate sigstore bundle after signing (#943)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/cmd/attestation_push.go

@@ -26,7 +26,7 @@ import (
 )
 
 func newAttestationPushCmd() *cobra.Command {
-	var pkPath string
+	var pkPath, bundle string
 	var annotationsFlag []string
 	cmd := &cobra.Command{
 		Use:   "push",
@@ -57,7 +57,7 @@ func newAttestationPushCmd() *cobra.Command {
 				return fmt.Errorf("getting executable information: %w", err)
 			}
 			a, err := action.NewAttestationPush(&action.AttestationPushOpts{
-				ActionsOpts: actionOpts, KeyPath: pkPath, CLIVersion: info.Version, CLIDigest: info.Digest,
+				ActionsOpts: actionOpts, KeyPath: pkPath, BundlePath: bundle, CLIVersion: info.Version, CLIDigest: info.Digest,
 			})
 			if err != nil {
 				return fmt.Errorf("failed to load action: %w", err)
@@ -99,6 +99,7 @@ func newAttestationPushCmd() *cobra.Command {
 
 	cmd.Flags().StringVarP(&pkPath, "key", "k", "", "reference (path or env variable name) to the cosign or KMS key that will be used to sign the attestation")
 	cmd.Flags().StringSliceVar(&annotationsFlag, "annotation", nil, "additional annotation in the format of key=value")
+	cmd.Flags().StringVar(&bundle, "bundle", "", "output a Sigstore bundle to the provided path  ")
 	flagAttestationID(cmd)
 
 	return cmd

app/cli/internal/action/attestation_push.go

@@ -32,7 +32,7 @@ import (
 
 type AttestationPushOpts struct {
 	*ActionsOpts
-	KeyPath, CLIVersion, CLIDigest string
+	KeyPath, CLIVersion, CLIDigest, BundlePath string
 }
 
 type AttestationResult struct {
@@ -43,8 +43,8 @@ type AttestationResult struct {
 
 type AttestationPush struct {
 	*ActionsOpts
-	c                              *crafter.Crafter
-	keyPath, cliVersion, cliDigest string
+	c                                          *crafter.Crafter
+	keyPath, cliVersion, cliDigest, bundlePath string
 }
 
 func NewAttestationPush(cfg *AttestationPushOpts) (*AttestationPush, error) {
@@ -59,6 +59,7 @@ func NewAttestationPush(cfg *AttestationPushOpts) (*AttestationPush, error) {
 		keyPath:     cfg.KeyPath,
 		cliVersion:  cfg.CLIVersion,
 		cliDigest:   cfg.CLIDigest,
+		bundlePath:  cfg.BundlePath,
 	}, nil
 }
 
@@ -131,9 +132,9 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 	// Indicate that we are done with the attestation
 	action.c.CraftingState.Attestation.FinishedAt = timestamppb.New(time.Now())
 
-	wrappedSigner := signer.GetSigner(action.keyPath, action.Logger, pb.NewSigningServiceClient(action.CPConnection))
-	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.cliVersion, action.cliDigest, wrappedSigner,
-		renderer.WithLogger(action.Logger))
+	sig := signer.GetSigner(action.keyPath, action.Logger, pb.NewSigningServiceClient(action.CPConnection))
+	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.cliVersion, action.cliDigest, sig,
+		renderer.WithLogger(action.Logger), renderer.WithBundleOutputPath(action.bundlePath))
 	if err != nil {
 		return nil, err
 	}

go.mod

@@ -81,6 +81,7 @@ require (
 	github.com/posthog/posthog-go v0.0.0-20240327112532-87b23fe11103
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/sigstore/fulcio v1.4.5
+	github.com/sigstore/protobuf-specs v0.3.0
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3

go.sum

@@ -1278,6 +1278,8 @@ github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDF
 github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y=
 github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=
 github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
+github.com/sigstore/protobuf-specs v0.3.0 h1:E49qS++llp4psM+3NNVEb+C4AD422bT9VkOQIPrNLpA=
+github.com/sigstore/protobuf-specs v0.3.0/go.mod h1:ynKzXpqr3dUj2Xk9O/5ZUhjnpi0F53DNi5AdH6pS3jc=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
 github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=

internal/attestation/renderer/chainloop/testdata/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAZ+gAwIBAgIURcRj3/yARibWiNcsJcKfhvrSNZQwDQYJKoZIhvcNAQEL
+BQAwXjELMAkGA1UEBhMCRVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAoM
+CUNoYWlubG9vcDESMBAGA1UECwwJY2hhaW5sb29wMRIwEAYDVQQDDAljaGFpbmxv
+b3AwHhcNMjQwNjA3MDkzMzQ5WhcNMjQwNjA3MDk0MzQ5WjAvMS0wKwYDVQQKEyRm
+YjcwMzU5ZC04ZGYxLTQyMDEtODg0Ny1hYzBkNTFhMWI4NTIwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAATcwKEhDoE8m6u00qLYDv8M9SWwweRRLW1MYkDUFVDMyB/w
+SrUak9Vb7aSfiEBEx+QLP21WA18Pp5JQDoBpiQpFo2cwZTAOBgNVHQ8BAf8EBAMC
+B4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFOzOtF3VZK//Lr58A5so
+DAcA1VchMB8GA1UdIwQYMBaAFKDk5Tdk8eOOMf/+GDw+62HNH6XKMA0GCSqGSIb3
+DQEBCwUAA4ICAQAifPG76QnxJWPHs9zXyPTmjNmIpmlgFdbkV4bCg1cG7l44xqZy
+fYW1OFo/WgAYqjSKlb6HbTh6uEoWk93dbnlPNPTSMbBE9fSqazXPp+o/5DKQT7uj
+wgQfTsNW48d4qKpGcAFunM9QesoX5SgNbiIdnW2xQOhjUDTxBmyallS4XBO/oGBF
+aETPjP7Syn+F05OaCW0ektiOHqvSnJ7BKrSfSohOBbUfT9c2KZ6v063XLMtQOJFL
+0kigcjwc/SwESImvN0a0RvPgZoantsjC3UQbzKzycmzXJAQV5JO/DvM9B0Je3dkv
+Wlp08jGBazAvRbBndjqR58JoQ5pncSycr+75q7aK7DjXoFch8eJDi1rJLE12FTvn
+W34cGx6EFBejEIAkqvPIxpOi37PG1SlCqkj4WfbB9A0ktml1S4P7RQm8ONY4CvP6
+8zQhM0PCCpK9F3XRFZCXZPBpqEhOEtVoxgogb9X1tCxqRpJmyYFNWgdG5Se6yfk4
+4xJ/G7lcG9jLOyFK+hXvz7pzs8PdJmlyb1vOHavnkSsd7L/ZDRntVRTncZEtKe3p
+0PbIvrCpD85M0GCv21e6mNmEjxvlxEW9wjq+oK5CFZAngd0Pl8LmT/5S5Gr6Pxft
+zXuZEUMZumYNPw2L5XZ3rkAE04p1KhxxEo6AQWNTdAkgiktmQ8cEdLe13g==
+-----END CERTIFICATE-----

internal/attestation/renderer/renderer.go

@@ -17,24 +17,34 @@ package renderer
 
 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
+	"os"
 
 	v1 "github.com/chainloop-dev/chainloop/internal/attestation/crafter/api/attestation/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
+	chainloopsigner "github.com/chainloop-dev/chainloop/internal/attestation/signer/chainloop"
 	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/rs/zerolog"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
+	v12 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	sigstoredsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"
 	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
+	sigdsee "github.com/sigstore/sigstore/pkg/signature/dsse"
 	"google.golang.org/protobuf/encoding/protojson"
 )
 
 type AttestationRenderer struct {
-	logger   zerolog.Logger
-	att      *v1.Attestation
-	renderer r
-	signer   sigstoresigner.Signer
+	logger     zerolog.Logger
+	att        *v1.Attestation
+	renderer   r
+	signer     sigstoresigner.Signer
+	dsseSigner sigstoresigner.Signer
+	bundlePath string
 }
 
 type r interface {
@@ -49,16 +59,23 @@ func WithLogger(logger zerolog.Logger) Opt {
 	}
 }
 
+func WithBundleOutputPath(bundlePath string) Opt {
+	return func(ar *AttestationRenderer) {
+		ar.bundlePath = bundlePath
+	}
+}
+
 func NewAttestationRenderer(state *v1.CraftingState, builderVersion, builderDigest string, signer sigstoresigner.Signer, opts ...Opt) (*AttestationRenderer, error) {
 	if state.GetAttestation() == nil {
 		return nil, errors.New("attestation not initialized")
 	}
 
 	r := &AttestationRenderer{
-		logger:   zerolog.Nop(),
-		att:      state.GetAttestation(),
-		signer:   signer,
-		renderer: chainloop.NewChainloopRendererV02(state.GetAttestation(), builderVersion, builderDigest),
+		logger:     zerolog.Nop(),
+		att:        state.GetAttestation(),
+		dsseSigner: sigdsee.WrapSigner(signer, "application/vnd.in-toto+json"),
+		signer:     signer,
+		renderer:   chainloop.NewChainloopRendererV02(state.GetAttestation(), builderVersion, builderDigest),
 	}
 
 	for _, opt := range opts {
@@ -87,15 +104,77 @@ func (ab *AttestationRenderer) Render() (*dsse.Envelope, error) {
 		return nil, err
 	}
 
-	signedAtt, err := ab.signer.SignMessage(bytes.NewReader(rawStatement))
+	signedAtt, err := ab.dsseSigner.SignMessage(bytes.NewReader(rawStatement))
 	if err != nil {
 		return nil, fmt.Errorf("signing message: %w", err)
 	}
 
-	var dseeEnvelope dsse.Envelope
-	if err := json.Unmarshal(signedAtt, &dseeEnvelope); err != nil {
+	var dsseEnvelope dsse.Envelope
+	if err := json.Unmarshal(signedAtt, &dsseEnvelope); err != nil {
 		return nil, err
 	}
 
-	return &dseeEnvelope, nil
+	if ab.bundlePath != "" {
+		// Create sigstore bundle for the contents of this attestation
+		bundle, err := ab.envelopeToBundle(dsseEnvelope)
+		if err != nil {
+			return nil, fmt.Errorf("loading bundle: %w", err)
+		}
+		json, err := protojson.Marshal(bundle)
+		if err != nil {
+			return nil, fmt.Errorf("marshalling bundle: %w", err)
+		}
+		ab.logger.Info().Msg(fmt.Sprintf("generating Sigstore bundle %s", ab.bundlePath))
+		err = os.WriteFile(ab.bundlePath, json, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("writing bundle: %w", err)
+		}
+	}
+
+	return &dsseEnvelope, nil
+}
+
+func (ab *AttestationRenderer) envelopeToBundle(dsseEnvelope dsse.Envelope) (*protobundle.Bundle, error) {
+	// DSSE Envelope is already base64 encoded, we need to decode to prevent it from being encoded twice
+	payload, err := base64.StdEncoding.DecodeString(dsseEnvelope.Payload)
+	if err != nil {
+		return nil, fmt.Errorf("decoding: %w", err)
+	}
+	bundle := &protobundle.Bundle{
+		MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3",
+		Content: &protobundle.Bundle_DsseEnvelope{DsseEnvelope: &sigstoredsse.Envelope{
+			Payload:     payload,
+			PayloadType: dsseEnvelope.PayloadType,
+			Signatures: []*sigstoredsse.Signature{
+				{
+					Sig:   []byte(dsseEnvelope.Signatures[0].Sig),
+					Keyid: dsseEnvelope.Signatures[0].KeyID,
+				},
+			},
+		}},
+		VerificationMaterial: &protobundle.VerificationMaterial{},
+	}
+
+	// extract verification materials
+	// Note: we don't support PublicKey materials (from cosign.key and KMS signers), since Chainloop doesn't (yet) store
+	//       public keys.
+	if v, ok := ab.signer.(*chainloopsigner.Signer); ok {
+		chain := v.Chain
+		certs := make([]*v12.X509Certificate, 0)
+		// Store cert chain except root certificate, as it's required to be provided separately
+		for _, c := range chain[0 : len(chain)-1] {
+			block, _ := pem.Decode([]byte(c))
+			if block == nil {
+				return nil, fmt.Errorf("failed to decode PEM block")
+			}
+			certs = append(certs, &v12.X509Certificate{RawBytes: block.Bytes})
+		}
+		bundle.VerificationMaterial.Content = &protobundle.VerificationMaterial_X509CertificateChain{
+			X509CertificateChain: &v12.X509CertificateChain{
+				Certificates: certs,
+			},
+		}
+	}
+
+	return bundle, nil
 }