Verifying VSA signature

The validate vsa subcommand can verify
a signature from a DSSE from Rekor and
the filesystem.

https://issues.redhat.com/browse/EC-1521

Author: joejstuart

.cursor/rules/vsa_functionality.mdc

@@ -6,6 +6,9 @@ Validate VSA (Verification Summary Attestation)
 
 Validate VSA by comparing the embedded policy against a supplied policy configuration.
 
+By default, VSA signature verification is enabled and requires a public key.
+Use --ignore-signature-verification to disable signature verification.
+
 Supports validation of:
 - Single VSA by identifier (image digest, file path)
 - Multiple VSAs from application snapshot
@@ -24,11 +27,13 @@ ec validate vsa <vsa-identifier> [flags]
 --color:: Enable color when using text output even when the current terminal does not support it (Default: false)
 --effective-time:: Effective time for comparison (Default: now)
 -h, --help:: help for vsa (Default: false)
+--ignore-signature-verification:: Ignore VSA signature verification (signature verification is enabled by default) (Default: false)
 --images:: Application snapshot file
 --no-color:: Disable color when using text output even when the current terminal supports it (Default: false)
 --output:: Output formats (Default: [])
 -o, --output-file:: Output file
 -p, --policy:: Policy configuration
+--public-key:: Path to public key for signature verification (required by default)
 --strict:: Exit with non-zero code if validation fails (Default: true)
 -v, --vsa:: VSA identifier (image digest, file path)
 --vsa-expiration:: VSA expiration threshold (e.g., 24h, 7d, 1w, 1m) (Default: 168h)

cmd/validate/vsa.go

@@ -65,7 +65,7 @@ replace github.com/google/go-containerregistry => github.com/conforma/go-contain
 require (
 	github.com/go-openapi/runtime v0.28.0
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.32.3
 )
 
@@ -386,7 +386,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	knative.dev/pkg v0.0.0-20240815051656-89743d9bbf7c // indirect
 	olympos.io/encoding/edn v0.0.0-20201019073823-d3554ca0b0a3 // indirect

cmd/validate/vsa_test.go

@@ -0,0 +1,67 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package vsa
+
+import (
+	"encoding/json"
+	"fmt"
+
+	ecapi "github.com/conforma/crds/api/v1alpha1"
+	"gopkg.in/yaml.v3"
+)
+
+// ParsePolicySpec parses a policy configuration string to extract the EnterpriseContractPolicySpec
+func ParsePolicySpec(policyConfig string) (ecapi.EnterpriseContractPolicySpec, error) {
+	content := []byte(policyConfig)
+
+	// Convert YAML to JSON first to handle ruleData field mapping correctly
+	var yamlData map[string]interface{}
+	if err := yaml.Unmarshal(content, &yamlData); err != nil {
+		return ecapi.EnterpriseContractPolicySpec{}, fmt.Errorf("failed to parse YAML: %w", err)
+	}
+
+	// Convert interface{} types to proper types for JSON marshaling
+	jsonData := ConvertYAMLToJSON(yamlData)
+
+	// Convert to JSON bytes
+	jsonBytes, err := json.Marshal(jsonData)
+	if err != nil {
+		return ecapi.EnterpriseContractPolicySpec{}, fmt.Errorf("failed to convert YAML to JSON: %w", err)
+	}
+
+	// Now parse as JSON which should handle ruleData field mapping correctly
+	var ecp ecapi.EnterpriseContractPolicy
+	if err := json.Unmarshal(jsonBytes, &ecp); err == nil && ecp.APIVersion != "" {
+		// Check if this is actually a valid CRD (has required fields)
+		if ecp.APIVersion == "" || ecp.Kind == "" {
+			// This is not a valid CRD, try parsing as EnterpriseContractPolicySpec
+			var spec ecapi.EnterpriseContractPolicySpec
+			if err := json.Unmarshal(jsonBytes, &spec); err != nil {
+				return ecapi.EnterpriseContractPolicySpec{}, fmt.Errorf("unable to parse EnterpriseContractPolicySpec: %w", err)
+			}
+			return spec, nil
+		}
+		return ecp.Spec, nil
+	}
+
+	// If parsing as EnterpriseContractPolicy fails, try as EnterpriseContractPolicySpec
+	var spec ecapi.EnterpriseContractPolicySpec
+	if err := json.Unmarshal(jsonBytes, &spec); err != nil {
+		return ecapi.EnterpriseContractPolicySpec{}, fmt.Errorf("unable to parse EnterpriseContractPolicySpec: %w", err)
+	}
+	return spec, nil
+}

docs/modules/ROOT/pages/ec_validate_vsa.adoc

@@ -0,0 +1,110 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package vsa
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestParsePolicySpec tests the ParsePolicySpec function
+func TestParsePolicySpec(t *testing.T) {
+	tests := []struct {
+		name         string
+		policyConfig string
+		expectError  bool
+		checkResult  func(t *testing.T, result interface{})
+	}{
+		{
+			name: "valid YAML policy spec",
+			policyConfig: `
+sources:
+  - name: policy
+`,
+			expectError: false,
+			checkResult: func(t *testing.T, result interface{}) {
+				// Just verify it parsed successfully
+				assert.NotNil(t, result)
+			},
+		},
+		{
+			name: "valid JSON policy spec",
+			policyConfig: `{
+  "sources": [
+    {
+      "name": "policy"
+    }
+  ]
+}`,
+			expectError: false,
+			checkResult: func(t *testing.T, result interface{}) {
+				assert.NotNil(t, result)
+			},
+		},
+		{
+			name: "valid YAML with CRD wrapper",
+			policyConfig: `
+apiVersion: appstudio.redhat.com/v1alpha1
+kind: EnterpriseContractPolicy
+metadata:
+  name: test-policy
+spec:
+  sources:
+    - name: policy
+`,
+			expectError: false,
+			checkResult: func(t *testing.T, result interface{}) {
+				assert.NotNil(t, result)
+			},
+		},
+		{
+			name: "invalid YAML",
+			policyConfig: `
+invalid: yaml: content: [unclosed
+`,
+			expectError: true,
+		},
+		{
+			name: "invalid JSON",
+			policyConfig: `{
+  "sources": [
+    {
+      "name": "policy"
+    }
+  ]
+  // missing closing brace
+`,
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := ParsePolicySpec(tt.policyConfig)
+			if tt.expectError {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				if tt.checkResult != nil {
+					tt.checkResult(t, result)
+				}
+			}
+		})
+	}
+}

go.mod

@@ -366,17 +366,54 @@ func (r *RekorVSARetriever) buildDSSEEnvelopeFromIntotoV002(entry models.LogEntr
 		return nil, fmt.Errorf("envelope does not contain payloadType")
 	}
 
-	// Prefer payload from content.envelope.payload when present; fallback to Attestation.Data
+	// Prefer Attestation.Data (needs base64-encoding); fallback to content.envelope.payload
 	var payloadB64 string
 
-	// First, try to get payload from content.envelope.payload
-	if payload, ok := envelopeData["payload"].(string); ok && payload != "" {
-		payloadB64 = payload
-	} else if entry.Attestation != nil && entry.Attestation.Data != nil {
-		// Fallback to Attestation.Data (already base64-encoded)
-		payloadB64 = string(entry.Attestation.Data)
+	// First, try to get payload from Attestation.Data (needs to be base64-encoded)
+	if entry.Attestation != nil && entry.Attestation.Data != nil {
+		log.Debugf("Using payload from Attestation.Data (length: %d)", len(entry.Attestation.Data))
+		// Attestation.Data contains raw JSON, need to base64-encode it
+		payloadB64 = base64.StdEncoding.EncodeToString(entry.Attestation.Data)
+		log.Debugf("Base64-encoded payload length: %d", len(payloadB64))
+	} else if payload, ok := envelopeData["payload"].(string); ok && payload != "" {
+		// Fallback to content.envelope.payload
+		log.Debugf("Using payload from envelope.payload (length: %d)", len(payload))
+		// Check if the payload is already base64-encoded
+		if _, err := base64.StdEncoding.DecodeString(payload); err == nil {
+			// Already base64-encoded
+			payloadB64 = payload
+		} else {
+			// Not base64-encoded, encode it
+			payloadB64 = base64.StdEncoding.EncodeToString([]byte(payload))
+		}
 	} else {
-		return nil, fmt.Errorf("no payload found in envelope or attestation data")
+		return nil, fmt.Errorf("no payload found in attestation data or envelope")
+	}
+
+	// Debug: Try to decode the payload to see if it's valid base64
+	if _, err := base64.StdEncoding.DecodeString(payloadB64); err != nil {
+		log.Debugf("Payload is not valid base64: %v", err)
+		previewLen := 100
+		if len(payloadB64) < previewLen {
+			previewLen = len(payloadB64)
+		}
+		log.Debugf("Payload preview (first %d chars): %s", previewLen, payloadB64[:previewLen])
+
+		// Try URL encoding as well
+		if _, err := base64.URLEncoding.DecodeString(payloadB64); err != nil {
+			log.Debugf("Payload is also not valid URL base64: %v", err)
+		} else {
+			log.Debugf("Payload is valid URL base64")
+		}
+	} else {
+		log.Debugf("Payload is valid base64")
+		// Decode and preview the decoded content
+		decoded, _ := base64.StdEncoding.DecodeString(payloadB64)
+		previewLen := 100
+		if len(decoded) < previewLen {
+			previewLen = len(decoded)
+		}
+		log.Debugf("Decoded payload preview (first %d chars): %s", previewLen, string(decoded[:previewLen]))
 	}
 
 	// Extract and convert signatures
@@ -400,14 +437,48 @@ func (r *RekorVSARetriever) buildDSSEEnvelopeFromIntotoV002(entry models.LogEntr
 
 		// Extract sig field (required) - only support standard field
 		if sigHex, ok := sigMap["sig"].(string); ok {
-			sig.Sig = sigHex
+			// Handle both single and double encoding to be robust
+			// Try single decode first
+			firstDecode, err := base64.StdEncoding.DecodeString(sigHex)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode signature %d: %w", i, err)
+			}
+
+			// TODO: This is a hack to get the signature from the in-toto entry
+			// Check if the result is still base64-encoded (indicating double encoding)
+			// This is usually the case when the signature is stored in the in-toto entry
+			// For some reason it's double encoded and it doesn't work to not encode when storing.
+			// So, we need to decode it twice to get the actual ASN.1 DER signature
+			// Then re-encode it once for the DSSE library
+			decodedString := string(firstDecode)
+			if isBase64String(decodedString) {
+				// Double-encoded: decode again
+				paddingNeeded := (4 - len(decodedString)%4) % 4
+				paddedString := decodedString
+				for j := 0; j < paddingNeeded; j++ {
+					paddedString += "="
+				}
+
+				actualSignature, err := base64.StdEncoding.DecodeString(paddedString)
+				if err != nil {
+					return nil, fmt.Errorf("failed to double-decode signature %d: %w", i, err)
+				}
+				sig.Sig = base64.StdEncoding.EncodeToString(actualSignature)
+			} else {
+				// Single-encoded: use as-is
+				sig.Sig = base64.StdEncoding.EncodeToString(firstDecode)
+			}
 		} else {
 			return nil, fmt.Errorf("signature %d missing required 'sig' field", i)
 		}
 
 		// Extract keyid field (optional)
 		if keyid, ok := sigMap["keyid"].(string); ok {
 			sig.KeyID = keyid
+		} else {
+			// If no KeyID is provided, set a default one to help with verification
+			// This might help the DSSE library match the signature to the public key
+			sig.KeyID = "default"
 		}
 
 		signatures = append(signatures, sig)
@@ -676,3 +747,9 @@ func (rc *rekorClient) GetLogEntryByUUID(ctx context.Context, uuid string) (*mod
 
 	return nil, fmt.Errorf("log entry not found for UUID: %s", uuid)
 }
+
+// isBase64String checks if a string is valid base64
+func isBase64String(s string) bool {
+	_, err := base64.StdEncoding.DecodeString(s)
+	return err == nil
+}

internal/validate/vsa/policy.go

@@ -258,12 +258,14 @@ func TestRekorVSARetriever_RetrieveVSA(t *testing.T) {
 	vsaStatement := `{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"test-image","digest":{"sha256":"abc123def456"}}],"predicateType":"https://conforma.dev/verification_summary/v1","predicate":{"test":"data"}}`
 
 	// Create in-toto 0.0.2 entry body
+	// The signature needs to be double-base64 encoded for the implementation
+	doubleEncodedSig := base64.StdEncoding.EncodeToString([]byte(base64.StdEncoding.EncodeToString([]byte("test"))))
 	intotoV002Body := `{
 		"spec": {
 			"content": {
 				"envelope": {
 					"payloadType": "application/vnd.in-toto+json",
-					"signatures": [{"sig": "dGVzdA==", "keyid": "test-key-id"}]
+					"signatures": [{"sig": "` + doubleEncodedSig + `", "keyid": "test-key-id"}]
 				}
 			}
 		}
@@ -276,7 +278,7 @@ func TestRekorVSARetriever_RetrieveVSA(t *testing.T) {
 				LogID:    &[]string{"intoto-v002-uuid"}[0],
 				Body:     base64.StdEncoding.EncodeToString([]byte(intotoV002Body)),
 				Attestation: &models.LogEntryAnonAttestation{
-					Data: strfmt.Base64(base64.StdEncoding.EncodeToString([]byte(vsaStatement))),
+					Data: strfmt.Base64([]byte(vsaStatement)), // Raw JSON, not base64 encoded
 				},
 			},
 		},