Better vsa signing secrets with passwords support

In the PR for https://issues.redhat.com/browse/EC-1586 I began
creating the signing secret using the same kind of GitOps job that
Konflux uses for the Chains signing secret. As a side-effect of
that, we now have a signing key with a password, which I think
doesn't quite work as it should.

Rather than create the secret without a password, let's improve
things a little so we can use the password conveniently.

Note: This would be simpler if we stopped supporting the signing
secret in a file, with the COSIGN_PASSWORD, but I think maybe we
wanna keep that since it might be useful in non-Konflux
environments.

Ref: https://issues.redhat.com/browse/EC-1589

Author: simonbaird

internal/utils/private_key.go

@@ -19,6 +19,7 @@ package utils
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/spf13/afero"
@@ -41,3 +42,30 @@ func PrivateKeyFromKeyRef(ctx context.Context, keyRef string, fs afero.Fs) ([]by
 	}
 	return KeyFromKeyRef(ctx, adjustedKeyRef, fs)
 }
+
+// PasswordFromKeyRef resolves a password from either environment variable or a Kubernetes secret reference.
+// This provides a unified interface for password resolution similar to PrivateKeyFromKeyRef.
+// Supported formats:
+// - Environment variable: "" (empty string uses COSIGN_PASSWORD env var)
+// - Kubernetes secret: "k8s://namespace/secret-name" (assumes "cosign.password" key)
+// - Kubernetes secret: "k8s://namespace/secret-name/key-field" (explicit key field)
+func PasswordFromKeyRef(ctx context.Context, passwordRef string) ([]byte, error) {
+	// If passwordRef is empty, use environment variable (backward compatibility)
+	if passwordRef == "" {
+		return []byte(os.Getenv("COSIGN_PASSWORD")), nil
+	}
+
+	// If it's a Kubernetes secret reference
+	if strings.HasPrefix(passwordRef, "k8s://") {
+		// If the key-field is not specified assume it is "cosign.password"
+		adjustedPasswordRef := passwordRef
+		parts := strings.Split(strings.TrimPrefix(passwordRef, "k8s://"), "/")
+		if len(parts) == 2 {
+			adjustedPasswordRef = fmt.Sprintf("%s/cosign.password", passwordRef)
+		}
+		return KeyFromKeyRef(ctx, adjustedPasswordRef, nil) // fs not needed for k8s secrets
+	}
+
+	// For any other format, treat it as environment variable name
+	return []byte(os.Getenv(passwordRef)), nil
+}

internal/validate/vsa/attest.go

@@ -23,7 +23,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 
@@ -67,8 +66,24 @@ func NewSigner(ctx context.Context, keyRef string, fs afero.Fs) (*Signer, error)
 		return nil, fmt.Errorf("resolve private key %q: %w", keyRef, err)
 	}
 
-	// TODO maybe: Consider another env var for the key password
-	signerVerifier, err := LoadPrivateKey(keyBytes, []byte(os.Getenv("COSIGN_PASSWORD")))
+	// For Kubernetes secret keys, derive the password reference from the key reference
+	var passwordRef string
+	if strings.HasPrefix(keyRef, "k8s://") {
+		// Convert k8s://namespace/secret-name/cosign.key to k8s://namespace/secret-name/cosign.password
+		// or k8s://namespace/secret-name to k8s://namespace/secret-name/cosign.password
+		parts := strings.Split(strings.TrimPrefix(keyRef, "k8s://"), "/")
+		if len(parts) >= 2 {
+			passwordRef = fmt.Sprintf("k8s://%s/%s/cosign.password", parts[0], parts[1])
+		}
+	}
+	// If passwordRef is empty, PasswordFromKeyRef will fall back to COSIGN_PASSWORD env var
+
+	password, err := utils.PasswordFromKeyRef(ctx, passwordRef)
+	if err != nil {
+		return nil, fmt.Errorf("resolve private key password: %w", err)
+	}
+
+	signerVerifier, err := LoadPrivateKey(keyBytes, password)
 	if err != nil {
 		return nil, fmt.Errorf("load private key: %w", err)
 	}

internal/validate/vsa/attest_test.go

@@ -446,7 +446,8 @@ func TestNewSigner_Comprehensive(t *testing.T) {
 						Namespace: "test-namespace",
 					},
 					Data: map[string][]byte{
-						"private-key": []byte("test private key content"),
+						"private-key":     []byte("test private key content"),
+						"cosign.password": []byte("test password"),
 					},
 				})
 				ctx = context.WithValue(ctx, utils.K8sClientKey, client)