add SignVSA function and unit tests for VSA signing

Introduce the VSA signing, which signs a Verification Summary Attestation (VSA)
JSON file using a cosign-compatible private key. This writes a detached,
base64-encoded signature alongside the VSA and returns the absolute path to the
signature file. It handles key loading, passphrase support, payload reading,
signing, and signature persistence with robust error handling.

https://issues.redhat.com/browse/EC-1308

Author: joejstuart

cmd/validate/image.go

@@ -458,11 +458,38 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
+				generator := vsa.NewGenerator(report)
+				writer := vsa.NewWriter()
 				for _, comp := range components {
-					if err := processVSA(cmd.Context(), report, comp); err != nil {
-						log.Errorf("[VSA] Error processing VSA for image %s: %v", comp.ContainerImage, err)
+					writtenPath, err := vsa.GenerateAndWriteVSA(cmd.Context(), generator, writer, comp)
+					if err != nil {
+						log.Error(err)
 						continue
 					}
+
+					signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+
+					// Get the git URL safely, defaulting to empty string if GitSource is nil
+					var gitURL string
+					if comp.Source.GitSource != nil {
+						gitURL = comp.Source.GitSource.URL
+					}
+
+					attestor, err := vsa.NewAttestOptions(writtenPath, gitURL, comp.ContainerImage, signer)
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+					envelope, err := vsa.AttestVSA(cmd.Context(), attestor, comp)
+					if err != nil {
+						log.Error(err)
+						continue
+					}
+					log.Infof("[VSA] VSA attested and envelope written to %s", envelope)
 				}
 			}
 			if data.strict && !report.Success {
@@ -580,51 +607,3 @@ func containsOutput(data []string, value string) bool {
 	}
 	return false
 }
-
-// PredicateGenerator defines the interface for generating VSA predicates
-type PredicateGenerator interface {
-	GeneratePredicate(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) (*vsa.Predicate, error)
-}
-
-// VSAWriter defines the interface for writing VSA files
-type VSAWriter interface {
-	WriteVSA(predicate *vsa.Predicate) (string, error)
-}
-
-// generateAndWriteVSA generates a VSA predicate and writes it to a file
-func generateAndWriteVSA(
-	ctx context.Context,
-	report applicationsnapshot.Report,
-	comp applicationsnapshot.Component,
-	generator PredicateGenerator,
-	writer VSAWriter,
-) (string, error) {
-	log.Debugf("[VSA] Generating predicate for image: %s", comp.ContainerImage)
-	pred, err := generator.GeneratePredicate(ctx, report, comp)
-	if err != nil {
-		return "", fmt.Errorf("failed to generate predicate for image %s: %w", comp.ContainerImage, err)
-	}
-	log.Debugf("[VSA] Predicate generated for image: %s", comp.ContainerImage)
-
-	log.Debugf("[VSA] Writing VSA for image: %s", comp.ContainerImage)
-	writtenPath, err := writer.WriteVSA(pred)
-	if err != nil {
-		return "", fmt.Errorf("failed to write VSA for image %s: %w", comp.ContainerImage, err)
-	}
-	log.Debugf("[VSA] VSA written to %s", writtenPath)
-
-	return writtenPath, nil
-}
-
-// processVSA handles the complete VSA generation, signing and upload process for a component
-func processVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) error {
-	generator := vsa.NewGenerator()
-	writer := vsa.NewWriter()
-
-	vsaPath, err := generateAndWriteVSA(ctx, report, comp, generator, writer)
-	log.Infof("[VSA] VSA written to %s", vsaPath)
-	if err != nil {
-		return err
-	}
-	return nil
-}

internal/validate/vsa/attest.go

@@ -0,0 +1,128 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// attest.go
+package vsa
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	att "github.com/sigstore/cosign/v2/pkg/cosign/attestation"
+	"github.com/sigstore/cosign/v2/pkg/types"
+	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/dsse"
+	sigopts "github.com/sigstore/sigstore/pkg/signature/options"
+	"github.com/spf13/afero"
+)
+
+var loadPrivateKey = cosign.LoadPrivateKey
+
+type AttestOptions struct {
+	PredicatePath string // path to the raw VSA (predicate) JSON
+	PredicateType string // e.g. "https://enterprisecontract.dev/attestations/vsa/v1" // TODO: make this configurable
+	ImageDigest   string // sha256:abcd…  (as returned by `skopeo inspect --format {{.Digest}}`)
+	Repo          string // "quay.io/acme/widget" (hostname/namespace/repo)
+	Signer        *Signer
+}
+
+type Signer struct {
+	KeyPath    string
+	FS         afero.Fs
+	WrapSigner signature.Signer
+}
+
+func NewSigner(keyPath string, fs afero.Fs) (*Signer, error) {
+	keyBytes, err := afero.ReadFile(fs, keyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read key %q: %w", keyPath, err)
+	}
+
+	sv, err := loadPrivateKey(keyBytes, []byte(os.Getenv("COSIGN_PASSWORD")))
+	if err != nil {
+		return nil, fmt.Errorf("load private key: %w", err)
+	}
+
+	return &Signer{
+		KeyPath:    keyPath,
+		FS:         fs,
+		WrapSigner: dsse.WrapSigner(sv, types.IntotoPayloadType),
+	}, nil
+}
+
+// Add a constructor with sensible defaults
+func NewAttestOptions(predicatePath, repo, imageDigest string, signer *Signer) (*AttestOptions, error) {
+	return &AttestOptions{
+		PredicatePath: predicatePath,
+		PredicateType: "https://enterprisecontract.dev/attestations/vsa/v1",
+		ImageDigest:   imageDigest,
+		Repo:          repo,
+		Signer:        signer,
+	}, nil
+}
+
+// AttestPredicate builds an in‑toto Statement around the predicate and
+// returns the fully‑signed **DSSE envelope** (identical to cosign's
+// --no-upload output).  Nothing is pushed to a registry or the TLog.
+func (a AttestOptions) AttestPredicate(ctx context.Context) ([]byte, error) {
+	//-------------------------------------------------------------------- 2. read predicate
+	predFile, err := a.Signer.FS.Open(a.PredicatePath)
+	if err != nil {
+		return nil, fmt.Errorf("open predicate: %w", err)
+	}
+	defer predFile.Close()
+
+	//-------------------------------------------------------------------- 3. make the in‑toto statement
+	stmt, err := att.GenerateStatement(att.GenerateOpts{
+		Predicate: predFile,
+		Type:      a.PredicateType,
+		Digest:    strings.TrimPrefix(a.ImageDigest, "sha256:"),
+		Repo:      a.Repo,
+		Time:      time.Now, // keeps tests deterministic
+	})
+	if err != nil {
+		return nil, fmt.Errorf("wrap predicate: %w", err)
+	}
+	payload, _ := json.Marshal(stmt) // canonicalised by dsse later
+
+	//-------------------------------------------------------------------- 4. sign -> DSSE envelope
+	env, err := a.Signer.WrapSigner.SignMessage(bytes.NewReader(payload), sigopts.WithContext(ctx))
+	if err != nil {
+		return nil, fmt.Errorf("sign statement: %w", err)
+	}
+	return env, nil // byte‑slice containing the JSON DSSE envelope
+}
+
+// WriteEnvelope is an optional convenience that mirrors cosign's
+// --output‑signature flag; it emits <predicate>.intoto.jsonl next to the file.
+func (a AttestOptions) WriteEnvelope(data []byte) (string, error) {
+	out := a.PredicatePath + ".intoto.jsonl"
+	if err := afero.WriteFile(a.Signer.FS, out, data, 0o644); err != nil {
+		return "", err
+	}
+	abs, err := filepath.Abs(out)
+	if err != nil {
+		return "", err
+	}
+	return abs, nil
+}