Skip to content
This repository was archived by the owner on Jan 22, 2026. It is now read-only.

[WIP] Verify Kubernetes components with cosign #744

Draft
3u13r wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[WIP] Verify Kubernetes components with cosign #744

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion internal/versions/hash-generator/BUILD.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@ go_library(
srcs = ["generate.go"],
importpath = "github.com/edgelesssys/constellation/v2/internal/versions/hash-generator",
visibility = ["//visibility:private"],
deps = ["@org_golang_x_tools//go/ast/astutil"],
deps = [
"//internal/sigstore",
"@org_golang_x_tools//go/ast/astutil",
],
)

go_binary(
Expand Down
75 changes: 75 additions & 0 deletions internal/versions/hash-generator/generate.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,14 @@ import (
"log"
"net/http"
"os"
"regexp"
"strconv"

"golang.org/x/tools/go/ast/astutil"
)

var kuberntesMinorRegex = regexp.MustCompile(`^.*\.(?P<Minor>\d+)\..*(kubelet|kubeadm|kubectl)+$`)

func mustGetHash(url string) string {
// remove quotes around url
url = url[1 : len(url)-1]
Expand Down Expand Up @@ -78,9 +82,80 @@ func mustGetHash(url string) string {
panic("hash mismatch")
}

// Verify cosign signature if available
// Currently, we verify the signature of kubeadm, kubelet and kubectl with minor version >=1.26.
minorVersion := kuberntesMinorRegex.FindStringSubmatch(url)
if minorVersion == nil {
return fmt.Sprintf("\"sha256:%x\"", fileHash)
}
minorVersionIndex := kuberntesMinorRegex.SubexpIndex("Minor")
if minorVersionIndex != -1 {
minorVersionNumber, err := strconv.Atoi(minorVersion[minorVersionIndex])
if err != nil {
panic(err)
}
if minorVersionNumber >= 26 {
content, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}
if err := verifyCosignSignature(content, url); err != nil {
panic(err)
}
}
}

return fmt.Sprintf("\"sha256:%x\"", fileHash)
}

func verifyCosignSignature(content []byte, url string) error {
// Get the signature
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url+".sig", nil)
if err != nil {
panic(err)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()

// Check server response
if resp.StatusCode != http.StatusOK {
panic("bad status: " + resp.Status)
}

sig, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}

// Get the certificate
req, err = http.NewRequestWithContext(context.Background(), http.MethodGet, url+".cert", nil)
if err != nil {
panic(err)
}
resp, err = http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()

// Check server response
if resp.StatusCode != http.StatusOK {
panic("bad status: " + resp.Status)
}

base64Cert, err := io.ReadAll(resp.Body)
if err != nil {
panic(err)
}

// TODO: implement https://github.com/sigstore/cosign/blob/v2.2.0/cmd/cosign/cli/verify/verify_blob.go keyless verification

return verifier.VerifySignature(content, sig)
}

func main() {
fmt.Println("Generating hashes...")

Expand Down