Merge pull request #767 from puerco/limit-days

Signature Check: Check Expected Identity in Certificate

Author: k8s-ci-robot

cmd/kpromo/cmd/sigcheck/sigcheck.go

@@ -31,6 +31,21 @@ func Add(parent *cobra.Command) {
     
 This subcommand checks the signature consistency across promoted images
 to ensure copies in all mirrors have their signatures attached.
+
+By default, kpromo sigcheck will look at all images promoted during the last
+%d days. You can change the default using --from-days and determine a range
+using --to-days. For example, to verify all images promoted in an interval
+between 10 and 5 days ago run:
+
+   kpromo sigcheck --from-days=10 --to-days=5
+
+To debug the signature checker, you can limit the number of images kpromo
+verifies using --limit. When no limit is specified, kpromo will check the
+signatures of all images in the specified date range. As an example, to limit
+kpromo to the first three images it finds run:
+
+   kpromo sigcheck --limit=3
+
     `,
 		SilenceUsage:  true,
 		SilenceErrors: true,
@@ -55,10 +70,38 @@ to ensure copies in all mirrors have their signatures attached.
 	)
 
 	cmd.PersistentFlags().IntVar(
-		&opts.SignCheckDays,
-		"days",
-		5,
-		"check images uploaded this many days ago",
+		&opts.SignCheckFromDays,
+		"from-days",
+		promoteropts.DefaultOptions.SignCheckFromDays,
+		"check images uploaded starting this many days ago",
+	)
+
+	cmd.PersistentFlags().IntVar(
+		&opts.SignCheckToDays,
+		"to-days",
+		0,
+		"check images --from-days ago to this many days ago (defaults to today)",
+	)
+
+	cmd.PersistentFlags().IntVar(
+		&opts.SignCheckMaxImages,
+		"limit",
+		0,
+		"limit signature checks to a number of images (defaults to checking all)",
+	)
+
+	cmd.PersistentFlags().StringVar(
+		&opts.SignCheckIdentity,
+		"certificate-identity",
+		promoteropts.DefaultOptions.SignCheckIdentity,
+		"identity to look for when verifying signatures",
+	)
+
+	cmd.PersistentFlags().StringVar(
+		&opts.SignCheckIssuer,
+		"certificate-oidc-issuer",
+		promoteropts.DefaultOptions.SignCheckIssuer,
+		"issuer of the OIDC token used to generate the signature certificate",
 	)
 
 	parent.AddCommand(cmd)

internal/promoter/image/signcheck.go

@@ -17,6 +17,8 @@ limitations under the License.
 package imagepromoter
 
 import (
+	"bytes"
+	"encoding/json"
 	"fmt"
 	"net/url"
 	"strings"
@@ -33,6 +35,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/google"
 	"github.com/sirupsen/logrus"
+
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+
 	checkresults "sigs.k8s.io/promo-tools/v3/promoter/image/checkresults"
 	options "sigs.k8s.io/promo-tools/v3/promoter/image/options"
 	"sigs.k8s.io/promo-tools/v3/types/image"
@@ -64,7 +69,7 @@ func (di *DefaultPromoterImplementation) GetLatestImages(opts *options.Options)
 	if err != nil {
 		return nil, fmt.Errorf("fetching latest images: %w", err)
 	}
-	logrus.Infof("+%v", images)
+	logrus.Infof("Images to check: +%v", images)
 	return images, nil
 }
 
@@ -148,7 +153,7 @@ func (di *DefaultPromoterImplementation) GetSignatureStatus(
 		}
 
 		logrus.Infof("Checking %s for signatures in %d mirrors", refString, len(targetImages))
-		existing, missing, err := checkObjects(targetImages)
+		existing, missing, err := di.CheckSignatureLayers(opts, targetImages)
 		if err != nil {
 			return results, fmt.Errorf("checking objects: %w", err)
 		}
@@ -160,37 +165,90 @@ func (di *DefaultPromoterImplementation) GetSignatureStatus(
 	return results, nil
 }
 
-func checkObjects(oList []string) (existing, missing []string, err error) {
+// miniManifest is a minimal representation of the sigstore signature manifest
+type miniManifest struct {
+	Layers []struct {
+		MediaType   string
+		Annotations map[string]string `json:"annotations"`
+	} `json:"layers"`
+}
+
+// CheckSignatureLayers checks a list of signature layers to ensure
+func (di *DefaultPromoterImplementation) CheckSignatureLayers(opts *options.Options, oList []string) (existing, missing []string, err error) {
 	// TODO: Parallelize this check
 	existing = []string{}
 	missing = []string{}
 	for _, s := range oList {
-		e, err := objectExists(s)
+		e, err := objectExists(opts, s)
 		if err != nil {
 			return existing, missing, fmt.Errorf("checking reference: %w", err)
 		}
 
-		if e {
-			existing = append(existing, s)
-		} else {
+		if !e {
 			missing = append(missing, s)
+			continue
 		}
+
+		existing = append(existing, s)
 	}
 	return existing, missing, nil
 }
 
-func objectExists(refString string) (bool, error) {
+func objectExists(opts *options.Options, refString string) (bool, error) {
 	// Check
-	_, err := crane.Digest(refString)
-	if err == nil {
-		return true, nil
+	manifestData, err := crane.Manifest(refString)
+	if err != nil {
+		if strings.Contains(err.Error(), "MANIFEST_UNKNOWN") {
+			logrus.WithField("image", refString).Info("No signature found")
+			return false, nil
+		}
+		return false, fmt.Errorf("pulling signature manifest: %w", err)
 	}
 
-	if strings.Contains(err.Error(), "MANIFEST_UNKNOWN") {
+	manifest := &miniManifest{}
+	if err := json.Unmarshal(manifestData, manifest); err != nil {
+		return false, fmt.Errorf("parsing .sig image manifest: %w", err)
+	}
+
+	// Get the certificate
+	if manifest.Layers == nil || len(manifest.Layers) == 0 {
 		return false, nil
 	}
+	signedLayers := 0
+	for _, layer := range manifest.Layers {
+		if layer.MediaType != "application/vnd.dev.cosign.simplesigning.v1+json" {
+			continue
+		}
+
+		certData, ok := layer.Annotations["dev.sigstore.cosign/certificate"]
+		if !ok {
+			continue
+		}
 
-	return false, fmt.Errorf("checking if reference exists in the registry: %w", err)
+		var b bytes.Buffer
+		b.Write([]byte(certData))
+
+		certs, err := cryptoutils.LoadCertificatesFromPEM(&b)
+		if err != nil {
+			return false, err
+		}
+
+		names := cryptoutils.GetSubjectAlternateNames(certs[0])
+		for _, n := range names {
+			if n == opts.SignCheckIdentity {
+				return true, nil
+			}
+		}
+		signedLayers++
+	}
+
+	if signedLayers == 0 {
+		logrus.WithField("image", refString).Debugf("No certificates found")
+	} else {
+		logrus.WithField("image", refString).Debugf("Image signed, but not with expected identity")
+	}
+
+	return false, nil
 }
 
 // FixMissingSignatures signs an image that has no signatures at all
@@ -200,13 +258,15 @@ func (di *DefaultPromoterImplementation) FixMissingSignatures(opts *options.Opti
 			continue
 		}
 
-		logrus.Infof("Signing and replicating %s", mainImg)
+		logrus.Infof("Signing and replicating first mirror (%s)", mainImg)
+
 		// Build the digest of the first missing one
-		digestRef := strings.ReplaceAll(res.Missing[0], ":sha256-", "@sha256:")
+		digestRef := strings.TrimSuffix(strings.ReplaceAll(res.Missing[0], ":sha256-", "@sha256:"), ".sig")
 		if err := di.signReference(opts, digestRef); err != nil {
-			return fmt.Errorf("signing %s: %w", digestRef, err)
+			return fmt.Errorf("signing first mirror reference %s: %w", digestRef, err)
 		}
 
+		logrus.Infof("Replicating image to %d mirrors", len(res.Missing[1:]))
 		for _, targetRef := range res.Missing[1:] {
 			if err := di.replicateReference(opts, res.Missing[0], targetRef); err != nil {
 				return fmt.Errorf("replicating signature: %w", err)
@@ -304,7 +364,15 @@ func (di *DefaultPromoterImplementation) readLatestImages(opts *options.Options)
 		google.Keychain,
 	))
 
-	dateCutOff := time.Now().AddDate(0, 0, opts.SignCheckDays*-1)
+	dateCutOff := time.Now().AddDate(0, 0, opts.SignCheckFromDays*-1)
+	dateCutOffTo := time.Now()
+	if opts.SignCheckToDays > 0 {
+		dateCutOffTo = time.Now().AddDate(0, 0, opts.SignCheckToDays*-1)
+	}
+	logrus.Infof("Checking images from %s to %s",
+		dateCutOff.Local().Format(time.RFC822),
+		dateCutOffTo.Local().Format(time.RFC822),
+	)
 	images := []string{}
 
 	repo, err := name.NewRepository(scanRegistry+"/"+repositoryPath, name.WeakValidation)
@@ -342,6 +410,10 @@ func (di *DefaultPromoterImplementation) readLatestImages(opts *options.Options)
 				continue
 			}
 
+			if opts.SignCheckToDays > 0 && manifest.Uploaded.After(dateCutOffTo) {
+				continue
+			}
+
 			mt.Lock()
 			images = append(images, strings.ReplaceAll(
 				fmt.Sprintf("%s:%s", repo, manifest.Tags[0]),
@@ -356,5 +428,9 @@ func (di *DefaultPromoterImplementation) readLatestImages(opts *options.Options)
 		return nil, fmt.Errorf("walking repo: %w", err)
 	}
 
+	if opts.SignCheckMaxImages != 0 && len(images) > opts.SignCheckMaxImages {
+		images = images[0:opts.SignCheckMaxImages]
+	}
+
 	return images, nil
 }

promoter/image/options/options.go

@@ -109,8 +109,20 @@ type Options struct {
 	// SignCheckFix when true, fix missing signatures
 	SignCheckFix bool
 
-	// SignCheckDays number of days back to check for signatrures
-	SignCheckDays int
+	// SignCheckFromDays number of days back to check for signatrures
+	SignCheckFromDays int
+
+	// SignCheckToDays complements SignCheckFromDays to enable date ranges
+	SignCheckToDays int
+
+	// SignCheckMaxImages limits the number of images to look when verifying
+	SignCheckMaxImages int
+
+	// SignCheckIdentity is the account we expect to sign all imges
+	SignCheckIdentity string
+
+	// SignCheckIssuer is the iisuer of the OIDC tokens used to identify the signer
+	SignCheckIssuer string
 }
 
 var DefaultOptions = &Options{
@@ -122,7 +134,9 @@ var DefaultOptions = &Options{
 	SignerAccount:       "[email protected]",
 	SignCheckFix:        false,
 	SignCheckReferences: []string{},
-	SignCheckDays:       5,
+	SignCheckFromDays:   5,
+	SignCheckIdentity:   "[email protected]",
+	SignCheckIssuer:     "https://accounts.google.com",
 }
 
 func (o *Options) Validate() error {