
Commit f6873e4

NVSHAS-8377: implement RootlessKeypairsOnly
1 parent 4fef5d4 commit f6873e4

1 file changed

+25
-10
lines changed


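--- a/main.go
+++ b/main.go
@@ -30,11 +30,12 @@ type Configuration struct {
 }
 
 type RootOfTrust struct {
-Name string `json:"Name"`
-RekorPublicKey string `json:"RekorPublicKey"`
-RootCert string `json:"RootCert"`
-SCTPublicKey string `json:"SCTPublicKey"`
-Verifiers []Verifier `json:"Verifiers"`
+Name string `json:"Name"`
+RootlessKeypairsOnly bool `json:"RootlessKeypairsOnly"`
+RekorPublicKey string `json:"RekorPublicKey"`
+RootCert string `json:"RootCert"`
+SCTPublicKey string `json:"SCTPublicKey"`
+Verifiers []Verifier `json:"Verifiers"`
 }
 
 func (r *RootOfTrust) IsPublic() bool {
@@ -191,9 +192,13 @@ func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature, pr
 }
 
 func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust RootOfTrust, proxy Proxy, ctx context.Context) (err error) {
+if rootOfTrust.RootlessKeypairsOnly {
+return nil
+}
+
 // rekor public keys
 rekorKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()
-if rootOfTrust.RekorPublicKey == "" {
+if rootOfTrust.IsPublic() {
 rekorKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.Rekor, proxy)
 if err != nil {
 return fmt.Errorf("could not retrieve rekor tuf targets: %s", err.Error())
@@ -203,7 +208,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 return fmt.Errorf("could not add public root of trust rekor public key to collection: %w", err)
 }
 }
-} else {
+} else if rootOfTrust.RekorPublicKey != "" {
 if err := rekorKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.RekorPublicKey), sigtuf.Active); err != nil {
 return fmt.Errorf("could not add custom root of trust rekor public key to collection: %w", err)
 }
@@ -233,7 +238,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 }
 cosignOptions.RootCerts = rootPool
 cosignOptions.IntermediateCerts = intermediatePool
-} else {
+} else if rootOfTrust.IsPublic() {
 targetCertificates, err := GetSigstorePublicTufTargets(sigtuf.Fulcio, proxy)
 // certificates, err := GetPublicRootOfTrustFulcioCertificates(proxy)
 if err != nil {
@@ -263,7 +268,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 
 // sct public keys
 sctKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()
-if rootOfTrust.SCTPublicKey == "" {
+if rootOfTrust.IsPublic() {
 sctKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.CTFE, proxy)
 if err != nil {
 return fmt.Errorf("could not retrieve ctfe tuf targets: %s", err.Error())
@@ -273,7 +278,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 return fmt.Errorf("could not add public root of trust sct public key to collection: %w", err)
 }
 }
-} else {
+} else if rootOfTrust.SCTPublicKey != "" {
 if err := sctKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.SCTPublicKey), sigtuf.Active); err != nil {
 return fmt.Errorf("could not add custom root of trust sct public key to collection: %w", err)
 }
@@ -291,6 +296,12 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier
 return fmt.Errorf("could not load PEM encoded public key of verifier %s under %s: %s", verifier.Name, rootOfTrust.Name, err.Error())
 }
 case "keyless":
+if rootOfTrust.RootlessKeypairsOnly {
+return fmt.Errorf("cannot use keyless verifier for root of trust with field RootlessKeypairsOnly set to true")
+}
+if rootOfTrust.RootCert == "" && !rootOfTrust.IsPublic() {
+return fmt.Errorf("cannot use keyless verifier %s with private root of trust without root cert", verifier.Name)
+}
 cosignOptions.Identities = []cosign.Identity{
 {
 Issuer: verifier.KeylessOptions.CertIssuer,
@@ -309,5 +320,9 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier
 cosignOptions.IgnoreSCT = true
 }
 }
+if rootOfTrust.RootlessKeypairsOnly {
+cosignOptions.IgnoreSCT = true
+cosignOptions.IgnoreTlog = true
+}
 return nil
 }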
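Review bot: The early return added at the top of setRootOfTrustCosignOptions silently discards any RekorPublicKey, RootCert or SCTPublicKey the same root of trust also configures, and the new block at the end of setVerifierCosignOptions then sets IgnoreSCT and IgnoreTlog, so an operator who sets RootlessKeypairsOnly next to custom trust material ends up with no transparency-log or SCT verification and no signal that the other fields were ignored. Rejecting the conflicting configuration inside that block before `return nil` makes the trade-off explicit: `if rootOfTrust.RekorPublicKey != "" || rootOfTrust.RootCert != "" || rootOfTrust.SCTPublicKey != "" { return fmt.Errorf("root of trust %s: RootlessKeypairsOnly cannot be combined with RekorPublicKey, RootCert or SCTPublicKey", rootOfTrust.Name) }`. The new struct field would also benefit from a doc comment that states what it switches off, e.g. `// RootlessKeypairsOnly restricts this root of trust to key-based verifiers and skips transparency log and SCT verification.` The rejection message at the new `case "keyless":` check omits verifier.Name and rootOfTrust.Name, unlike the sibling message directly below it, so including both would keep the error style consistent. setRootOfTrustCosignOptions and setVerifierCosignOptions both continue outside the hunks, and the body of IsPublic() is not visible here, so whether an empty key collection is later rejected cannot be confirmed from this diff.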
