diff --git a/go.mod b/go.mod
index fa8ed212..d37e820d 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/google/go-containerregistry v0.20.3
 github.com/sigstore/cosign/v2 v2.5.0
 github.com/sigstore/rekor v1.3.9
- github.com/sigstore/sigstore v1.9.1
+ github.com/sigstore/sigstore v1.9.3
 github.com/sirupsen/logrus v1.9.3
 github.com/theupdateframework/go-tuf v0.7.0
 )
diff --git a/go.sum b/go.sum
index ee2198f7..e413fa7b 100644
--- a/go.sum
+++ b/go.sum
@@ -159,8 +159,8 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
-github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
-github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
+github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
@@ -482,8 +482,8 @@ github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= github.com/sigstore/rekor v1.3.9 h1:sUjRpKVh/hhgqGMs0t+TubgYsksArZ6poLEC3MsGAzU= github.com/sigstore/rekor v1.3.9/go.mod h1:xThNUhm6eNEmkJ/SiU/FVU7pLY2f380fSDZFsdDWlcM= -github.com/sigstore/sigstore v1.9.1 h1:bNMsfFATsMPaagcf+uppLk4C9rQZ2dh5ysmCxQBYWaw= -github.com/sigstore/sigstore v1.9.1/go.mod h1:zUoATYzR1J3rLNp3jmp4fzIJtWdhC3ZM6MnpcBtnsE4= +github.com/sigstore/sigstore v1.9.3 h1:y2qlTj+vh+Or3ictKuR3JUFawZPdDxAjrWkeFhon0OQ= +github.com/sigstore/sigstore v1.9.3/go.mod h1:VwYkiw0G0dRtwL25KSs04hCyVFF6CYMd/qvNeYrl7EQ= github.com/sigstore/sigstore-go v0.7.1 h1:lyzi3AjO6+BHc5zCf9fniycqPYOt3RaC08M/FRmQhVY= github.com/sigstore/sigstore-go v0.7.1/go.mod h1:AIRj4I3LC82qd07VFm3T2zXYiddxeBV1k/eoS8nTz0E= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.1 h1:/YcNq687WnXpIRXl04nLfJX741G4iW+w+7Nem2Zy0f4= diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go index 349926c7..02c032b0 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/algorithm_registry.go @@ -53,6 +53,10 @@ type AlgorithmDetails struct { // hashType is the hash algorithm being used. hashType crypto.Hash + // protoHashType is the hash algorithm being used as a proto message, it must be the protobuf-specs + // v1.HashAlgorithm equivalent of the hashType. + protoHashType v1.HashAlgorithm + // extraKeyParams contains any extra parameters required to check a given public key against this entry. // // The underlying type of these parameters is dependent on the keyType. 
@@ -75,11 +79,16 @@ func (a AlgorithmDetails) GetKeyType() PublicKeyType {
 return a.keyType
 }
 
-// GetHashType returns the hash algorithm that should be used with this algorithm
+// GetHashType returns the hash algorithm that should be used with this algorithm.
 func (a AlgorithmDetails) GetHashType() crypto.Hash {
 return a.hashType
 }
 
+// GetProtoHashType is a convenience method to get the protobuf-specs type of the hash algorithm.
+func (a AlgorithmDetails) GetProtoHashType() v1.HashAlgorithm {
+ return a.protoHashType
+}
+
 // GetRSAKeySize returns the RSA key size for the algorithm details, if the key type is RSA.
 func (a AlgorithmDetails) GetRSAKeySize() (RSAKeySize, error) {
 if a.keyType != RSA {
@@ -143,17 +152,19 @@ func (a AlgorithmDetails) checkHash(hashType crypto.Hash) bool { // list, including PKCS1v1.5 encoded RSA. Refer to the v1.PublicKeyDetails enum // for more details. var supportedAlgorithms = []AlgorithmDetails{ - {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256, RSA, crypto.SHA256, RSAKeySize(2048), "rsa-sign-pkcs1-2048-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, RSA, crypto.SHA256, RSAKeySize(3072), "rsa-sign-pkcs1-3072-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, RSA, crypto.SHA256, RSAKeySize(4096), "rsa-sign-pkcs1-4096-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, RSA, crypto.SHA256, RSAKeySize(2048), "rsa-sign-pss-2048-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, RSAKeySize(3072), "rsa-sign-pss-3072-sha256"}, - {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, RSAKeySize(4096), "rsa-sign-pss-4092-sha256"}, - {v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, ECDSA, crypto.SHA256, elliptic.P256(), "ecdsa-sha2-256-nistp256"}, - {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, ECDSA, crypto.SHA384, elliptic.P384(), "ecdsa-sha2-384-nistp384"}, - {v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512, ECDSA, crypto.SHA512, elliptic.P521(), "ecdsa-sha2-512-nistp521"}, - {v1.PublicKeyDetails_PKIX_ED25519, ED25519, crypto.Hash(0), nil, "ed25519"}, - {v1.PublicKeyDetails_PKIX_ED25519_PH, ED25519, crypto.SHA512, nil, "ed25519-ph"}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(2048), "rsa-sign-pkcs1-2048-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(3072), "rsa-sign-pkcs1-3072-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pkcs1-4096-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, RSA, crypto.SHA256, 
v1.HashAlgorithm_SHA2_256, RSAKeySize(2048), "rsa-sign-pss-2048-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(3072), "rsa-sign-pss-3072-sha256"}, + {v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, RSAKeySize(4096), "rsa-sign-pss-4092-sha256"}, + {v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P256(), "ecdsa-sha2-256-nistp256"}, + {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, ECDSA, crypto.SHA384, v1.HashAlgorithm_SHA2_384, elliptic.P384(), "ecdsa-sha2-384-nistp384"}, + {v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P384(), "ecdsa-sha2-256-nistp384"}, //nolint:staticcheck + {v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512, ECDSA, crypto.SHA512, v1.HashAlgorithm_SHA2_512, elliptic.P521(), "ecdsa-sha2-512-nistp521"}, + {v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_256, ECDSA, crypto.SHA256, v1.HashAlgorithm_SHA2_256, elliptic.P521(), "ecdsa-sha2-256-nistp521"}, //nolint:staticcheck + {v1.PublicKeyDetails_PKIX_ED25519, ED25519, crypto.Hash(0), v1.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED, nil, "ed25519"}, + {v1.PublicKeyDetails_PKIX_ED25519_PH, ED25519, crypto.SHA512, v1.HashAlgorithm_SHA2_512, nil, "ed25519-ph"}, } // AlgorithmRegistryConfig represents a set of permitted algorithms for a given Sigstore service or component. diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go b/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go index 9cee68d1..d333cb23 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go 
@@ -188,7 +188,7 @@ func (e ECDSAVerifier) VerifySignature(signature, message io.Reader, opts ...Ver } // Without this check, VerifyASN1 panics on an invalid key. - if !e.publicKey.Curve.IsOnCurve(e.publicKey.X, e.publicKey.Y) { + if !e.publicKey.IsOnCurve(e.publicKey.X, e.publicKey.Y) { return fmt.Errorf("invalid ECDSA public key for %s", e.publicKey.Params().Name) } diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go b/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go index 7e402c42..1122989f 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/signer.go @@ -136,15 +136,12 @@ func LoadDefaultSigner(privateKey crypto.PrivateKey, opts ...LoadOption) (Signer if err != nil { return nil, err } - filteredOpts := []LoadOption{options.WithHash(algorithmDetails.hashType)} - for _, opt := range opts { - var useED25519ph bool - var rsaPSSOptions *rsa.PSSOptions - opt.ApplyED25519ph(&useED25519ph) - opt.ApplyRSAPSS(&rsaPSSOptions) - if useED25519ph || rsaPSSOptions != nil { - filteredOpts = append(filteredOpts, opt) - } - } + return LoadSignerFromAlgorithmDetails(privateKey, algorithmDetails, opts...) +} + +// LoadSignerFromAlgorithmDetails returns a signature.Signer based on +// the algorithm details and the user's choice of options. +func LoadSignerFromAlgorithmDetails(privateKey crypto.PrivateKey, algorithmDetails AlgorithmDetails, opts ...LoadOption) (Signer, error) { + filteredOpts := GetOptsFromAlgorithmDetails(algorithmDetails, opts...) return LoadSignerWithOpts(privateKey, filteredOpts...) } diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/signerverifier.go b/vendor/github.com/sigstore/sigstore/pkg/signature/signerverifier.go index f521f35f..9ff93420 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/signerverifier.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/signerverifier.go 
@@ -116,15 +116,12 @@ func LoadDefaultSignerVerifier(privateKey crypto.PrivateKey, opts ...LoadOption) if err != nil { return nil, err } - filteredOpts := []LoadOption{options.WithHash(algorithmDetails.hashType)} - for _, opt := range opts { - var useED25519ph bool - var rsaPSSOptions *rsa.PSSOptions - opt.ApplyED25519ph(&useED25519ph) - opt.ApplyRSAPSS(&rsaPSSOptions) - if useED25519ph || rsaPSSOptions != nil { - filteredOpts = append(filteredOpts, opt) - } - } + return LoadSignerVerifierFromAlgorithmDetails(privateKey, algorithmDetails, opts...) +} + +// LoadSignerVerifierFromAlgorithmDetails returns a signature.SignerVerifier based on +// the algorithm details and the user's choice of options. +func LoadSignerVerifierFromAlgorithmDetails(privateKey crypto.PrivateKey, algorithmDetails AlgorithmDetails, opts ...LoadOption) (SignerVerifier, error) { + filteredOpts := GetOptsFromAlgorithmDetails(algorithmDetails, opts...) return LoadSignerVerifierWithOpts(privateKey, filteredOpts...) } diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go index 8852ecc4..3f8beff4 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/util.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/util.go @@ -17,11 +17,13 @@ package signature import ( "bytes" + "crypto/rsa" "encoding/json" "fmt" "github.com/google/go-containerregistry/pkg/name" + "github.com/sigstore/sigstore/pkg/signature/options" sigpayload "github.com/sigstore/sigstore/pkg/signature/payload" ) 
@@ -53,3 +55,20 @@ func VerifyImageSignature(signer SignerVerifier, payload, signature []byte) (ima
 }
 return imgPayload.Image, imgPayload.Annotations, nil
 }
+
+// GetOptsFromAlgorithmDetails returns a list of LoadOptions that are
+// appropriate for the given algorithm details. It ignores the hash type because
+// that can be retrieved from the algorithm details.
+func GetOptsFromAlgorithmDetails(algorithmDetails AlgorithmDetails, opts ...LoadOption) []LoadOption {
+ res := []LoadOption{options.WithHash(algorithmDetails.hashType)}
+ for _, opt := range opts {
+ var useED25519ph bool
+ var rsaPSSOptions *rsa.PSSOptions
+ opt.ApplyED25519ph(&useED25519ph)
+ opt.ApplyRSAPSS(&rsaPSSOptions)
+ if useED25519ph || rsaPSSOptions != nil {
+ res = append(res, opt)
+ }
+ }
+ return res
+}
diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/verifier.go b/vendor/github.com/sigstore/sigstore/pkg/signature/verifier.go
index fb1e1f5c..0b5a1bba 100644
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/verifier.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/verifier.go
@@ -145,15 +145,12 @@ func LoadDefaultVerifier(publicKey crypto.PublicKey, opts ...LoadOption) (Verifi
 if err != nil {
 return nil, err
 }
- filteredOpts := []LoadOption{options.WithHash(algorithmDetails.hashType)}
- for _, opt := range opts {
- var useED25519ph bool
- var rsaPSSOptions *rsa.PSSOptions
- opt.ApplyED25519ph(&useED25519ph)
- opt.ApplyRSAPSS(&rsaPSSOptions)
- if useED25519ph || rsaPSSOptions != nil {
- filteredOpts = append(filteredOpts, opt)
- }
- }
+ return LoadVerifierFromAlgorithmDetails(publicKey, algorithmDetails, opts...)
+}
+
+// LoadVerifierFromAlgorithmDetails returns a signature.Verifier based on
+// the algorithm details and the user's choice of options.
+func LoadVerifierFromAlgorithmDetails(publicKey crypto.PublicKey, algorithmDetails AlgorithmDetails, opts ...LoadOption) (Verifier, error) {
+ filteredOpts := GetOptsFromAlgorithmDetails(algorithmDetails, opts...)
 return LoadVerifierWithOpts(publicKey, filteredOpts...)
 }
diff --git a/vendor/gitlab.com/gitlab-org/api/client-go/.gitlab-ci.yml b/vendor/gitlab.com/gitlab-org/api/client-go/.gitlab-ci.yml
index 13b2b07b..7b90069c 100644
--- a/vendor/gitlab.com/gitlab-org/api/client-go/.gitlab-ci.yml
+++ b/vendor/gitlab.com/gitlab-org/api/client-go/.gitlab-ci.yml
@@ -139,7 +139,7 @@ tests:unit:
 generate-release-notes:
 stage: deploy
 needs: []
- image: alpine:3.21.2
+ image: alpine:3.21.3
 before_script:
 - apk add --update jq curl git
 script:
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a96790d0..3c3cbed8 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -397,7 +397,7 @@ github.com/sigstore/rekor/pkg/types/rekord
 github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
 github.com/sigstore/rekor/pkg/util
 github.com/sigstore/rekor/pkg/verify
-# github.com/sigstore/sigstore v1.9.1
+# github.com/sigstore/sigstore v1.9.3
 ## explicit; go 1.23.0
 github.com/sigstore/sigstore/pkg/cryptoutils
 github.com/sigstore/sigstore/pkg/signature