feat: Cosign verifier based on Cosign CLI #10
junczhu wants to merge 22 commits into notaryproject:main
Signed-off-by: Juncheng Zhu <junczhu@microsoft.com>
Codecov Report: patch coverage is 38.24%, below the target coverage (80.00%), so the patch status has failed. You can increase the patch coverage or adjust the target coverage.
cosign/truststore.go (outdated)
| certChains map[string][]*x509.Certificate | ||
| } | ||
|
|
||
| func NewWithOpts(opts *VerifierOptions) TrustStore { |
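Review bot: `func NewWithOpts(opts *VerifierOptions) TrustStore` has no error return, so a nil `opts`, an empty key/certificate set, or a malformed entry destined for `certChains` cannot be reported and will only surface later as a failed or, worse, silently vacuous verification. Suggest `func NewWithOpts(opts *VerifierOptions) (TrustStore, error)` that rejects nil options and requires at least one trusted key or certificate chain, and document whether the map key is a registry, a repository, or a full reference.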
A1: Shall we rename or create a new package for this structure?
A2: I would read input from opts
cosign/truststore.go (outdated)
| } | ||
|
|
||
| func (t *TrustStoreImp) GetVerifyOpts(subjectRef string) (*VOptions, error) { | ||
| return t.optsMap[subjectRef], nil |
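Review bot: `return t.optsMap[subjectRef], nil` yields `nil, nil` for an unknown subject, so the caller cannot tell "no policy configured" from a policy and may dereference a nil `*VOptions` or run verification with no trust anchor at all. Use the two-value lookup and fail closed: `opts, ok := t.optsMap[subjectRef]; if !ok { return nil, fmt.Errorf("no verify options for %q", subjectRef) }`.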
Should we return an error if it does not exist?
Going to update the remote branch to apply those newly merged changes.
binbin-li left a comment:
Could you briefly explain how you support distinguishing certs/keys for different repos/registries?
| } | ||
|
|
||
| type verifyContextOptions struct { | ||
| optsMap map[string]*VerifyContext |
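Review bot: keying `optsMap` by the raw subject reference string means `registry/repo:tag`, `registry/repo@sha256:...` and a differently-cased registry host all miss the same policy, which forces a per-artifact entry and turns a typo into "no options found". Consider normalising the reference to its repository and resolving the most specific configured scope (full repository, then namespace, then registry), returning an explicit error when nothing matches.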
The map seems to map a digested reference to a context, which means users would need to configure a context for each artifact that will be validated. That would be a huge amount of work for users. Do all the options in this VerifyContext vary for each artifact?
Would it be better to have a mapping function?
| return nil, v1.Hash{}, fmt.Errorf("unable to locate reference with artifactType %s", artifactTypeCosign) | ||
| } | ||
|
|
||
| signatureDesc := signatureDescriptors[numResults-1] |
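Review bot: `signatureDesc := signatureDescriptors[numResults-1]` examines only the last listed referrer, so the verification outcome depends on which signature artifact happens to be returned last; anyone who can push an unrelated artifact with the cosign artifactType to the repository can shadow the legitimate signature, which is then never checked. Iterate over all descriptors and treat the subject as verified only if at least one signature validates against the policy, and keep the `numResults == 0` rejection (implied by the error return above) adjacent to this index.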
It seems this is an experimental feature for cosign; we probably still need to support the main user scenario. cc: @shizhMSFT
| GetVerifyOpts(subjectRef string) (*VerifyContext, error) | ||
| } | ||
|
|
||
| type verifyContextOptions struct { |
We should either expose it or have a constructor that creates it with values.
| ) | ||
|
|
||
| // VerifyContext holds the options for verifying a context. | ||
| type VerifyContext struct { |
We could remove some options if they are not required in this PR.
Those ones are filtered and are indeed used in this PR. I will keep an eye on them as the PR changes.
shizhMSFT left a comment:
I would request a markdown document of the design; otherwise it is too difficult to understand. Please provide an outline first, and then fill in the details.
cosign/go.mod (outdated)
|
|
||
| go 1.23.4 | ||
|
|
||
| toolchain go1.23.6 |
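Review bot: `toolchain go1.23.6` next to `go 1.23.4` makes any build whose local Go is older than 1.23.6 fetch that exact toolchain automatically (GOTOOLCHAIN=auto), adding a build-time download that this module does not otherwise need. Unless a dependency requires 1.23.6, keep only the `go` directive.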
cosign/truststore.go (outdated)
| IgnoreSCT bool | ||
| } | ||
|
|
||
| type TrustStoreImp struct { |
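Review bot: `IgnoreSCT bool` disables the Signed Certificate Timestamp check on Fulcio-issued signing certificates, which is the evidence that the certificate was logged in certificate transparency. It must default to false, its doc comment should state that enabling it weakens keyless verification, and the verification result should record that SCT checking was skipped so a policy engine can reject such results.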
cosign/verifier.go (outdated)
| Verifier: v, | ||
| } | ||
| // TODO: update verify result | ||
| _, err = cosign.VerifyImageSignature(ctx, sig, signatureDescHash, checkOpts) |
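Review bot: `_, err = cosign.VerifyImageSignature(ctx, sig, signatureDescHash, checkOpts)` discards the first return value, which reports whether the signature's Rekor bundle was verified, so the `// TODO: update verify result` above has nothing to record. Capture it (`bundleVerified, err := cosign.VerifyImageSignature(...)`), return on `err != nil` before anything else, and surface `bundleVerified` in the result so consumers can require a transparency-log entry.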
You are right. We should also consider cases that fail to verify but return no error.
Convert to draft as a PoC
What this PR does / why we need it:
- Added design document
- Implement cosign verifier
- truststore mapping, including keys, certificates, and cert chains for verification
- VerifierOptions, for verifier creation, and VerifyOption and VerifyContext for verification
Which issue(s) this PR resolves:
Resolves #39
Please check the following list:
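The truststore mapping listed above is also the subject of two review threads: the request that `GetVerifyOpts` return an error when no options exist for a subject, and the concern that a map keyed by digested reference forces one entry per artifact. One way to satisfy both is to resolve the subject to its repository and pick the most specific configured scope. The following is an added example written for this page, not code from the PR or from notaryproject; `VerifyScope`, `TrustStore`, `NewTrustStore`, `RepositoryOf` and `GetVerifyOpts` are hypothetical names, the reference parser is a deliberately minimal stand-in for a full OCI one, and the registry, repository and key names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VerifyScope is a hypothetical policy entry used only by this example; it
// stands in for the verification options a verifier would hand to cosign.
type VerifyScope struct {
	Name    string   // label for the matched policy (constructed)
	KeyRefs []string // public keys or certificate identities trusted in this scope
}

// TrustStore maps a scope (registry, registry/namespace, or full repository)
// to a VerifyScope. Lookups pick the longest matching scope.
type TrustStore struct {
	scopes map[string]*VerifyScope
}

// normalizeScope lowercases the registry host (the only case-insensitive part
// of an OCI reference) and drops a trailing slash.
func normalizeScope(scope string) string {
	parts := strings.SplitN(strings.TrimSuffix(scope, "/"), "/", 2)
	parts[0] = strings.ToLower(parts[0])
	return strings.Join(parts, "/")
}

// NewTrustStore rejects empty or keyless entries up front instead of building
// a store that can only ever answer "no policy".
func NewTrustStore(entries map[string]*VerifyScope) (*TrustStore, error) {
	if len(entries) == 0 {
		return nil, errors.New("trust store must contain at least one scope")
	}
	ts := &TrustStore{scopes: make(map[string]*VerifyScope, len(entries))}
	for scope, v := range entries {
		if v == nil || len(v.KeyRefs) == 0 {
			return nil, fmt.Errorf("scope %q has no trusted keys or certificates", scope)
		}
		ts.scopes[normalizeScope(scope)] = v
	}
	return ts, nil
}

// RepositoryOf strips tag and digest so that "REG.io/team/app:1.0" and
// "reg.io/team/app@sha256:..." resolve to the same repository.
func RepositoryOf(ref string) (string, error) {
	repo := ref
	if i := strings.Index(repo, "@"); i >= 0 {
		repo = repo[:i] // a digest always follows the tag
	}
	slash := strings.LastIndex(repo, "/")
	if slash < 0 {
		return "", fmt.Errorf("reference %q has no registry/repository separator", ref)
	}
	// A ':' after the last '/' is a tag; one before it is a registry port.
	if colon := strings.Index(repo[slash:], ":"); colon >= 0 {
		repo = repo[:slash+colon]
	}
	if strings.HasSuffix(repo, "/") {
		return "", fmt.Errorf("reference %q has an empty repository path", ref)
	}
	return normalizeScope(repo), nil
}

// GetVerifyOpts returns the most specific scope for a subject reference and
// fails closed with an error when nothing matches, never a nil policy.
func (t *TrustStore) GetVerifyOpts(subjectRef string) (*VerifyScope, error) {
	repo, err := RepositoryOf(subjectRef)
	if err != nil {
		return nil, err
	}
	scope := repo
	for { // walk from the full repository up to the bare registry host
		if v, ok := t.scopes[scope]; ok {
			return v, nil
		}
		i := strings.LastIndex(scope, "/")
		if i < 0 {
			break
		}
		scope = scope[:i]
	}
	return nil, fmt.Errorf("no verification options configured for %s", repo)
}

func main() {
	// Constructed policy: a registry default, a tighter team scope, one exact repo.
	ts, err := NewTrustStore(map[string]*VerifyScope{
		"REG.example.io":          {Name: "registry-default", KeyRefs: []string{"default.pub"}},
		"reg.example.io/team":     {Name: "team", KeyRefs: []string{"team.pub"}},
		"reg.example.io/team/app": {Name: "app", KeyRefs: []string{"app.pub"}},
	})
	if err != nil {
		panic(err)
	}
	for _, ref := range []string{"reg.example.io/team/app:1.0", "reg.example.io/infra/db:15", "other.io/app:1"} {
		if scope, err := ts.GetVerifyOpts(ref); err != nil {
			fmt.Printf("%s -> REJECT: %v\n", ref, err)
		} else {
			fmt.Printf("%s -> policy %q\n", ref, scope.Name)
		}
	}
}
```

The design choice worth noting is that a miss is an error rather than an empty policy: a verifier that receives `nil` options can only panic or verify against nothing, while an error lets the caller fail closed and report which repository has no trust configured.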