Add --signing-algorithm flag

[ret2libc]

Summary

This PR implements a configurable signing algorithm feature for Cosign by adding a --signing-algorithm flag to sign-blob commands. This partially addresses #3271 for configurable crypto algorithms.

Key Changes:

• Added --signing-algorithm flag to sign-blob command
• Supports multiple signing algorithms: ECDSA P-256/384/521 with SHA-256/384/512, RSA, and Ed25519ph
• Maintains ECDSA P-256 SHA-256 as the default algorithm for backwards compatibility
• Updated signing logic to use the specified algorithm when generating new keys

The implementation allows users to specify signing algorithms like:

cosign sign-blob --signing-algorithm ecdsa-sha2-384-nistp3 <file>
cosign sign-blob --signing-algorithm rsa-sign-pkcs1-3072-sha256 <file>
cosign sign-blob --signing-algorithm ed25519-ph <file>

This improves security by allowing users to choose stronger algorithms and provides cryptographic agility for different security requirements.

Release Note

• Added --signing-algorithm flag to sign-blob command to allow configurable signing algorithms. Supported algorithms include ECDSA (P-256/384/521), RSA PKCS1v15, and Ed25519ph. ECDSA P-256 SHA-256 remains the default algorithm.

---

How to test

$ ./cosign sign-blob --signing-algorithm=help --new-bundle-format --bundle cosign.bundle --yes README.md                                                                          ✘ 1 
Error: invalid signing algorithm: help. Supported algorithms are: ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, ed25519-ph, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256
error during command execution: invalid signing algorithm: help. Supported algorithms are: ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, ed25519-ph, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256

$ ./cosign sign-blob --new-bundle-format --bundle cosign.bundle --yes README.md
# Default is ECDSA-P256 with SHA256
$ jq -C '.messageSignature.messageDigest.algorithm' cosign.bundle
"SHA2_256"
$ jq -r '.verificationMaterial.certificate.rawBytes' cosign.bundle | base64 -d | print-cert /dev/stdin | grep -A 10 "Subject Public Key Info:"
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:94:ec:38:c8:e0:f5:5d:4c:b8:e5:52:69:45:00:
                    dd:e4:76:b7:bb:a5:8c:c1:d1:00:c5:d0:6d:f8:89:
                    5f:5f:76:ce:d0:af:f7:18:1c:43:80:99:d8:a4:5d:
                    bd:1c:7e:98:15:a3:c4:61:2a:09:70:87:64:e9:9d:
                    1b:3e:86:fa:b3
                ASN1 OID: prime256v1
                NIST CURVE: P-256


$ ./cosign sign-blob --signing-algorithm ecdsa-sha2-512-nistp521 --new-bundle-format --bundle cosign.bundle --yes README.md
# Artifact digest should be SHA512 and public key should be ECDSA-P521
$ jq -C '.messageSignature.messageDigest.algorithm' cosign.bundle
"SHA2_512"
$ jq -r '.verificationMaterial.certificate.rawBytes' cosign.bundle | base64 -d | print-cert /dev/stdin | grep -A 14 "Subject Public Key Info:"
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:00:21:6a:9f:01:72:ae:36:63:60:51:aa:d8:58:
                    d7:a8:1e:2b:c9:5b:95:db:0a:a1:23:7a:17:f7:23:
                    10:df:0f:56:02:94:71:38:e0:30:25:81:0e:be:2a:
                    09:68:15:f4:d2:31:5f:8b:0e:b6:f7:41:c6:54:cc:
                    46:c8:64:80:19:89:63:00:93:b8:fe:cc:91:8a:b2:
                    2f:2f:20:25:2e:2b:6d:24:66:5a:3a:35:0b:8f:c3:
                    cf:43:19:f6:ee:c6:54:18:ae:02:b7:36:49:31:27:
                    52:67:14:88:b0:85:05:17:36:0c:5c:57:4c:c8:76:
                    bc:86:ab:ea:25:2f:3e:8c:56:77:90:9b:df
                ASN1 OID: secp521r1
                NIST CURVE: P-521

# Non-default signing algorithm are supported only with the new bundle format
$ ./cosign sign-blob --signing-algorithm ecdsa-sha2-512-nistp521 --bundle cosign.bundle README.md                                                                               ✘ 130 
Generating ephemeral keys...
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=oMmHLR....
Retrieving signed certificate...
Successfully verified SCT...
Non SHA256 hash function is not supported for old bundle format. Use --new-bundle-format to use the new bundle format or use different signing key/algorithm.
Are you sure you would like to continue? [y/N] 

[ret2libc]

Shall we add the --signing-algorithm to the verify/verify-blob commands as well?

[haydentherapper]

Do we need a client algorithm registry for the sign path? There are roughly three places the client interacts with a key: Generation, signing, and verification.

For generation, it makes sense that the client specify which algorithms are supported for the generated key. This can be for both ephemeral and long-lived key generation.

For the verification path, supported algorithms could be a part of the verification policy, so that makes sense to allow a user to specify a set of trusted algorithms.

For signing, I'm not sure it's needed. When a key is provided, the user is specifying that's the key they want to use (whether it was generated ephemerally or self-managed). The backend (fulcio or rekor) could choose to reject it, which will be surfaced as a response error.

[haydentherapper]

Overall LGTM, I'll need to do a deep dive once this is out of draft but overall this seems solid. Can we add e2e tests that exercise generation, signing and verification?

[codecov]

Codecov Report

❌ Patch coverage is 12.50000% with 56 lines in your changes missing coverage. Please review.
✅ Project coverage is 34.61%. Comparing base (2ef6022) to head (ff27b5e).
⚠️ Report is 499 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/cosign/cli/sign/sign.go	0.00%	19 Missing ⚠️
cmd/cosign/cli/sign/sign_blob.go	40.00%	10 Missing and 2 partials ⚠️
cmd/cosign/cli/signblob.go	0.00%	11 Missing ⚠️
pkg/cosign/keys.go	0.00%	9 Missing ⚠️
cmd/cosign/cli/options/signblob.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3497      +/-   ##
==========================================
- Coverage   40.10%   34.61%   -5.49%     
==========================================
  Files         155      216      +61     
  Lines       10044    15256    +5212     
==========================================
+ Hits         4028     5281    +1253     
- Misses       5530     9288    +3758     
- Partials      486      687     +201     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[haydentherapper]

Would we want to have this only under the --new-bundle-format path, given that I assume we'll want to use the new sigstore-go compatible verifier? It would also decrease the number of places that changes have to be made along the sign path.

[ret2libc]

Would we want to have this only under the --new-bundle-format path, given that I assume we'll want to use the new sigstore-go compatible verifier?

I can check --signing-algorithm is only used with --new-bundle-format and fail with msg if old bundle format is used. However, in terms of code changes I don't think it would really affect anything else because the format of the bundle is just affecting the very last bit in sign_blob.go where we serialize the data.

[ret2libc]

Ideally this would be supported for other commands as well and not only for sign-blob, but we need some extra work on those other commands first.