Merge pull request #1530 from aquaproj/fix/cosign-goos-goarch

fix: install cosign properly even if AQUA_GOOS and AQUA_GOARCH are set
aquaproj · Jan 6, 2023 · 5885165 · 5885165
2 parents 62f1f07 + 4310057
commit 5885165
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 87 deletions.
diff --git a/pkg/installpackage/checksum.go b/pkg/installpackage/checksum.go
@@ -59,7 +59,7 @@ func (inst *InstallerImpl) dlAndExtractChecksum(ctx context.Context, logE *logru
 		}
 		art := pkg.GetTemplateArtifact(inst.runtime, assetName)
 		logE.Info("verify a checksum file with Cosign")
-		if err := inst.installCosign(ctx, logE, cosign.Version); err != nil {
+		if err := inst.cosignInstaller.installCosign(ctx, logE, cosign.Version); err != nil {
 			return "", err
 		}
 		if err := inst.cosign.Verify(ctx, logE, inst.runtime, &download.File{

diff --git a/pkg/installpackage/cosign.go b/pkg/installpackage/cosign.go
@@ -12,88 +12,11 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// type Cosign struct {
-// 	installer *InstallerImpl
-// }
-//
-// func NewCosign(param *config.Param, downloader download.ClientAPI, fs afero.Fs, linker domain.Linker, executor Executor, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, policyChecker policy.Checker, cosignVerifier cosign.Verifier, slsaVerifier slsa.Verifier) *Cosign {
-// 	return &Cosign{
-// 		installer: &InstallerImpl{
-// 			rootDir:            param.RootDir,
-// 			maxParallelism:     param.MaxParallelism,
-// 			downloader:         downloader,
-// 			checksumDownloader: chkDL,
-// 			checksumFileParser: &checksum.FileParser{},
-// 			checksumCalculator: chkCalc,
-// 			runtime:            runtime.NewR(),
-// 			fs:                 fs,
-// 			linker:             linker,
-// 			executor:           executor,
-// 			progressBar:        param.ProgressBar,
-// 			isTest:             param.IsTest,
-// 			onlyLink:           param.OnlyLink,
-// 			copyDir:            param.Dest,
-// 			unarchiver:         unarchiver,
-// 			policyChecker:      policyChecker,
-// 			cosign:             cosignVerifier,
-// 			slsaVerifier:       slsaVerifier,
-// 		},
-// 	}
-// }
-//
-// func (cos *Cosign) InstallCosign(ctx context.Context, logE *logrus.Entry, version string) error {
-// 	assetTemplate := `cosign-{{.OS}}-{{.Arch}}`
-// 	pkg := &config.Package{
-// 		Package: &aqua.Package{
-// 			Name:    "sigstore/cosign",
-// 			Version: version,
-// 		},
-// 		PackageInfo: &registry.PackageInfo{
-// 			Type:      "github_release",
-// 			RepoOwner: "sigstore",
-// 			RepoName:  "cosign",
-// 			Asset:     &assetTemplate,
-// 			SupportedEnvs: []string{
-// 				"darwin",
-// 				"linux",
-// 				"amd64",
-// 			},
-// 		},
-// 	}
-//
-// 	chksum := cosign.Checksums()[cos.installer.runtime.Env()]
-//
-// 	pkgInfo, err := pkg.PackageInfo.Override(pkg.Package.Version, cos.installer.runtime)
-// 	if err != nil {
-// 		return fmt.Errorf("evaluate version constraints: %w", err)
-// 	}
-// 	supported, err := pkgInfo.CheckSupported(cos.installer.runtime, cos.installer.runtime.GOOS+"/"+cos.installer.runtime.GOARCH)
-// 	if err != nil {
-// 		return fmt.Errorf("check if cosign is supported: %w", err)
-// 	}
-// 	if !supported {
-// 		logE.Debug("the package isn't supported on this environment")
-// 		return nil
-// 	}
-//
-// 	pkg.PackageInfo = pkgInfo
-//
-// 	if err := cos.installer.InstallPackage(ctx, logE, &ParamInstallPackage{
-// 		Checksums: checksum.New(), // Check cosign's checksum but not update aqua-checksums.json
-// 		Pkg:       pkg,
-// 		Checksum: &checksum.Checksum{
-// 			Algorithm: "sha256",
-// 			Checksum:  chksum,
-// 		},
-// 		// PolicyConfigs is nil, so the policy check is skipped
-// 	}); err != nil {
-// 		return err
-// 	}
-//
-// 	return nil
-// }
+type Cosign struct {
+	installer *InstallerImpl
+}
 
-func (inst *InstallerImpl) installCosign(ctx context.Context, logE *logrus.Entry, version string) error {
+func (cos *Cosign) installCosign(ctx context.Context, logE *logrus.Entry, version string) error {
 	assetTemplate := `cosign-{{.OS}}-{{.Arch}}`
 	pkg := &config.Package{
 		Package: &aqua.Package{
@@ -113,13 +36,13 @@ func (inst *InstallerImpl) installCosign(ctx context.Context, logE *logrus.Entry
 		},
 	}
 
-	chksum := cosign.Checksums()[inst.runtime.Env()]
+	chksum := cosign.Checksums()[cos.installer.runtime.Env()]
 
-	pkgInfo, err := pkg.PackageInfo.Override(pkg.Package.Version, inst.runtime)
+	pkgInfo, err := pkg.PackageInfo.Override(pkg.Package.Version, cos.installer.runtime)
 	if err != nil {
 		return fmt.Errorf("evaluate version constraints: %w", err)
 	}
-	supported, err := pkgInfo.CheckSupported(inst.runtime, inst.runtime.Env())
+	supported, err := pkgInfo.CheckSupported(cos.installer.runtime, cos.installer.runtime.Env())
 	if err != nil {
 		return fmt.Errorf("check if cosign is supported: %w", err)
 	}
@@ -130,7 +53,7 @@ func (inst *InstallerImpl) installCosign(ctx context.Context, logE *logrus.Entry
 
 	pkg.PackageInfo = pkgInfo
 
-	if err := inst.InstallPackage(ctx, logE, &ParamInstallPackage{
+	if err := cos.installer.InstallPackage(ctx, logE, &ParamInstallPackage{
 		Checksums: checksum.New(), // Check cosign's checksum but not update aqua-checksums.json
 		Pkg:       pkg,
 		Checksum: &checksum.Checksum{

diff --git a/pkg/installpackage/download.go b/pkg/installpackage/download.go
@@ -98,7 +98,7 @@ func (inst *InstallerImpl) download(ctx context.Context, logE *logrus.Entry, par
 	if cos := ppkg.PackageInfo.Cosign; cos.GetEnabled() {
 		art := ppkg.GetTemplateArtifact(inst.runtime, param.Asset)
 		logE.Info("verify a package with Cosign")
-		if err := inst.installCosign(ctx, logE, cosign.Version); err != nil {
+		if err := inst.cosignInstaller.installCosign(ctx, logE, cosign.Version); err != nil {
 			return err
 		}
 		if err := inst.cosign.Verify(ctx, logE, inst.runtime, &download.File{

diff --git a/pkg/installpackage/installer.go b/pkg/installpackage/installer.go
@@ -46,9 +46,18 @@ type InstallerImpl struct {
 	isTest             bool
 	copyDir            string
 	policyChecker      policy.Checker
+	cosignInstaller    *Cosign
 }
 
 func New(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker domain.Linker, executor Executor, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, policyChecker policy.Checker, cosignVerifier cosign.Verifier, slsaVerifier slsa.Verifier) *InstallerImpl {
+	installer := newInstaller(param, downloader, rt, fs, linker, executor, chkDL, chkCalc, unarchiver, policyChecker, cosignVerifier, slsaVerifier)
+	installer.cosignInstaller = &Cosign{
+		installer: newInstaller(param, downloader, runtime.NewR(), fs, linker, executor, chkDL, chkCalc, unarchiver, policyChecker, cosignVerifier, slsaVerifier),
+	}
+	return installer
+}
+
+func newInstaller(param *config.Param, downloader download.ClientAPI, rt *runtime.Runtime, fs afero.Fs, linker domain.Linker, executor Executor, chkDL download.ChecksumDownloader, chkCalc ChecksumCalculator, unarchiver Unarchiver, policyChecker policy.Checker, cosignVerifier cosign.Verifier, slsaVerifier slsa.Verifier) *InstallerImpl {
 	return &InstallerImpl{
 		rootDir:            param.RootDir,
 		maxParallelism:     param.MaxParallelism,