feat: sign.kontain.me #64
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # `sign.kontain.me` | ||
|
|
||
| ## Examples | ||
|
|
||
| Pull a mirrored [`busybox`](https://hub.docker.com/_/busybox) image: | ||
|
|
||
| ``` | ||
| docker pull sign.kontain.me/busybox | ||
| ``` | ||
|
|
||
| Or by tag: | ||
|
|
||
| ``` | ||
| docker pull sign.kontain.me/busybox:musl | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -euxo pipefail | ||
|
|
||
| gcloud run deploy sign \ | ||
| --project=kontaindotme \ | ||
| --region=us-central1 \ | ||
| --allow-unauthenticated \ | ||
| --set-env-vars=BUCKET=kontaindotme \ | ||
| --image=$(KO_DOCKER_REPO=gcr.io/kontaindotme ko publish -P ./cmd/sign) \ | ||
| --memory=1Gi \ | ||
| --cpu=1 \ | ||
| --concurrency=80 \ | ||
| --timeout=60 # 1m |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,208 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "context" | ||
| "fmt" | ||
| "github.com/google/go-containerregistry/pkg/authn" | ||
| v1 "github.com/google/go-containerregistry/pkg/v1" | ||
| "github.com/google/go-containerregistry/pkg/v1/remote" | ||
| "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" | ||
| "log" | ||
| "net/http" | ||
| "os" | ||
| "strings" | ||
|
|
||
| "github.com/google/go-containerregistry/pkg/name" | ||
| "github.com/imjasonh/kontain.me/pkg/serve" | ||
|
|
||
| "github.com/sigstore/cosign/cmd/cosign/cli/options" | ||
| "github.com/sigstore/cosign/cmd/cosign/cli/sign" | ||
| "github.com/sigstore/cosign/cmd/cosign/cli/verify" | ||
| "github.com/sigstore/cosign/pkg/cosign" | ||
| fulcioclient "github.com/sigstore/fulcio/pkg/client" | ||
| ) | ||
|
|
||
| func main() { | ||
| ctx := context.Background() | ||
| st, err := serve.NewStorage(ctx) | ||
| if err != nil { | ||
| log.Fatalf("serve.NewStorage: %v", err) | ||
| } | ||
| http.Handle("/v2/", &server{ | ||
| info: log.New(os.Stdout, "I ", log.Ldate|log.Ltime|log.Lshortfile), | ||
| error: log.New(os.Stderr, "E ", log.Ldate|log.Ltime|log.Lshortfile), | ||
| storage: st, | ||
| }) | ||
| http.Handle("/", http.RedirectHandler("https://github.com/imjasonh/kontain.me/blob/main/cmd/sign", http.StatusSeeOther)) | ||
|
|
||
| log.Println("Starting...") | ||
| port := os.Getenv("PORT") | ||
| if port == "" { | ||
| port = "8080" | ||
| log.Printf("Defaulting to port %s", port) | ||
| } | ||
| log.Printf("Listening on port %s", port) | ||
| log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil)) | ||
| } | ||
|
|
||
| type server struct { | ||
| info, error *log.Logger | ||
| storage *serve.Storage | ||
| } | ||
|
|
||
| func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
| s.info.Println("handler:", r.Method, r.URL) | ||
| path := strings.TrimPrefix(r.URL.String(), "/v2/") | ||
|
|
||
| switch { | ||
| case path == "": | ||
| // API Version check. | ||
| w.Header().Set("Docker-Distribution-API-Version", "registry/2.0") | ||
| return | ||
| case strings.Contains(path, "/blobs/"), | ||
| strings.Contains(path, "/manifests/sha256:"): | ||
| // Extract requested blob digest and redirect to serve it from GCS. | ||
| // If it doesn't exist, this will return 404. | ||
| parts := strings.Split(r.URL.Path, "/") | ||
| digest := parts[len(parts)-1] | ||
| serve.Blob(w, r, digest) | ||
| case strings.Contains(path, "/manifests/"): | ||
| s.serveSignManifest(w, r) | ||
| default: | ||
| serve.Error(w, serve.ErrNotFound) | ||
| } | ||
| } | ||
|
|
||
| // sign.kontain.me/ubuntu -> mirror ubuntu and serve | ||
| func (s *server) serveSignManifest(w http.ResponseWriter, r *http.Request) { | ||
| ctx := r.Context() | ||
| path := strings.TrimPrefix(r.URL.Path, "/v2/") | ||
| parts := strings.Split(path, "/") | ||
|
|
||
| refstr := strings.Join(parts[:len(parts)-2], "/") | ||
| tagOrDigest := parts[len(parts)-1] | ||
| if strings.HasPrefix(tagOrDigest, "sha256:") { | ||
| refstr += "@" + tagOrDigest | ||
| } else { | ||
| refstr += ":" + tagOrDigest | ||
| } | ||
| for strings.HasPrefix(refstr, "sign.kontain.me/") { | ||
| refstr = strings.TrimPrefix(refstr, "sign.kontain.me/") | ||
| } | ||
|
|
||
| ref, err := name.ParseReference(refstr) | ||
| if err != nil { | ||
| s.error.Printf("ERROR (ParseReference(%q)): %v", refstr, err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| revision := tagOrDigest | ||
|
|
||
| // If request is for image by digest, try to serve it from GCS. | ||
| if strings.HasPrefix(tagOrDigest, "sha256:") { | ||
| desc, err := s.storage.BlobExists(ctx, tagOrDigest) | ||
| if err != nil { | ||
| s.error.Printf("ERROR (storage.BlobExists): %s", err) | ||
| serve.Error(w, serve.ErrNotFound) | ||
| return | ||
| } | ||
| if r.Method == http.MethodHead { | ||
| w.Header().Set("Docker-Content-Digest", tagOrDigest) | ||
| w.Header().Set("Content-Type", string(desc.MediaType)) | ||
| w.Header().Set("Content-Length", fmt.Sprintf("%d", desc.Size)) | ||
| return | ||
| } | ||
| serve.Blob(w, r, tagOrDigest) | ||
| return | ||
| } | ||
|
|
||
| // If it's a HEAD request, and request was by digest, and we have that | ||
| // manifest mirrored by digest already, serve HEAD response from GCS. | ||
| // If it's a HEAD request and the other conditions aren't met, we'll | ||
| // handle this later by consulting the real registry. | ||
| if r.Method == http.MethodHead { | ||
| if d, ok := ref.(name.Digest); ok { | ||
| if desc, err := s.storage.BlobExists(ctx, d.DigestStr()); err == nil { | ||
| w.Header().Set("Docker-Content-Digest", d.DigestStr()) | ||
| w.Header().Set("Content-Type", string(desc.MediaType)) | ||
| w.Header().Set("Content-Length", fmt.Sprintf("%d", desc.Size)) | ||
| return | ||
| } | ||
| } | ||
| } | ||
|
|
||
| ko := sign.KeyOpts{ | ||
| FulcioURL: fulcioclient.SigstorePublicServerURL, | ||
| RekorURL: "https://rekor.sigstore.dev", | ||
| OIDCIssuer: "https://oauth2.sigstore.dev/auth", | ||
| OIDCClientID: "sigstore", | ||
| } | ||
|
|
||
| ro := options.RegistryOptions{} | ||
|
|
||
| err = sign.SignCmd(ctx, ko, ro, nil, []string{refstr}, "", true, "", false, false, "") | ||
|
|
||
| if err != nil { | ||
| s.error.Printf("ERROR (Cosign Keyless Sign(%q)): %v", refstr, err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| // Serve new image manifest. | ||
| img, err := s.getImage(ctx, refstr) | ||
| if err != nil { | ||
| s.error.Println("ERROR:", err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| co, err := ro.ClientOpts(ctx) | ||
| if err != nil { | ||
| s.error.Println("ERROR:", err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| verified, _, err := cosign.VerifyImageSignatures(ctx, ref, &cosign.CheckOpts{ | ||
| RekorURL: "https://rekor.sigstore.dev", | ||
| RegistryClientOpts: co, | ||
| RootCerts: fulcio.GetRoots(), | ||
| }) | ||
|
|
||
| if err != nil { | ||
| s.error.Println("VerifyImageSignatures:", err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| if len(verified) > 0 { | ||
| verify.PrintVerification(refstr, verified, "text") | ||
| } else { | ||
| s.error.Println("PrintVerification:", err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
|
|
||
| // Serve the manifest. | ||
| ck := cacheKey(path, revision) | ||
| if err := s.storage.ServeManifest(w, r, img, ck); err != nil { | ||
| s.error.Printf("ERROR (storage.ServeManifest): %v", err) | ||
| serve.Error(w, err) | ||
| return | ||
| } | ||
| } | ||
|
|
||
| func cacheKey(path, revision string) string { | ||
| ck := fmt.Sprintf("%s-%s", strings.ReplaceAll(path, "/", "_"), revision) | ||
| return fmt.Sprintf("sign-%x", ck) | ||
| } | ||
|
|
||
| func (s *server) getImage(ctx context.Context, image string) (v1.Image, error) { | ||
| ref, err := name.NewTag(image, name.WeakValidation) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return remote.Image(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain), | ||
| remote.WithContext(ctx)) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -euxo pipefail | ||
|
|
||
| time crane validate --remote=sign.kontain.me/busybox | ||
| time crane validate --remote=sign.kontain.me/busybox | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can run the server locally with
BUCKET=your-gcs-bucket go run ./cmd/signand pull an image withcrane validate --remote=localhost:8080/busyboxThis test should also
cosign verifythe signature for the imageThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We just implemented the Verification method for the keyless mode:
And we're printing results to stdout as follows:
Is that what you asked for?