Add oci.Signature() method to expose raw signature

Closes sigstore#2517 Signed-off-by: mozillazg <mozillazg101@gmail.com>
mozillazg · Jan 15, 2023 · 18e9432 · 18e9432
1 parent 6df3ad9
commit 18e9432
Show file tree

Hide file tree

Showing 12 changed files with 54 additions and 44 deletions.
diff --git a/internal/pkg/cosign/ephemeral/signer_test.go b/internal/pkg/cosign/ephemeral/signer_test.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"strings"
 	"testing"
 
@@ -43,14 +42,9 @@ func TestEphemeralSigner(t *testing.T) {
 		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
 	}
 
-	b64Sig, err := ociSig.Base64Signature()
+	sig, err := ociSig.Signature()
 	if err != nil {
-		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
-	}
-
-	sig, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+		t.Fatalf("ociSig.Signature() returned error: %v", err)
 	}
 
 	err = verifier.VerifySignature(bytes.NewReader(sig), strings.NewReader(testPayload))

diff --git a/internal/pkg/cosign/fulcio/signer_test.go b/internal/pkg/cosign/fulcio/signer_test.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"strings"
 	"testing"
 
@@ -112,13 +111,9 @@ func TestSigner(t *testing.T) {
 	if err != nil {
 		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
 	}
-	b64Sig, err := ociSig.Base64Signature()
+	sig, err := ociSig.Signature()
 	if err != nil {
-		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
-	}
-	sig, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+		t.Fatalf("ociSig.Signature() returned error: %v", err)
 	}
 	gotPayload, err := ociSig.Payload()
 	if err != nil {

diff --git a/internal/pkg/cosign/payload/signer_test.go b/internal/pkg/cosign/payload/signer_test.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"strings"
 	"testing"
 
@@ -54,14 +53,9 @@ func TestSigner(t *testing.T) {
 		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
 	}
 
-	b64Sig, err := ociSig.Base64Signature()
+	sig, err := ociSig.Signature()
 	if err != nil {
-		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
-	}
-
-	sig, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+		t.Fatalf("ociSig.Signature() returned error: %v", err)
 	}
 
 	gotPayload, err := ociSig.Payload()

diff --git a/internal/pkg/cosign/rekor/signer_test.go b/internal/pkg/cosign/rekor/signer_test.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"strings"
 	"testing"
 
@@ -71,13 +70,9 @@ func TestSigner(t *testing.T) {
 	if err != nil {
 		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
 	}
-	b64Sig, err := ociSig.Base64Signature()
+	sig, err := ociSig.Signature()
 	if err != nil {
-		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
-	}
-	sig, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+		t.Fatalf("ociSig.Signature() returned error: %v", err)
 	}
 	gotPayload, err := ociSig.Payload()
 	if err != nil {

diff --git a/internal/pkg/cosign/tsa/signer.go b/internal/pkg/cosign/tsa/signer.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
@@ -81,13 +80,8 @@ func (rs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
-	b64Sig, err := sig.Base64Signature()
-	if err != nil {
-		return nil, nil, err
-	}
-
 	// create timestamp over raw bytes of signature
-	rawSig, err := base64.StdEncoding.DecodeString(b64Sig)
+	rawSig, err := sig.Signature()
 	if err != nil {
 		return nil, nil, err
 	}

diff --git a/internal/pkg/cosign/tsa/signer_test.go b/internal/pkg/cosign/tsa/signer_test.go
@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"encoding/base64"
 	"strings"
 	"testing"
 	"time"
@@ -65,13 +64,9 @@ func TestSigner(t *testing.T) {
 	if err != nil {
 		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
 	}
-	b64Sig, err := ociSig.Base64Signature()
+	sig, err := ociSig.Signature()
 	if err != nil {
-		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
-	}
-	sig, err := base64.StdEncoding.DecodeString(b64Sig)
-	if err != nil {
-		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+		t.Fatalf("ociSig.Signature() returned error: %v", err)
 	}
 	gotPayload, err := ociSig.Payload()
 	if err != nil {

diff --git a/pkg/oci/internal/signature/layer.go b/pkg/oci/internal/signature/layer.go
@@ -17,6 +17,7 @@ package signature
 
 import (
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -69,6 +70,15 @@ func (s *sigLayer) Payload() ([]byte, error) {
 	return payload, nil
 }
 
+// Signature implements oci.Signature
+func (s *sigLayer) Signature() ([]byte, error) {
+	b64sig, err := s.Base64Signature()
+	if err != nil {
+		return nil, err
+	}
+	return base64.StdEncoding.DecodeString(b64sig)
+}
+
 // Base64Signature implements oci.Signature
 func (s *sigLayer) Base64Signature() (string, error) {
 	b64sig, ok := s.desc.Annotations[sigkey]

diff --git a/pkg/oci/mutate/signature.go b/pkg/oci/mutate/signature.go
@@ -64,6 +64,11 @@ func (sw *sigWrapper) Payload() ([]byte, error) {
 	return sw.wrapped.Payload()
 }
 
+// Signature implements oci.Signature
+func (sw *sigWrapper) Signature() ([]byte, error) {
+	return sw.wrapped.Signature()
+}
+
 // Base64Signature implements oci.Signature.
 func (sw *sigWrapper) Base64Signature() (string, error) {
 	return sw.wrapped.Base64Signature()

diff --git a/pkg/oci/signature/layer.go b/pkg/oci/signature/layer.go
@@ -17,6 +17,7 @@ package signature
 
 import (
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -69,6 +70,15 @@ func (s *sigLayer) Payload() ([]byte, error) {
 	return payload, nil
 }
 
+// Signature implements oci.Signature
+func (s *sigLayer) Signature() ([]byte, error) {
+	b64sig, err := s.Base64Signature()
+	if err != nil {
+		return nil, err
+	}
+	return base64.StdEncoding.DecodeString(b64sig)
+}
+
 // Base64Signature implements oci.Signature
 func (s *sigLayer) Base64Signature() (string, error) {
 	b64sig, ok := s.desc.Annotations[sigkey]

diff --git a/pkg/oci/signatures.go b/pkg/oci/signatures.go
@@ -42,6 +42,11 @@ type Signature interface {
 	// This will always return data when there is no error.
 	Payload() ([]byte, error)
 
+	// Signature fetches the raw signature
+	// of the payload.  This will always return data when
+	// there is no error.
+	Signature() ([]byte, error)
+
 	// Base64Signature fetches the base64 encoded signature
 	// of the payload.  This will always return data when
 	// there is no error.

diff --git a/pkg/oci/static/signature.go b/pkg/oci/static/signature.go
@@ -18,6 +18,7 @@ package static
 import (
 	"bytes"
 	"crypto/x509"
+	"encoding/base64"
 	"io"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -138,6 +139,15 @@ func (l *staticLayer) Payload() ([]byte, error) {
 	return l.b, nil
 }
 
+// Signature implements oci.Signature
+func (l *staticLayer) Signature() ([]byte, error) {
+	b64sig, err := l.Base64Signature()
+	if err != nil {
+		return nil, err
+	}
+	return base64.StdEncoding.DecodeString(b64sig)
+}
+
 // Base64Signature implements oci.Signature
 func (l *staticLayer) Base64Signature() (string, error) {
 	return l.b64sig, nil

diff --git a/pkg/policy/attestation_test.go b/pkg/policy/attestation_test.go
@@ -43,6 +43,9 @@ func (fa *failingAttestation) Payload() ([]byte, error) {
 func (fa *failingAttestation) Annotations() (map[string]string, error) {
 	return nil, fmt.Errorf("unimplemented")
 }
+func (fa *failingAttestation) Signature() ([]byte, error) {
+	return nil, fmt.Errorf("unimplemented")
+}
 func (fa *failingAttestation) Base64Signature() (string, error) {
 	return "", fmt.Errorf("unimplemented")
 }