Clean up and modify to use library-go verify package

Modify to use proper k8s encoding/decoding and other minor cleanup.
Reference open comments from #343.
Use library-go verify package which was created since both CVO and
the oc client use them.

pkg/cli/admin/release/extract.go

@@ -9,8 +9,6 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
-	"path/filepath"
-	"strings"
 	"sync"
 	"time"
 
@@ -290,23 +288,6 @@ func (o *ExtractOptions) Run() error {
 							manifestErrs = append(manifestErrs, errors.Wrapf(err, "error parsing %s", hdr.Name))
 							return true, nil
 						}
-						for i := range ms {
-							ms[i].OriginalFilename = filepath.Base(hdr.Name)
-							src := fmt.Sprintf("the config map %s/%s", ms[i].Obj.GetNamespace(), ms[i].Obj.GetName())
-							data, _, err := unstructured.NestedStringMap(ms[i].Obj.Object, "data")
-							if err != nil {
-								manifestErrs = append(manifestErrs, errors.Wrapf(err, "%s is not valid", src))
-								continue
-							}
-							for k, v := range data {
-								switch {
-								case strings.HasPrefix(k, "verifier-public-key-"):
-									klog.V(2).Infof("Found in %s:\n%s %s", hdr.Name, k, v)
-								case strings.HasPrefix(k, "store-"):
-									klog.V(2).Infof("Found in %s:\n%s\n%s", hdr.Name, k, v)
-								}
-							}
-						}
 						o.Manifests = append(o.Manifests, ms...)
 					}
 				}
@@ -320,19 +301,10 @@ func (o *ExtractOptions) Run() error {
 			return fmt.Errorf("image did not contain %s", o.File)
 		}
 
-		// Only output manifest errors if manifests were being extracted and we didn't find the expected signature
-		// manifests. We don't care about errors in other manifests and they will only confuse/alarm the user.
+		// Only output manifest errors if manifests were being extracted.
 		// Do not return an error so current operation, e.g. mirroring, continues.
-		if len(manifestErrs) > 0 {
-			if o.ExtractManifests && len(o.Manifests) == 0 {
-				fmt.Fprintf(o.ErrOut, "Errors: %s\n", errorList(manifestErrs))
-			}
-		}
-
-		// Output an error if manifests were being extracted and we didn't find the expected signature
-		// manifests. Do not return an error so current operation, e.g. mirroring, continues.
-		if o.ExtractManifests && len(o.Manifests) == 0 {
-			fmt.Fprintf(o.ErrOut, "No manifests found\n")
+		if o.ExtractManifests && len(manifestErrs) > 0 {
+			fmt.Fprintf(o.ErrOut, "Errors: %s\n", errorList(manifestErrs))
 		}
 		return nil
 

pkg/cli/admin/release/mirror.go

@@ -39,11 +39,14 @@ import (
 	"github.com/openshift/library-go/pkg/image/dockerv1client"
 	imagereference "github.com/openshift/library-go/pkg/image/reference"
 	"github.com/openshift/library-go/pkg/manifest"
+	"github.com/openshift/library-go/pkg/verify"
+	"github.com/openshift/library-go/pkg/verify/store/configmap"
+	"github.com/openshift/library-go/pkg/verify/store/sigstore"
+	"github.com/openshift/library-go/pkg/verify/util"
 	"github.com/openshift/oc/pkg/cli/image/extract"
 	"github.com/openshift/oc/pkg/cli/image/imagesource"
 	imagemanifest "github.com/openshift/oc/pkg/cli/image/manifest"
 	"github.com/openshift/oc/pkg/cli/image/mirror"
-	"github.com/openshift/oc/pkg/helpers/release"
 )
 
 // configFilesBaseDir is created under '--to-dir', when specified, to contain release image
@@ -236,7 +239,7 @@ func (o *MirrorOptions) Complete(cmd *cobra.Command, f kcmdutil.Factory, args []
 		if err != nil {
 			return nil, err
 		}
-		client := coreClient.ConfigMaps(release.NamespaceLabelConfigMap)
+		client := coreClient.ConfigMaps(configmap.NamespaceLabelConfigMap)
 		return client, nil
 	}
 	o.PrintImageContentInstructions = true
@@ -321,7 +324,7 @@ func (o *MirrorOptions) handleSignatures(context context.Context, signaturesByDi
 		}
 	}
 	for digest, signatures := range signaturesByDigest {
-		cmData, err := release.GetSignaturesAsConfigmap(digest, signatures)
+		cmData, err := verify.GetSignaturesAsConfigmap(digest, signatures)
 		if err != nil {
 			return fmt.Errorf("converting signatures to a configmap: %v", err)
 		}
@@ -360,7 +363,7 @@ func (o *MirrorOptions) handleSignatures(context context.Context, signaturesByDi
 			if o.DryRun {
 				fmt.Fprintf(o.Out, "info: Write configmap signature file %s\n", fullName)
 			} else {
-				cmDataBytes, err := yaml.Marshal(cmData)
+				cmDataBytes, err := util.ConfigMapAsBytes(cmData)
 				if err != nil {
 					return fmt.Errorf("marshaling configmap YAML: %v", err)
 				}
@@ -497,19 +500,18 @@ func (o *MirrorOptions) Run() error {
 	sourceFn := func(ref imagesource.TypedImageReference) imagesource.TypedImageReference {
 		return ref
 	}
-	// Wraps operator's HTTPClient method to allow image verifier to create http client with up-to-date config
-	clientBuilder := &verifyClientBuilder{builder: o.HTTPClient}
+
+	httpClientConstructor := sigstore.NewCachedHTTPClientConstructor(o.HTTPClient, nil)
 
 	// Attempt to load a verifier as defined by the release being mirrored
-	imageVerifier, err := release.LoadConfigMapVerifierDataFromUpdate(manifests, clientBuilder, nil)
+	imageVerifier, err := verify.NewFromManifests(manifests, httpClientConstructor.HTTPClient)
 	if err != nil {
 		return fmt.Errorf("Unable to load configmap verifier: %v", err)
 	}
 	if imageVerifier != nil {
 		klog.V(4).Infof("Verifying release authenticity: %v", imageVerifier)
 	} else {
 		fmt.Fprintf(o.ErrOut, "warning: No release authenticity verification is configured, all releases are considered unverified\n")
-		imageVerifier = release.Reject
 	}
 	// verify the provided payload
 	ctx, cancelFn := context.WithCancel(context.Background())