insecure-skip-tlog-verify: rename and adapt the cert expiration check (…

…#2620) * chore: error when no signed timestamp was found Signed-off-by: Hector Fernandez <hector@chainguard.dev> * chore: rename insecure-skip-tlog-verify to insecure-ignore-tlog Signed-off-by: Hector Fernandez <hector@chainguard.dev> * chore: change error message Signed-off-by: Hector Fernandez <hector@chainguard.dev> Signed-off-by: Hector Fernandez <hector@chainguard.dev>
sigstore · Jan 12, 2023 · 23d7a51 · 23d7a51
1 parent 3a492c7
commit 23d7a51
Show file tree

Hide file tree

Showing 19 changed files with 98 additions and 94 deletions.
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
@@ -22,7 +22,7 @@ import (
 type CommonVerifyOptions struct {
 	Offline          bool // Force offline verification
 	TSACertChainPath string
-	SkipTlogVerify   bool
+	IgnoreTlog       bool
 }
 
 func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
@@ -33,8 +33,8 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+
 			"Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp")
 
-	cmd.Flags().BoolVar(&o.SkipTlogVerify, "insecure-skip-tlog-verify", false,
-		"skip transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
+	cmd.Flags().BoolVar(&o.IgnoreTlog, "insecure-ignore-tlog", false,
+		"ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
 			"cannot be publicly verified when not included in a log")
 }
 

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -118,14 +118,14 @@ against the transparency log.`,
 				LocalImage:                   o.LocalImage,
 				Offline:                      o.CommonVerifyOptions.Offline,
 				TSACertChainPath:             o.CommonVerifyOptions.TSACertChainPath,
-				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
+				IgnoreTlog:                   o.CommonVerifyOptions.IgnoreTlog,
 			}
 
 			if o.Registry.AllowInsecure {
 				v.NameOptions = append(v.NameOptions, name.Insecure)
 			}
 
-			if o.CommonVerifyOptions.SkipTlogVerify {
+			if o.CommonVerifyOptions.IgnoreTlog {
 				fmt.Fprintln(os.Stderr, "**Warning** Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.")
 			}
 
@@ -210,7 +210,7 @@ against the transparency log.`,
 				NameOptions:                  o.Registry.NameOptions(),
 				Offline:                      o.CommonVerifyOptions.Offline,
 				TSACertChainPath:             o.CommonVerifyOptions.TSACertChainPath,
-				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
+				IgnoreTlog:                   o.CommonVerifyOptions.IgnoreTlog,
 			}
 
 			return v.Exec(cmd.Context(), args)
@@ -295,7 +295,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
 				SCTRef:                       o.CertVerify.SCT,
 				Offline:                      o.CommonVerifyOptions.Offline,
-				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
+				IgnoreTlog:                   o.CommonVerifyOptions.IgnoreTlog,
 			}
 			if err := verifyBlobCmd.Exec(cmd.Context(), args[0]); err != nil {
 				return fmt.Errorf("verifying blob %s: %w", args, err)
@@ -354,7 +354,7 @@ The blob may be specified as a path to a file.`,
 				IgnoreSCT:                    o.CertVerify.IgnoreSCT,
 				SCTRef:                       o.CertVerify.SCT,
 				Offline:                      o.CommonVerifyOptions.Offline,
-				SkipTlogVerify:               o.CommonVerifyOptions.SkipTlogVerify,
+				IgnoreTlog:                   o.CommonVerifyOptions.IgnoreTlog,
 			}
 			if len(args) != 1 {
 				return fmt.Errorf("no path to blob passed in, run `cosign verify-blob-attestation -h` for more help")

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -75,7 +75,7 @@ type VerifyCommand struct {
 	NameOptions                  []name.Option
 	Offline                      bool
 	TSACertChainPath             string
-	SkipTlogVerify               bool
+	IgnoreTlog                   bool
 }
 
 // Exec runs the verification command
@@ -121,7 +121,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		SignatureRef:                 c.SignatureRef,
 		Identities:                   identities,
 		Offline:                      c.Offline,
-		SkipTlogVerify:               c.SkipTlogVerify,
+		IgnoreTlog:                   c.IgnoreTlog,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
@@ -152,7 +152,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		co.TSARootCertificates = roots
 	}
 
-	if !c.SkipTlogVerify {
+	if !c.IgnoreTlog {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -64,7 +64,7 @@ type VerifyAttestationCommand struct {
 	NameOptions                  []name.Option
 	Offline                      bool
 	TSACertChainPath             string
-	SkipTlogVerify               bool
+	IgnoreTlog                   bool
 }
 
 // Exec runs the verification command
@@ -101,7 +101,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		IgnoreSCT:                    c.IgnoreSCT,
 		Identities:                   identities,
 		Offline:                      c.Offline,
-		SkipTlogVerify:               c.SkipTlogVerify,
+		IgnoreTlog:                   c.IgnoreTlog,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
@@ -137,7 +137,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		co.TSAIntermediateCertificates = intermediates
 		co.TSARootCertificates = roots
 	}
-	if !c.SkipTlogVerify {
+	if !c.IgnoreTlog {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -62,7 +62,7 @@ type VerifyBlobCmd struct {
 	IgnoreSCT                    bool
 	SCTRef                       string
 	Offline                      bool
-	SkipTlogVerify               bool
+	IgnoreTlog                   bool
 }
 
 // nolint
@@ -108,7 +108,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		IgnoreSCT:                    c.IgnoreSCT,
 		Identities:                   identities,
 		Offline:                      c.Offline,
-		SkipTlogVerify:               c.SkipTlogVerify,
+		IgnoreTlog:                   c.IgnoreTlog,
 	}
 	if c.RFC3161TimestampPath != "" && c.KeyOpts.TSACertChainPath == "" {
 		return fmt.Errorf("timestamp-certificate-chain is required to validate a RFC3161 timestamp")
@@ -138,7 +138,7 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		co.TSARootCertificates = roots
 	}
 
-	if !c.SkipTlogVerify {
+	if !c.IgnoreTlog {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {

diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -61,10 +61,10 @@ type VerifyBlobAttestationCommand struct {
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
 
-	IgnoreSCT      bool
-	SCTRef         string
-	Offline        bool
-	SkipTlogVerify bool
+	IgnoreSCT  bool
+	SCTRef     string
+	Offline    bool
+	IgnoreTlog bool
 
 	CheckClaims   bool
 	PredicateType string
@@ -106,7 +106,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		IgnoreSCT:                    c.IgnoreSCT,
 		Offline:                      c.Offline,
-		SkipTlogVerify:               c.SkipTlogVerify,
+		IgnoreTlog:                   c.IgnoreTlog,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
@@ -159,7 +159,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 		co.TSARootCertificates = roots
 	}
 
-	if !c.SkipTlogVerify {
+	if !c.IgnoreTlog {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {

diff --git a/cmd/cosign/cli/verify/verify_blob_attestation_test.go b/cmd/cosign/cli/verify/verify_blob_attestation_test.go
@@ -104,11 +104,11 @@ func TestVerifyBlobAttestation(t *testing.T) {
 			sigRef := writeBlobFile(t, td, string(decodedSig), "signature")
 
 			cmd := VerifyBlobAttestationCommand{
-				KeyOpts:        options.KeyOpts{KeyRef: keyRef},
-				SignaturePath:  sigRef,
-				SkipTlogVerify: true,
-				CheckClaims:    true,
-				PredicateType:  test.predicateType,
+				KeyOpts:       options.KeyOpts{KeyRef: keyRef},
+				SignaturePath: sigRef,
+				IgnoreTlog:    true,
+				CheckClaims:   true,
+				PredicateType: test.predicateType,
 			}
 			err = cmd.Exec(ctx, test.blobPath)
 

diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -573,9 +573,9 @@ func TestVerifyBlob(t *testing.T) {
 					CertIdentity:   identity,
 					CertOidcIssuer: issuer,
 				},
-				IgnoreSCT:      true,
-				CertChain:      chainPath,
-				SkipTlogVerify: tt.skipTlogVerify,
+				IgnoreSCT:  true,
+				CertChain:  chainPath,
+				IgnoreTlog: tt.skipTlogVerify,
 			}
 			blobPath := writeBlobFile(t, td, string(blobBytes), "blob.txt")
 			if tt.signature != "" {

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -137,8 +137,8 @@ type CheckOpts struct {
 	// TSAIntermediateCertificates are the set of intermediates for chain building
 	TSAIntermediateCertificates []*x509.Certificate
 
-	// SkipTlogVerify skip tlog verification
-	SkipTlogVerify bool
+	// IgnoreTlog skip tlog verification
+	IgnoreTlog bool
 }
 
 // This is a substitutable signature verification function that can be used for verifying
@@ -596,7 +596,7 @@ func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash,
 		}
 	}
 
-	if !co.SkipTlogVerify {
+	if !co.IgnoreTlog {
 		bundleVerified, err = VerifyBundle(sig, co)
 		if err != nil {
 			return false, fmt.Errorf("error verifying bundle: %w", err)
@@ -708,6 +708,10 @@ func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash,
 		// if no timestamp has been provided, use the current time
 		if !expirationChecked {
 			if err := CheckExpiry(cert, time.Now()); err != nil {
+				// If certificate is expired and not signed timestamp was provided then error the following message. Otherwise throw an expiration error.
+				if co.IgnoreTlog && acceptableRFC3161Time == nil {
+					return false, &VerificationError{"expected a signed timestamp to verify an expired certificate"}
+				}
 				return false, fmt.Errorf("checking expiry on certificate with bundle: %w", err)
 			}
 		}