Allow cosigned to validate Fulcio signatures. (#867)

This change makes it so that when `cosigned` is enabled on a namespace, and no public key is provided the webhook will verify things against the Fulcio root. The basic idea here is that this roughly matches the CLI where omitting the key will verify things against the Fulcio root instead. Related: #866 Signed-off-by: Matt Moore <mattomata@gmail.com>
sigstore · Oct 11, 2021 · 2ba1605 · 2ba1605
1 parent b0408bf
commit 2ba1605
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 17 deletions.
diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -175,9 +175,6 @@ jobs:
       run: |
         ko apply -Bf config/
 
-        # Update the cosign verification-key secret with a proper key pair.
-        cosign generate-key-pair k8s://cosign-system/verification-key
-
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
     

diff --git a/pkg/cosign/kubernetes/webhook/validation.go b/pkg/cosign/kubernetes/webhook/validation.go
@@ -34,8 +34,26 @@ import (
 )
 
 func valid(ctx context.Context, ref name.Reference, keys []*ecdsa.PublicKey) bool {
+	if len(keys) == 0 {
+		// If there are no keys, then verify against the fulcio root.
+		sps, err := validSignatures(ctx, ref, nil /* verifier */)
+		if err != nil {
+			logging.FromContext(ctx).Errorf("error validating signatures: %v", err)
+			return false
+		}
+		if len(sps) > 0 {
+			return true
+		}
+		return false
+	}
 	for _, k := range keys {
-		sps, err := validSignatures(ctx, ref, k)
+		verifier, err := signature.LoadECDSAVerifier(k, crypto.SHA256)
+		if err != nil {
+			logging.FromContext(ctx).Errorf("error creating verifier: %v", err)
+			return false
+		}
+
+		sps, err := validSignatures(ctx, ref, verifier)
 		if err != nil {
 			logging.FromContext(ctx).Errorf("error validating signatures: %v", err)
 			return false
@@ -51,15 +69,10 @@ func valid(ctx context.Context, ref name.Reference, keys []*ecdsa.PublicKey) boo
 // For testing
 var cosignVerifySignatures = cosign.VerifySignatures
 
-func validSignatures(ctx context.Context, ref name.Reference, key *ecdsa.PublicKey) ([]oci.Signature, error) {
-	ecdsaVerifier, err := signature.LoadECDSAVerifier(key, crypto.SHA256)
-	if err != nil {
-		return nil, err
-	}
-
+func validSignatures(ctx context.Context, ref name.Reference, verifier signature.Verifier) ([]oci.Signature, error) {
 	sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
 		RootCerts:     fulcioroots.Get(),
-		SigVerifier:   ecdsaVerifier,
+		SigVerifier:   verifier,
 		ClaimVerifier: cosign.SimpleClaimVerifier,
 	})
 	return sigs, err

diff --git a/pkg/cosign/kubernetes/webhook/validator_test.go b/pkg/cosign/kubernetes/webhook/validator_test.go
@@ -212,12 +212,7 @@ func TestValidateCronJob(t *testing.T) {
 			Name:      secretName,
 		},
 		Data: map[string][]byte{
-			// Random public key (cosign generate-key-pair) 2021-09-25
-			"cosign.pub": []byte(`-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEapTW568kniCbL0OXBFIhuhOboeox
-UoJou2P8sbDxpLiE/v3yLw1/jyOrCPWYHWFXnyyeGlkgSVefG54tNoK7Uw==
------END PUBLIC KEY-----
-`),
+			// No data should make us verify against Fulcio.
 		},
 	})
 

diff --git a/test/e2e_test_cosigned.sh b/test/e2e_test_cosigned.sh
@@ -30,6 +30,21 @@ spec:
   - name: sample
     image: $KO_DOCKER_REPO/sample
 EOF
+cat > distroless-pod.yaml <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  generateName: pod-test-
+spec:
+  restartPolicy: Never
+  containers:
+  - name: sample
+    image: gcr.io/distroless/base:debug
+    command: [/busybox/sh, -c]
+    args:
+    - |
+      echo Testing Fulcio verification
+EOF
 cat > job.yaml <<EOF
 apiVersion: batch/v1
 kind: Job
@@ -62,6 +77,29 @@ EOF
 echo '::endgroup::'
 
 
+echo '::group:: enable verification'
+kubectl label namespace default --overwrite cosigned.sigstore.dev/include=true
+echo '::endgroup::'
+
+
+echo '::group:: test pod success (Fulcio root)'
+# This time it should succeed!
+if ! kubectl create -f distroless-pod.yaml ; then
+  echo Failed to create Pod signed by Fulcio!
+  exit 1
+else
+  echo Successfully created Pod signed by Fulcio.
+fi
+echo '::endgroup::'
+
+
+echo '::group:: setup verification-key'
+# Update the cosign verification-key secret with a proper key pair.
+cosign generate-key-pair k8s://cosign-system/verification-key
+echo '::endgroup::'
+
+
+
 echo '::group:: disable verification'
 kubectl label namespace default --overwrite cosigned.sigstore.dev/include=false
 echo '::endgroup::'