Make the DSSE wrapped private. (#966)

This consolidates the logic where we wrap the verifier in a DSSE wrapper into `Verify` (previously it was half/half based on whether we were doing keyless verification). This is a good example of why we should split the Signature/Attestation types, and VerifySignature/Attestation methods. Signed-off-by: Matt Moore <mattomata@gmail.com>
sigstore · Oct 29, 2021 · 7957228 · 7957228
1 parent 0bf537f
commit 7957228
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 12 deletions.
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -35,7 +35,6 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/cue"
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	sigs "github.com/sigstore/cosign/pkg/signature"
-	"github.com/sigstore/sigstore/pkg/signature"
 )
 
 // VerifyAttestationCommand verifies a signature on a supplied container image
@@ -80,9 +79,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 	keyRef := c.KeyRef
 
 	// Keys are optional!
-	var pubKey signature.Verifier
 	if keyRef != "" {
-		pubKey, err = sigs.PublicKeyFromKeyRef(ctx, keyRef)
+		co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, keyRef)
 		if err != nil {
 			return errors.Wrap(err, "loading public key")
 		}
@@ -92,17 +90,11 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 			return errors.Wrap(err, "opening piv token")
 		}
 		defer sk.Close()
-		pubKey, err = sk.Verifier()
+		co.SigVerifier, err = sk.Verifier()
 		if err != nil {
 			return errors.Wrap(err, "initializing piv token verifier")
 		}
 	}
-	if pubKey != nil {
-		// TODO(vaikas): Should this be private and cosign just figures out
-		// how to wrap things. This would mean we need to pass more context, so
-		// just making it like this for now.
-		co.SigVerifier = cosign.NewReverseDSSEVerifier(pubKey)
-	}
 
 	for _, imageRef := range images {
 		ref, err := name.ParseReference(imageRef)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -74,7 +74,7 @@ type reverseDSSEVerifier struct {
 	signature.Verifier
 }
 
-func NewReverseDSSEVerifier(v signature.Verifier) signature.Verifier {
+func newReverseDSSEVerifier(v signature.Verifier) signature.Verifier {
 	return &reverseDSSEVerifier{
 		Verifier: dsse.WrapVerifier(v),
 	}
@@ -164,6 +164,14 @@ func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor,
 				if err != nil {
 					return err
 				}
+
+				// The fact that there's no signature (or empty rather), implies
+				// that this is an Attestation that we're verifying. So, we need
+				// to construct a Verifier that grabs the signature from the
+				// payload instead of the Signatures annotations.
+				if len(signature) == 0 {
+					co.SigVerifier = newReverseDSSEVerifier(co.SigVerifier)
+				}
 				if err := co.SigVerifier.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx)); err != nil {
 					return err
 				}
@@ -193,7 +201,7 @@ func Verify(ctx context.Context, signedImgRef name.Reference, accessor Accessor,
 				// to construct a Verifier that grabs the signature from the
 				// payload instead of the Signatures annotations.
 				if len(signature) == 0 {
-					pub = NewReverseDSSEVerifier(pub)
+					pub = newReverseDSSEVerifier(pub)
 				}
 				if err := pub.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx)); err != nil {
 					return err