verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for u…

…sing a key from rekor's API (#2362) * verify: using a key from a rekor instance is not needed Signed-off-by: Asra Ali <asraa@google.com>
sigstore · Oct 27, 2022 · ca0959a · ca0959a
1 parent b603117
commit ca0959a
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 47 deletions.
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -333,7 +333,7 @@ func verifyBlob(ctx context.Context, co *cosign.CheckOpts,
 				return fmt.Errorf("marshalling pubkey: %w", err)
 			}
 		}
-		bundle, err := verifyRekorBundle(ctx, bundle, co.RekorClient, blobBytes, sig, svBytes)
+		bundle, err := verifyRekorBundle(ctx, bundle, blobBytes, sig, svBytes)
 		if err != nil {
 			// Return when the provided bundle fails verification. (Do not fallback).
 			return err
@@ -364,7 +364,7 @@ func verifyBlob(ctx context.Context, co *cosign.CheckOpts,
 		fallthrough
 	// We are provided a log entry, possibly from above, or search.
 	case e != nil:
-		if err := cosign.VerifyTLogEntry(ctx, co.RekorClient, e); err != nil {
+		if err := cosign.VerifyTLogEntry(ctx, nil, e); err != nil {
 			return err
 		}
 
@@ -482,15 +482,13 @@ func payloadBytes(blobRef string) ([]byte, error) {
 	return blobBytes, nil
 }
 
-// TODO: RekorClient can be removed when SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
-// is removed.
-func verifyRekorBundle(ctx context.Context, bundle *bundle.RekorBundle, rekorClient *client.Rekor,
+func verifyRekorBundle(ctx context.Context, bundle *bundle.RekorBundle,
 	blobBytes []byte, sig string, pubKeyBytes []byte) (*bundle.RekorPayload, error) {
 	if err := verifyBundleMatchesData(ctx, bundle, blobBytes, pubKeyBytes, []byte(sig)); err != nil {
 		return nil, err
 	}
 
-	publicKeys, err := cosign.GetRekorPubs(ctx, rekorClient)
+	publicKeys, err := cosign.GetRekorPubs(ctx, nil)
 	if err != nil {
 		return nil, fmt.Errorf("retrieving rekor public key: %w", err)
 	}

diff --git a/pkg/cosign/env/env.go b/pkg/cosign/env/env.go
@@ -52,10 +52,9 @@ const (
 	VariableRepository       Variable = "COSIGN_REPOSITORY"
 
 	// Sigstore environment variables
-	VariableSigstoreCTLogPublicKeyFile  Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
-	VariableSigstoreRootFile            Variable = "SIGSTORE_ROOT_FILE"
-	VariableSigstoreTrustRekorPublicKey Variable = "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY"
-	VariableSigstoreRekorPublicKey      Variable = "SIGSTORE_REKOR_PUBLIC_KEY"
+	VariableSigstoreCTLogPublicKeyFile Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
+	VariableSigstoreRootFile           Variable = "SIGSTORE_ROOT_FILE"
+	VariableSigstoreRekorPublicKey     Variable = "SIGSTORE_REKOR_PUBLIC_KEY"
 
 	// Other external environment variables
 	VariableGitHubToken              Variable = "GITHUB_TOKEN" //nolint:gosec
@@ -114,12 +113,6 @@ var (
 			Sensitive:   false,
 			External:    true,
 		},
-		VariableSigstoreTrustRekorPublicKey: {
-			Description: "if specified, will fetch the Rekor Public Key from the specified Rekor server and add it to RekorPubKeys. This env var is only for testing!",
-			Expects:     "any string to trigger this behavior",
-			Sensitive:   false,
-			External:    true,
-		},
 		VariableSigstoreRekorPublicKey: {
 			Description: "if specified, you can specify an oob Public Key that Rekor uses",
 			Expects:     "path to the public key",

diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
@@ -88,15 +88,10 @@ func intotoEntry(ctx context.Context, signature, pubKey []byte) (models.Proposed
 
 // GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached
 // TUF root. If expired, makes a network call to retrieve the updated targets.
-// A Rekor client may optionally be provided in case using SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
-// (see below).
 // There are two Env variable that can be used to override this behaviour:
 // SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains
 // the Rekor Public Key on local filesystem
-// SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY - If specified, fetches the Rekor public
-// key from the Rekor server using the provided rekorClient.
-// TODO: Rename SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY to be test-only or remove.
-func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]RekorPubKey, error) {
+func GetRekorPubs(ctx context.Context, _ *client.Rekor) (map[string]RekorPubKey, error) {
 	publicKeys := make(map[string]RekorPubKey)
 	altRekorPub := env.Getenv(env.VariableSigstoreRekorPublicKey)
 
@@ -136,26 +131,6 @@ func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]Re
 		}
 	}
 
-	// If we have a Rekor client and we've been told to fetch the Public Key from Rekor,
-	// additionally fetch it here.
-	addRekorPublic := env.Getenv(env.VariableSigstoreTrustRekorPublicKey)
-	if addRekorPublic != "" && rekorClient != nil {
-		fmt.Fprintf(os.Stderr, "**Warning ('%s' is only for testing)** Fetching public key from Rekor API directly\n", env.VariableSigstoreTrustRekorPublicKey.String())
-		pubOK, err := rekorClient.Pubkey.GetPublicKey(nil)
-		if err != nil {
-			return nil, fmt.Errorf("unable to fetch rekor public key from rekor: %w", err)
-		}
-		pubFromAPI, err := PemToECDSAKey([]byte(pubOK.Payload))
-		if err != nil {
-			return nil, fmt.Errorf("error converting rekor PEM public key from rekor to ECDSAKey: %w", err)
-		}
-		keyID, err := getLogID(pubFromAPI)
-		if err != nil {
-			return nil, fmt.Errorf("error generating log ID: %w", err)
-		}
-		publicKeys[keyID] = RekorPubKey{PubKey: pubFromAPI, Status: tuf.Active}
-	}
-
 	if len(publicKeys) == 0 {
 		return nil, errors.New("none of the Rekor public keys have been found")
 	}
@@ -199,7 +174,7 @@ func doUpload(ctx context.Context, rekorClient *client.Rekor, pe models.Proposed
 			if err != nil {
 				return nil, err
 			}
-			return e, VerifyTLogEntry(ctx, rekorClient, e)
+			return e, VerifyTLogEntry(ctx, nil, e)
 		}
 		return nil, err
 	}
@@ -428,7 +403,8 @@ func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, pa
 }
 
 // VerityTLogEntry verifies a TLog entry.
-func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.LogEntryAnon) error {
+// The argument *client.Rekor is unused and may be nil.
+func VerifyTLogEntry(ctx context.Context, _ *client.Rekor, e *models.LogEntryAnon) error {
 	if e.Verification == nil || e.Verification.InclusionProof == nil {
 		return errors.New("inclusion proof not provided")
 	}
@@ -460,7 +436,7 @@ func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.L
 		LogID:          *e.LogID,
 	}
 
-	rekorPubKeys, err := GetRekorPubs(ctx, rekorClient)
+	rekorPubKeys, err := GetRekorPubs(ctx, nil)
 	if err != nil {
 		return fmt.Errorf("unable to fetch Rekor public keys: %w", err)
 	}

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -447,7 +447,7 @@ func tlogValidateEntry(ctx context.Context, client *client.Rekor, sig oci.Signat
 	entryVerificationErrs := make([]string, 0)
 	for _, e := range tlogEntries {
 		entry := e
-		if err := VerifyTLogEntry(ctx, client, &entry); err != nil {
+		if err := VerifyTLogEntry(ctx, nil, &entry); err != nil {
 			entryVerificationErrs = append(entryVerificationErrs, err.Error())
 			continue
 		}
@@ -885,7 +885,7 @@ func VerifyBundle(ctx context.Context, sig oci.Signature, rekorClient *client.Re
 		return false, err
 	}
 
-	publicKeys, err := GetRekorPubs(ctx, rekorClient)
+	publicKeys, err := GetRekorPubs(ctx, nil)
 	if err != nil {
 		return false, fmt.Errorf("retrieving rekor public key: %w", err)
 	}