verify-blob can't verify DSSE blobs with COSIGN_EXPERIMENTAL #2138

Open
wlynch opened this issue Aug 5, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@wlynch
Member

wlynch commented Aug 5, 2022

Description

@eddiezane and I stumbled on this today - verify-blob has logic for handling DSSE messages

// Use the DSSE verifier if the payload is a DSSE with the In-Toto format.
if isIntotoDSSE(blobBytes) {
	verifier = dsse.WrapVerifier(verifier)
}

but when this is combined with COSIGN_EXPERIMENTAL, it fails:

$ cat test.json.sig 
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiIiLCJzdWJqZWN0IjpbeyJuYW1lIjoiIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjVmMzY0OTgwZjc0NDAwZjg3NzNmODJjZjU4ZWM3ODQ0YTExZDI3Y2YifX1dLCJwcmVkaWNhdGUiOnsibmFtZSI6InVuaXQtdGVzdC0xIiwic3RhdHVzIjoic3VjY2VzcyJ9fQ==","signatures":[{"keyid":"","sig":"MEUCIEha6COOH9fAeqZE36P2nlpmT5dmN/DQdi6ffhdEI5s1AiEAlVTKIYxPAQLxbTUBjOIdFJLzkLf9wgSGH2VuTdx4k9U="}]}

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature test.json.sig test.json.sig --cert=<(rekor-cli get --log-index 3121421 --format json | jq -r .Body.IntotoObj.publicKey | base64 -d)
Error: verifying blob [test.json.sig]: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest  &{Code:400 Message:verifying signature: failed to verify signature: %!w(<nil>)}
main.go:62: error during command execution: verifying blob [test.json.sig]: searching log query: [POST /api/v1/log/entries/retrieve][400] searchLogQueryBadRequest  &{Code:400 Message:verifying signature: failed to verify signature: %!w(<nil>)}

$ cosign verify-blob --signature test.json.sig test.json.sig --cert=<(rekor-cli get --log-index 3121421 --format json | jq -r .Body.IntotoObj.publicKey | base64 -d)
Verified OK

We think the root cause is that verify-blob is expecting a blob + signature (because by default it's expecting raw bytes, not a DSSE envelope), so when it tries to look up the rekor entry it fails, because the check of whether to look up by HashedRekord or Intoto depends on whether a signature is present (it assumes a signature for DSSE is not needed because it's in the message itself):

cosign/pkg/cosign/tlog.go

Lines 289 to 303 in 128f8fb

if len(signature) == 0 {
	te := intotoEntry(payload, pubKey)
	entry := &models.Intoto{
		APIVersion: swag.String(te.APIVersion()),
		Spec:       te.IntotoObj,
	}
	proposedEntry = []models.ProposedEntry{entry}
} else {
	re := rekorEntry(payload, signature, pubKey)
	entry := &models.Hashedrekord{
		APIVersion: swag.String(re.APIVersion()),
		Spec:       re.HashedRekordObj,
	}
	proposedEntry = []models.ProposedEntry{entry}
}

however, verify-blob requires --signature, which means you can't query by intoto:

$ cosign verify-blob test.json.sig --cert=<(rekor-cli get --log-index 3121421 --format json | jq -r .Body.IntotoObj.publicKey | base64 -d) 
Error: verifying blob [test.json.sig]: missing flag '--signature'
main.go:62: error during command execution: verifying blob [test.json.sig]: missing flag '--signature'

We can't use verify-attestation, since that is assuming there's an OCI image (I'm just trying to verify a raw DSSE envelope signed via keyless signing).

One thing that was a bit surprising was that verify-blob had any kind of special casing for DSSE at all. Maybe it would be worth breaking this up into a separate verify-dsse subcommand, or let verify-attestation act on direct messages instead of requiring OCI?

Version

128f8fb

@wlynch wlynch added the bug Something isn't working label Aug 5, 2022
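The two code fragments quoted in the report (the DSSE detection in verify-blob and the entry-type branch in tlog.go) interact to produce the failure. The following Go program is an added illustration, not cosign's code: it re-implements a minimal `isIntotoDSSE` check, mirrors the `len(signature) == 0` branch as `tlogEntryKind`, and shows a DSSE-aware decision (`dsseAwareEntryKind`, an illustrative alternative, not a cosign patch) that would pick the intoto entry type regardless of the `--signature` flag. The envelope is the `test.json.sig` from the report; the struct types and function names are assumptions made here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Hypothetical envelope type with the three fields of a DSSE envelope JSON body.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// In-toto Statement fields of interest once the payload is decoded.
type intotoStatement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate map[string]string `json:"predicate"`
}

const intotoPayloadType = "application/vnd.in-toto+json"

// isIntotoDSSE re-creates the detection step quoted in the issue: the blob counts as an
// in-toto DSSE envelope when it parses as an envelope with the in-toto payload type and
// carries at least one signature. (Illustrative re-implementation, not cosign's own.)
func isIntotoDSSE(blob []byte) bool {
	var env dsseEnvelope
	if err := json.Unmarshal(blob, &env); err != nil {
		return false
	}
	return env.PayloadType == intotoPayloadType && len(env.Signatures) > 0
}

// decodeStatement base64-decodes the envelope payload and parses the in-toto Statement.
func decodeStatement(blob []byte) (*intotoStatement, error) {
	var env dsseEnvelope
	if err := json.Unmarshal(blob, &env); err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	var st intotoStatement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, err
	}
	return &st, nil
}

// tlogEntryKind mirrors the tlog.go branch quoted in the issue: an empty detached
// signature selects an intoto entry, anything else a hashedrekord entry.
func tlogEntryKind(signature []byte) string {
	if len(signature) == 0 {
		return "intoto"
	}
	return "hashedrekord"
}

// dsseAwareEntryKind is the decision the reported scenario needs: once the blob is itself
// a DSSE envelope, the detached signature is irrelevant and the Rekor lookup must use the
// intoto entry type. (Illustrative alternative, not a cosign change.)
func dsseAwareEntryKind(blob, signature []byte) string {
	if isIntotoDSSE(blob) {
		return "intoto"
	}
	return tlogEntryKind(signature)
}

// Envelope copied from the issue report (test.json.sig).
const issueEnvelope = `{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiIiLCJzdWJqZWN0IjpbeyJuYW1lIjoiIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjVmMzY0OTgwZjc0NDAwZjg3NzNmODJjZjU4ZWM3ODQ0YTExZDI3Y2YifX1dLCJwcmVkaWNhdGUiOnsibmFtZSI6InVuaXQtdGVzdC0xIiwic3RhdHVzIjoic3VjY2VzcyJ9fQ==","signatures":[{"keyid":"","sig":"MEUCIEha6COOH9fAeqZE36P2nlpmT5dmN/DQdi6ffhdEI5s1AiEAlVTKIYxPAQLxbTUBjOIdFJLzkLf9wgSGH2VuTdx4k9U="}]}`

func main() {
	blob := []byte(issueEnvelope)
	fmt.Println("isIntotoDSSE:", isIntotoDSSE(blob))
	// verify-blob requires --signature; passing the envelope as the signature too, as in
	// the report, makes the quoted branch choose hashedrekord and the Rekor search fails.
	fmt.Println("tlog.go branch, envelope passed as signature:", tlogEntryKind(blob))
	fmt.Println("DSSE-aware decision:", dsseAwareEntryKind(blob, blob))
	st, err := decodeStatement(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("statement %s predicate=%v digest=%v\n", st.Type, st.Predicate, st.Subject[0].Digest)
}
```

Run with `go run main.go`: the envelope is detected as in-toto DSSE, the quoted branch picks `hashedrekord` as soon as any `--signature` value is present, and the DSSE-aware variant picks `intoto` for the same input, which is the entry type the `rekor-cli get --log-index` call in the report shows the entry was actually uploaded as.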
@haydentherapper
Contributor

cc @asraa

@asraa
Contributor

asraa commented Oct 19, 2022

I think this will be addressed in verify-blob-attestation, given that there's an attest-blob separate command. @priyawadhwa
