verify: remove SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY test env var for using a key from rekor's API #2362

Merged
merged 2 commits into from
Oct 27, 2022
Merged
10 changes: 4 additions & 6 deletions cmd/cosign/cli/verify/verify_blob.go
Expand Up @@ -333,7 +333,7 @@ func verifyBlob(ctx context.Context, co *cosign.CheckOpts,
return fmt.Errorf("marshalling pubkey: %w", err)
}
}
bundle, err := verifyRekorBundle(ctx, bundle, co.RekorClient, blobBytes, sig, svBytes)
bundle, err := verifyRekorBundle(ctx, bundle, blobBytes, sig, svBytes)
if err != nil {
// Return when the provided bundle fails verification. (Do not fallback).
return err
Expand Down Expand Up @@ -364,7 +364,7 @@ func verifyBlob(ctx context.Context, co *cosign.CheckOpts,
fallthrough
// We are provided a log entry, possibly from above, or search.
case e != nil:
if err := cosign.VerifyTLogEntry(ctx, co.RekorClient, e); err != nil {
if err := cosign.VerifyTLogEntry(ctx, nil, e); err != nil {
return err
}

Expand Down Expand Up @@ -482,15 +482,13 @@ func payloadBytes(blobRef string) ([]byte, error) {
return blobBytes, nil
}

// TODO: RekorClient can be removed when SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
// is removed.
func verifyRekorBundle(ctx context.Context, bundle *bundle.RekorBundle, rekorClient *client.Rekor,
func verifyRekorBundle(ctx context.Context, bundle *bundle.RekorBundle,
blobBytes []byte, sig string, pubKeyBytes []byte) (*bundle.RekorPayload, error) {
if err := verifyBundleMatchesData(ctx, bundle, blobBytes, pubKeyBytes, []byte(sig)); err != nil {
return nil, err
}

publicKeys, err := cosign.GetRekorPubs(ctx, rekorClient)
publicKeys, err := cosign.GetRekorPubs(ctx, nil)
if err != nil {
return nil, fmt.Errorf("retrieving rekor public key: %w", err)
}
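Review bot: verifyRekorBundle in the third hunk is left with no doc comment once the TODO above its signature is dropped, and its contract is now worth stating explicitly: the keys it validates against come only from GetRekorPubs (the TUF root or the SIGSTORE_REKOR_PUBLIC_KEY override, per the comment on GetRekorPubs in tlog.go), never from the Rekor server being queried. Suggest `// verifyRekorBundle checks that bundle corresponds to blobBytes, sig and pubKeyBytes, then validates it against the Rekor public keys trusted via the TUF root (or the SIGSTORE_REKOR_PUBLIC_KEY override); keys are never taken from the Rekor API.` The nil handed to GetRekorPubs is the now-unused Rekor-client argument, and a short marker such as `cosign.GetRekorPubs(ctx, nil /* rekor client unused */)` keeps that obvious at the call site. The body of verifyRekorBundle continues past the end of the hunk.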
13 changes: 3 additions & 10 deletions pkg/cosign/env/env.go
Expand Up @@ -52,10 +52,9 @@ const (
VariableRepository Variable = "COSIGN_REPOSITORY"

// Sigstore environment variables
VariableSigstoreCTLogPublicKeyFile Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
VariableSigstoreRootFile Variable = "SIGSTORE_ROOT_FILE"
VariableSigstoreTrustRekorPublicKey Variable = "SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY"
VariableSigstoreRekorPublicKey Variable = "SIGSTORE_REKOR_PUBLIC_KEY"
VariableSigstoreCTLogPublicKeyFile Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
VariableSigstoreRootFile Variable = "SIGSTORE_ROOT_FILE"
VariableSigstoreRekorPublicKey Variable = "SIGSTORE_REKOR_PUBLIC_KEY"

// Other external environment variables
VariableGitHubToken Variable = "GITHUB_TOKEN" //nolint:gosec
Expand Down Expand Up @@ -114,12 +113,6 @@ var (
Sensitive: false,
External: true,
},
VariableSigstoreTrustRekorPublicKey: {
Description: "if specified, will fetch the Rekor Public Key from the specified Rekor server and add it to RekorPubKeys. This env var is only for testing!",
Expects: "any string to trigger this behavior",
Sensitive: false,
External: true,
},
VariableSigstoreRekorPublicKey: {
Description: "if specified, you can specify an oob Public Key that Rekor uses",
Expects: "path to the public key",
34 changes: 5 additions & 29 deletions pkg/cosign/tlog.go
Expand Up @@ -88,15 +88,10 @@ func intotoEntry(ctx context.Context, signature, pubKey []byte) (models.Proposed

// GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached
// TUF root. If expired, makes a network call to retrieve the updated targets.
// A Rekor client may optionally be provided in case using SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
// (see below).
// There are two Env variable that can be used to override this behaviour:
// SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains
// the Rekor Public Key on local filesystem
// SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY - If specified, fetches the Rekor public
// key from the Rekor server using the provided rekorClient.
// TODO: Rename SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY to be test-only or remove.
func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]RekorPubKey, error) {
func GetRekorPubs(ctx context.Context, _ *client.Rekor) (map[string]RekorPubKey, error) {
publicKeys := make(map[string]RekorPubKey)
altRekorPub := env.Getenv(env.VariableSigstoreRekorPublicKey)

Expand Down Expand Up @@ -136,26 +131,6 @@ func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]Re
}
}

// If we have a Rekor client and we've been told to fetch the Public Key from Rekor,
// additionally fetch it here.
addRekorPublic := env.Getenv(env.VariableSigstoreTrustRekorPublicKey)
if addRekorPublic != "" && rekorClient != nil {
fmt.Fprintf(os.Stderr, "**Warning ('%s' is only for testing)** Fetching public key from Rekor API directly\n", env.VariableSigstoreTrustRekorPublicKey.String())
pubOK, err := rekorClient.Pubkey.GetPublicKey(nil)
if err != nil {
return nil, fmt.Errorf("unable to fetch rekor public key from rekor: %w", err)
}
pubFromAPI, err := PemToECDSAKey([]byte(pubOK.Payload))
if err != nil {
return nil, fmt.Errorf("error converting rekor PEM public key from rekor to ECDSAKey: %w", err)
}
keyID, err := getLogID(pubFromAPI)
if err != nil {
return nil, fmt.Errorf("error generating log ID: %w", err)
}
publicKeys[keyID] = RekorPubKey{PubKey: pubFromAPI, Status: tuf.Active}
}

if len(publicKeys) == 0 {
return nil, errors.New("none of the Rekor public keys have been found")
}
Expand Down Expand Up @@ -199,7 +174,7 @@ func doUpload(ctx context.Context, rekorClient *client.Rekor, pe models.Proposed
if err != nil {
return nil, err
}
return e, VerifyTLogEntry(ctx, rekorClient, e)
return e, VerifyTLogEntry(ctx, nil, e)
}
return nil, err
}
Expand Down Expand Up @@ -428,7 +403,8 @@ func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, pa
}

// VerityTLogEntry verifies a TLog entry.
func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.LogEntryAnon) error {
// The argument *client.Rekor is unused and may be nil.
func VerifyTLogEntry(ctx context.Context, _ *client.Rekor, e *models.LogEntryAnon) error {
if e.Verification == nil || e.Verification.InclusionProof == nil {
return errors.New("inclusion proof not provided")
}
Expand Down Expand Up @@ -460,7 +436,7 @@ func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.L
LogID: *e.LogID,
}

rekorPubKeys, err := GetRekorPubs(ctx, rekorClient)
rekorPubKeys, err := GetRekorPubs(ctx, nil)
if err != nil {
return fmt.Errorf("unable to fetch Rekor public keys: %w", err)
}
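Review bot: The doc comment on GetRekorPubs in the first hunk still reads `// There are two Env variable that can be used to override this behaviour:` although only SIGSTORE_REKOR_PUBLIC_KEY remains listed once the SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY lines are removed; change it to `// One environment variable can be used to override this behaviour:`. It is also worth recording in that comment why the API path is gone, since the removed code only warned it was for testing, e.g. `// Keys are deliberately never fetched from the Rekor server itself: a key served by the log under verification is not a trust anchor.` Separately, the comment above VerifyTLogEntry in the last-but-one hunk says `// VerityTLogEntry verifies a TLog entry.`; Go doc comments should begin with the identifier, so `// VerifyTLogEntry verifies a TLog entry.` The body of GetRekorPubs spans beyond the hunks shown.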
4 changes: 2 additions & 2 deletions pkg/cosign/verify.go
Expand Up @@ -447,7 +447,7 @@ func tlogValidateEntry(ctx context.Context, client *client.Rekor, sig oci.Signat
entryVerificationErrs := make([]string, 0)
for _, e := range tlogEntries {
entry := e
if err := VerifyTLogEntry(ctx, client, &entry); err != nil {
if err := VerifyTLogEntry(ctx, nil, &entry); err != nil {
entryVerificationErrs = append(entryVerificationErrs, err.Error())
continue
}
Expand Down Expand Up @@ -885,7 +885,7 @@ func VerifyBundle(ctx context.Context, sig oci.Signature, rekorClient *client.Re
return false, err
}

publicKeys, err := GetRekorPubs(ctx, rekorClient)
publicKeys, err := GetRekorPubs(ctx, nil)
if err != nil {
return false, fmt.Errorf("retrieving rekor public key: %w", err)
}
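Review bot: In tlogValidateEntry the parameter `client *client.Rekor` shadows the imported `client` package for the whole function body, as the hunk header shows; renaming it `rekorClient *client.Rekor`, which VerifyBundle in the second hunk already uses, keeps the package name usable and the two signatures consistent. If rekorClient is no longer referenced anywhere in VerifyBundle after this change (the rest of its body is outside the hunk), name it `_` so readers do not assume the network client still takes part in key retrieval. Both functions start and end outside the hunks shown.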