add --ca-roots and --ca-intermediates flags to 'cosign verify'

[dmitris]

Summary

Add new --ca-roots and --ca-intermediates flags to allow pass a certificate bundle PEM file with multiple CA roots and optionally a file with the intermediate certificates. Related to issue #3462. Current commit adds the two flags to verify the CLI options. There is a new functional test file test/e2e_tsa_certbundle.sh for the new flags to cosign verify.

Release Note

• New features and improvements, including behavioural changes, UI changes and CLI changes
  added --ca-roots and --ca-intermediates flags to take a certificate bundle PEM file with one or multiple CA roots and optionally a PEM file with intermediate certificates. Both flags are exclusive with --certificate-chain.

Documentation

sigstore/docs#291

[codecov]

Codecov Report

Attention: Patch coverage is 6.89655% with 54 lines in your changes missing coverage. Please review.

Project coverage is 36.44%. Comparing base (2ef6022) to head (f1be17d).
Report is 139 commits behind head on main.

Files	Patch %	Lines
cmd/cosign/cli/verify/verify.go	0.00%	38 Missing ⚠️
cmd/cosign/cli/options/certificate.go	0.00%	14 Missing ⚠️
cmd/cosign/cli/verify.go	66.66%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3464      +/-   ##
==========================================
- Coverage   40.10%   36.44%   -3.66%     
==========================================
  Files         155      200      +45     
  Lines       10044    12282    +2238     
==========================================
+ Hits         4028     4476     +448     
- Misses       5530     7260    +1730     
- Partials      486      546      +60     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft?

[dmitris]

@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft?

I was waiting for the initial feedback - I think I have it now (in #3462), thanks! - I'll try to add the unit tests shortly and mark it as "ready to review".

[dmitris]

@haydentherapper marked as "ready for review" now. I thought about adding unit tests - but I believe the current implementation with the "big" VerifyCommand.Exec() method https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L85-L316 doesn't make it easy to cover that code with unit tests, could be a good idea to refactor and split that. I added a new functional test test/e2e_tsa_certbundle.sh modelled after and expanding on the test/e2e_tsa_mtls.sh code - it works with the PR code and (unsurprisingly) fails with the trunk version (since it tests the newly added --ca-roots command-line flag). We also are running this version internally in some CI pipelines.

[haydentherapper]

Given this is a more sensitive change, cc'ing a few others for thoughts - @woodruffw @kommendorkapten PTAL.

[haydentherapper]

Given this is only used in one place, can we just call ValidateAndUnpackCert directly? I believe if no roots are provided, verification will fail so we don't need an explicit check, though it would be good to have a unit test to confirm.

[dmitris]

[FYI] I tried to "combine" the two functions but was getting test failures with cosign attach flows - likely I have missed some code paths. Backed up to the state that you reviewed for now to get into the green build zone - will try again "with smaller steps."

[dmitris]

I got rid of the "special" function ValidateAndUnpackCertWithCertPools in 44e0ff5.
Do you think I should remove this check?
https://github.com/sigstore/cosign/pull/3464/files#diff-fc9a26a4caa1d8684a4bdd9102f187f44e1f7fce7c06a19f4185035f13317cc8R296-R298

                               if co.RootCerts == nil {
                                       return errors.New("no CA roots provided to validate certificate")
                               }

I would think it can be good to fail earlier with possibly more explicit error what have gone wrong, to make for easier troubleshooting (if it ever gets triggered). Let me know if you prefer this yanked @haydentherapper. I will also look into adding or expanding the unit tests, as you mentioned above.

[haydentherapper]

@dmitris, thanks for pushing this through. This looks good, and from comparing to the last review, reusing ValidateAndUnpackCert keeps this much cleaner. And the tests look great. I pointed out a few duplicate tests that are in another e2e_test file, can they be removed?

Can you add the duplicated CLI options for verify-blob, verify-attestation, and verify-blob-attestation now?

[haydentherapper]

Sorry for raising this issue back up, but to summarize how I'm looking at this:

• We know --trusted-root is the route we eventually want to take. We are slowly adding sigstore-go dependencies in Cosign. Once we add support for trusted-root, we will deprecate all other options for providing trust root information, including the one proposed here. With that said, deprecation will take time.
• The current trust root spec supports chains rather than pools, as noted in this issue. We need to add support for pools to match this PR.

I'm fine moving forward with this because it unblocks @dmitris's use-case. While it is adding more complexity around how roots are provided, there are already a number of ways that adding one more doesn't add much more complexity. We should concurrently discuss moving sigstore/protobuf-specs#249 forward.

[haydentherapper]

Chatted offline with @dmitris who will follow up in a second PR with the updates to the other verify-* commands.