Merge pull request #2180 from siretart/fulcio_rekor_stub

Add buildtags to avoid fulcio and rekor dependencies

README.md

@@ -63,6 +63,8 @@ the primary downside is that creating new signatures with the Golang-only implem
 - `containers_image_ostree`: Import `ostree:` transport in `github.com/containers/image/transports/alltransports`. This builds the library requiring the `libostree` development libraries. Otherwise a stub which reports that the transport is not supported gets used. The `github.com/containers/image/ostree` package is completely disabled
 and impossible to import when this build tag is not in use.
 - `containers_image_storage_stub`: Don’t import the `containers-storage:` transport in `github.com/containers/image/transports/alltransports`, to decrease the amount of required dependencies.  Use a stub which reports that the transport is not supported instead.
+- `containers_image_fulcio_stub`: Don't import sigstore/fulcio code, all fulcio operations will return an error code
+- `containers_image_rekor_stub`: Don't import sigstore/reckor code, all rekor operations will return an error code
 
 ## [Contributing](CONTRIBUTING.md)
 

signature/fulcio_cert.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 
 import (

signature/fulcio_cert_stub.go

@@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"errors"
+)
+
+type fulcioTrustRoot struct {
+	caCertificates *x509.CertPool
+	oidcIssuer     string
+	subjectEmail   string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+	return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+	untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+	untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+	return nil, errors.New("fulcio diabled at compile-time")
+
+}

signature/fulcio_cert_test.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 
 import (

signature/internal/rekor_set.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 
 import (

signature/internal/rekor_set_stub.go

@@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+	"crypto/ecdsa"
+	"time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+	return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}

signature/internal/rekor_set_test.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 
 import (

signature/policy_eval_sigstore_test.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 // Policy evaluation for prCosignSigned.
 
 package signature

signature/sigstore/fulcio/fulcio.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package fulcio
 
 import (

signature/sigstore/fulcio/fulcio_stub.go

@@ -0,0 +1,45 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package fulcio
+
+import (
+	"fmt"
+	"io"
+	"net/url"
+
+	"github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
+//
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
+func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}
+
+// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an interactively-obtained OIDC ID token.
+// The token is obtained
+//   - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
+//     to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
+//     either or both may be impossible in a container or a remote VM).
+//   - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
+//
+// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
+func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+	interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		return fmt.Errorf("fulcio disabled at compile time")
+	}
+}

signature/sigstore/rekor/rekor.go

@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package rekor
 
 import (

signature/sigstore/rekor/rekor_stub.go

@@ -0,0 +1,17 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package rekor
+
+import (
+	"fmt"
+	"net/url"
+
+	signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithRekor(rekorURL *url.URL) signerInternal.Option {
+	return func(s *signerInternal.SigstoreSigner) error {
+		return fmt.Errorf("rekor disabled at build time")
+	}
+}