polish up cosign verify for hauler store sync
Signed-off-by: Adam Martin <adam.martin@rancherfederal.com>
amartin120 committed Oct 12, 2023
1 parent 356c46f commit f2b0c44
Showing 4 changed files with 20 additions and 8 deletions.
18 changes: 13 additions & 5 deletions cmd/hauler/cli/store/sync.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/spf13/cobra"
"helm.sh/helm/v3/pkg/action"
"k8s.io/apimachinery/pkg/util/yaml"
"github.com/mitchellh/go-homedir"

"github.com/rancherfederal/hauler/pkg/store"

Expand All @@ -32,7 +33,7 @@ func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
f := cmd.Flags()

f.StringSliceVarP(&o.ContentFiles, "files", "f", []string{}, "Path to content files")
f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for digital signature verification")
f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for image signature verification")
}

func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
Expand Down Expand Up @@ -99,15 +100,22 @@ func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
for _, i := range cfg.Spec.Images {

// Check if the user provided a key.
if o.Key != "" {
if o.Key != "" || i.Key != "" {
key := o.Key
if i.Key != "" {
key, err = homedir.Expand(i.Key)
}
l.Debugf("key for image [%s]", key)

// verify signature using the provided key.
err := cosign.VerifySignature(ctx, s, o.Key, i.Name)
err := cosign.VerifySignature(ctx, s, key, i.Name)
if err != nil {
return err
l.Errorf("signature verification failed for image [%s]. ** hauler will skip adding this image to the store **:\n%v", i.Name, err)
continue
}
l.Infof("signature verified for image [%s]", i.Name)
}

err = storeImage(ctx, s, i)
if err != nil {
return err
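Review bot: The error from `homedir.Expand(i.Key)` on the line `key, err = homedir.Expand(i.Key)` is never checked, so a failed expansion is silently dropped and the verify call below proceeds with whatever value Expand returned before the outer `err` is shadowed again. Add the check directly after the assignment, `if err != nil { return err }`, or log and `continue` if a bad per-image key path should not abort the whole sync, matching the verification-failure branch that follows. The `:=` on `err := cosign.VerifySignature(ctx, s, key, i.Name)` shadows the outer `err` and predates this commit, but since the block now assigns that outer `err` a few lines earlier it is worth changing to `=`. With the new log-and-continue behaviour a sync whose images all fail verification still returns nil, so if callers rely on the exit status it may be worth collecting the skipped image names and returning an aggregate error at the end. SyncCmd starts and ends outside the hunk.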
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -10,6 +10,7 @@ require (
github.com/gorilla/handlers v1.5.1
github.com/gorilla/mux v1.8.0
github.com/mholt/archiver/v3 v3.5.1
github.com/mitchellh/go-homedir v1.1.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0-rc5
github.com/pkg/errors v0.9.1
Expand Down Expand Up @@ -100,7 +101,6 @@ require (
github.com/mattn/go-runewidth v0.0.9 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect
4 changes: 4 additions & 0 deletions pkg/apis/hauler.cattle.io/v1alpha1/image.go
Expand Up @@ -20,4 +20,8 @@ type ImageSpec struct {
type Image struct {
// Name is the full location for the image, can be referenced by tags or digests
Name string `json:"name"`

// Path is the path to the cosign public key used for verifying image signatures
//Key string `json:"key,omitempty"`
Key string `json:"key"`
}
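Review bot: The doc comment on the new field begins with `Path` while the field is named `Key`, and the commented-out alternative declaration on the line directly above the field is left behind in the struct. Replace the two lines with `// Key is the optional path to the cosign public key used to verify this image's signature.` followed by the `Key` field declaration, dropping the commented-out copy. Judging by the sync.go hunk in this commit, a per-image Key takes precedence over the --key flag, which is worth stating in that comment so readers of the API type know which key wins. Whether the tag should carry omitempty is a choice the commit leaves open; without it a marshalled Image always emits an empty "key" value, which only matters if the type is serialized back out.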
4 changes: 2 additions & 2 deletions pkg/cosign/cosign.go
Expand Up @@ -54,7 +54,7 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string) error {
return err
}

// Command to verify the signature using Cosign.
// Command to save/download an image using Cosign.
cmd := exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root)

// Run the command and capture its output.
Expand All @@ -75,7 +75,7 @@ func LoadImage(ctx context.Context, s *store.Layout, registry string, ropts cont
return err
}

// Command to verify the signature using Cosign.
// Command to upload index to a remote registry using Cosign.
cmd := exec.Command(cosignBinaryPath, "load", "--registry", registry, "--dir", s.Root)

// Conditionally add extra registry flags.
