From f2b0c44af3a35e4b4d0c7bd1f15c215ed871c193 Mon Sep 17 00:00:00 2001
From: Adam Martin
Date: Thu, 12 Oct 2023 12:05:35 -0400
Subject: [PATCH] polish up cosign verify for hauler store sync
Signed-off-by: Adam Martin
---
 cmd/hauler/cli/store/sync.go | 18 +++++++++++++-----
 go.mod | 2 +-
 pkg/apis/hauler.cattle.io/v1alpha1/image.go | 4 ++++
 pkg/cosign/cosign.go | 4 ++--
 4 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/cmd/hauler/cli/store/sync.go b/cmd/hauler/cli/store/sync.go
index b8b9044e..7f90b345 100644
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -10,6 +10,7 @@ import (
 "github.com/spf13/cobra"
 "helm.sh/helm/v3/pkg/action"
 "k8s.io/apimachinery/pkg/util/yaml"
+ "github.com/mitchellh/go-homedir"
 "github.com/rancherfederal/hauler/pkg/store"
@@ -32,7 +33,7 @@ func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
 f := cmd.Flags()
 f.StringSliceVarP(&o.ContentFiles, "files", "f", []string{}, "Path to content files")
- f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for digital signature verification")
+ f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for image signature verification")
 }
 func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
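Review bot: The added `"github.com/mitchellh/go-homedir"` line is appended after `k8s.io/apimachinery/pkg/util/yaml` inside the third-party group, which breaks the sorted order gofmt/goimports maintain within a group (it belongs before `"github.com/spf13/cobra"`), so the next formatter run will move it; place it there now. The import block starts before the hunk. As a follow-up, go-homedir is archived upstream as far as I recall, and the only use here is `~` expansion of a key path, which a small helper over `os.UserHomeDir` could cover without the extra module.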
@@ -99,15 +100,22 @@ func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
 for _, i := range cfg.Spec.Images {
 // Check if the user provided a key.
- if o.Key != "" {
+ if o.Key != "" || i.Key != "" {
+ key := o.Key
+ if i.Key != "" {
+ key, err = homedir.Expand(i.Key)
+ }
+ l.Debugf("key for image [%s]", key)
+
 // verify signature using the provided key.
- err := cosign.VerifySignature(ctx, s, o.Key, i.Name)
+ err := cosign.VerifySignature(ctx, s, key, i.Name)
 if err != nil {
- return err
+ l.Errorf("signature verification failed for image [%s]. ** hauler will skip adding this image to the store **:\n%v", i.Name, err)
+ continue
 }
 l.Infof("signature verified for image [%s]", i.Name)
 }
-
+ err = storeImage(ctx, s, i)
 if err != nil {
 return err
diff --git a/go.mod b/go.mod
index f5ac8c58..775b9f07 100644
--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 github.com/gorilla/handlers v1.5.1
 github.com/gorilla/mux v1.8.0
 github.com/mholt/archiver/v3 v3.5.1
+ github.com/mitchellh/go-homedir v1.1.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0-rc5
 github.com/pkg/errors v0.9.1
@@ -100,7 +101,6 @@ require (
 github.com/mattn/go-runewidth v0.0.9 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
- github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/locker v1.0.1 // indirect
diff --git a/pkg/apis/hauler.cattle.io/v1alpha1/image.go b/pkg/apis/hauler.cattle.io/v1alpha1/image.go
index cde4d2c0..b7a23602 100644
--- a/pkg/apis/hauler.cattle.io/v1alpha1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/image.go
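Review bot: The error from `key, err = homedir.Expand(i.Key)` is never checked: the next statement `err := cosign.VerifySignature(ctx, s, key, i.Name)` declares a fresh `err` that shadows it, and when Expand fails `key` is left as the empty string, so verification runs against an empty key path and whatever cosign does with that decides the outcome rather than the configured key. A per-image key path that cannot be resolved is a configuration error and should stop before any verification is attempted. The `:=` on the VerifySignature line should also become `=` so the outer `err` is used throughout, matching `err = storeImage(ctx, s, i)` below and keeping `go vet`'s shadow check quiet. SyncCmd begins and ends outside the hunk.
```go
		if o.Key != "" || i.Key != "" {
			key := o.Key
			if i.Key != "" {
				expanded, expErr := homedir.Expand(i.Key)
				if expErr != nil {
					// a key path that cannot be resolved is a config error, not a bad signature
					return expErr
				}
				key = expanded
			}
			l.Debugf("key for image [%s]", key)

			// verify signature using the provided key.
			err = cosign.VerifySignature(ctx, s, key, i.Name)
			// … unchanged: failure log + continue, success log …
```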
@@ -20,4 +20,8 @@ type ImageSpec struct {
 type Image struct {
 // Name is the full location for the image, can be referenced by tags or digests
 Name string `json:"name"`
+
+ // Path is the path to the cosign public key used for verifying image signatures
+ //Key string `json:"key,omitempty"`
+ Key string `json:"key"`
 }
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 91b06a2a..a6787122 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -54,7 +54,7 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string) error {
 return err
 }
- // Command to verify the signature using Cosign.
+ // Command to save/download an image using Cosign.
 cmd := exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root)
 // Run the command and capture its output.
@@ -75,7 +75,7 @@ func LoadImage(ctx context.Context, s *store.Layout, registry string, ropts cont
 return err
 }
- // Command to verify the signature using Cosign.
+ // Command to upload index to a remote registry using Cosign.
 cmd := exec.Command(cosignBinaryPath, "load", "--registry", registry, "--dir", s.Root)
 // Conditionally add extra registry flags.
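Review bot: The doc comment on the new field calls it `Path` while the field is `Key`, and a commented-out alternative declaration `//Key string `json:"key,omitempty"`` is left beside the live one; the comment should open with the field name and the dead line should be removed once the tag is decided. Without `omitempty` every image that has no per-image key serializes as `"key":""`, which matters if these specs are ever written back out; since the sync code treats an empty `Key` as "fall back to the `--key` flag", `json:"key,omitempty"` is the tag that expresses that. Suggested comment: `// Key is the path to the cosign public key used to verify this image's signature; empty means the key passed on the command line (if any) is used.`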
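Review bot: Both `SaveImage` and `LoadImage` take `ctx` but start the subprocess with `exec.Command`, so cancelling the context never reaches the running cosign process; `cmd := exec.CommandContext(ctx, cosignBinaryPath, "save", ref, "--dir", s.Root)` here, and the same for the `load` invocation in the second hunk, would kill it when ctx is done. This is pre-existing and only the comments change in these hunks, but it is the natural moment to fix it unless ctx is consumed elsewhere in the bodies, which the hunks do not show. Both function bodies extend beyond the hunks.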