feat: add timestamping options

Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
in-toto · Oct 17, 2022 · d637284 · d637284
1 parent ad38d7d
commit d637284
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/dsse/sign.go b/dsse/sign.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/pem"
+	"fmt"
 	"io"
 
 	"github.com/testifysec/go-witness/cryptoutil"
@@ -48,11 +49,15 @@ func SignWithTimestampers(timestampers ...Timestamper) SignOption {
 
 func Sign(bodyType string, body io.Reader, opts ...SignOption) (Envelope, error) {
 	so := &signOptions{}
+	env := Envelope{}
 	for _, opt := range opts {
 		opt(so)
 	}
 
-	env := Envelope{}
+	if len(so.signers) == 0 {
+		return env, fmt.Errorf("must have at least one signer, have %v", len(so.signers))
+	}
+
 	bodyBytes, err := io.ReadAll(body)
 	if err != nil {
 		return env, err

diff --git a/run.go b/run.go
@@ -37,6 +37,7 @@ type runOptions struct {
 	attestors       []string
 	command         []string
 	attestationOpts []attestation.AttestationContextOption
+	timestampers    []dsse.Timestamper
 }
 
 type RunOption func(ro *runOptions)
@@ -65,6 +66,12 @@ func RunWithCommand(command []string) RunOption {
 	}
 }
 
+func RunWithTimestampers(ts ...dsse.Timestamper) RunOption {
+	return func(ro *runOptions) {
+		ro.timestampers = ts
+	}
+}
+
 type RunResult struct {
 	Collection     attestation.Collection
 	SignedEnvelope dsse.Envelope
@@ -115,7 +122,7 @@ func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResul
 	}
 
 	result.Collection = attestation.NewCollection(ro.stepName, runCtx.CompletedAttestors())
-	result.SignedEnvelope, err = signCollection(result.Collection, ro.signer)
+	result.SignedEnvelope, err = signCollection(result.Collection, dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
 	if err != nil {
 		return result, fmt.Errorf("failed to sign collection: %w", err)
 	}
@@ -135,7 +142,7 @@ func validateRunOpts(ro runOptions) error {
 	return nil
 }
 
-func signCollection(collection attestation.Collection, signer cryptoutil.Signer) (dsse.Envelope, error) {
+func signCollection(collection attestation.Collection, opts ...dsse.SignOption) (dsse.Envelope, error) {
 	data, err := json.Marshal(&collection)
 	if err != nil {
 		return dsse.Envelope{}, err
@@ -151,5 +158,5 @@ func signCollection(collection attestation.Collection, signer cryptoutil.Signer)
 		return dsse.Envelope{}, err
 	}
 
-	return dsse.Sign(intoto.PayloadType, bytes.NewReader(stmtJson), dsse.SignWithSigners(signer))
+	return dsse.Sign(intoto.PayloadType, bytes.NewReader(stmtJson), opts...)
 }
diff --git a/sign.go b/sign.go
@@ -18,12 +18,11 @@ import (
 	"encoding/json"
 	"io"
 
-	"github.com/testifysec/go-witness/cryptoutil"
 	"github.com/testifysec/go-witness/dsse"
 )
 
-func Sign(r io.Reader, dataType string, w io.Writer, signers ...cryptoutil.Signer) error {
-	env, err := dsse.Sign(dataType, r, dsse.SignWithSigners(signers...))
+func Sign(r io.Reader, dataType string, w io.Writer, opts ...dsse.SignOption) error {
+	env, err := dsse.Sign(dataType, r, opts...)
 	if err != nil {
 		return err
 	}