
DO NOT MERGE IRRESPONSIBLE: Cosign integration #1599

Closed
wants to merge 21 commits into from

Commits on Jul 7, 2022

  1. c9e8f31
  2. Introduce signature.Cosign as a format

    Currently, this just allows serializing and deserializing
    it as a blob.
    
    NOTE: This makes an implementation decision about the blob format:
    we use OpenPGP signatures with no marker, any new formats will
    start with a zero byte and an ASCII line identifying the format of the rest.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    61d26a4
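The blob convention stated in the commit message (OpenPGP unmarked; anything else starts with a zero byte and an ASCII format line) is small enough to write out as a parser. The following is an added example in Go, not code from this PR or from containers/image. `cosign-json` is a hypothetical format identifier chosen for the demo, and the rejection of unmarked blobs whose first byte lacks the OpenPGP high bit is the example's own extra sanity check rather than part of the stated convention.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// SignatureFormat names the format of one signature blob: "openpgp" for the
// legacy unmarked blob, otherwise the ASCII identifier from the marker line.
type SignatureFormat string

const FormatOpenPGP SignatureFormat = "openpgp"

// parsedBlob is the result of sniffing a signature blob.
type parsedBlob struct {
	Format  SignatureFormat
	Payload []byte // bytes after the marker line; the whole blob for OpenPGP
}

// parseSignatureBlob follows the convention from the commit message: an OpenPGP
// signature is stored with no marker, every other format starts with a single
// zero byte followed by an ASCII line naming the format. The dispatch cannot be
// ambiguous: the first byte of a binary OpenPGP packet always has its high bit
// set (RFC 4880 section 4.2), so it is never 0x00.
func parseSignatureBlob(blob []byte) (parsedBlob, error) {
	if len(blob) == 0 {
		return parsedBlob{}, errors.New("signature blob is empty")
	}
	if blob[0] != 0x00 {
		// Example's own extra sanity check, stricter than the convention itself:
		// an unmarked blob that is not a binary OpenPGP packet is a storage bug,
		// not something to hand to an OpenPGP verifier.
		if blob[0]&0x80 == 0 {
			return parsedBlob{}, fmt.Errorf("unmarked blob does not start with an OpenPGP packet tag (first byte %#02x)", blob[0])
		}
		return parsedBlob{Format: FormatOpenPGP, Payload: blob}, nil
	}
	rest := blob[1:]
	nl := bytes.IndexByte(rest, '\n')
	if nl < 0 {
		return parsedBlob{}, errors.New("marked blob has no newline terminating the format line")
	}
	ident := rest[:nl]
	if len(ident) == 0 {
		return parsedBlob{}, errors.New("marked blob has an empty format identifier")
	}
	for _, c := range ident {
		// Printable ASCII only, so binary junk cannot masquerade as a format name.
		if c < 0x21 || c > 0x7e {
			return parsedBlob{}, fmt.Errorf("format identifier contains byte %#02x outside printable ASCII", c)
		}
	}
	return parsedBlob{Format: SignatureFormat(ident), Payload: rest[nl+1:]}, nil
}

// encodeMarkedBlob is the writer side: zero byte, format line, then the payload.
// It refuses to emit the OpenPGP name in a marker, because OpenPGP is defined as unmarked.
func encodeMarkedBlob(format SignatureFormat, payload []byte) ([]byte, error) {
	if format == FormatOpenPGP || len(format) == 0 {
		return nil, fmt.Errorf("format %q cannot be written with a marker", format)
	}
	out := make([]byte, 0, 2+len(format)+len(payload))
	out = append(out, 0x00)
	out = append(out, string(format)...)
	out = append(out, '\n')
	return append(out, payload...), nil
}

func main() {
	// Constructed inputs: 0x89 is a plausible old-format OpenPGP signature packet
	// header byte; "cosign-json" is a hypothetical identifier, not a project name.
	pgp := []byte{0x89, 0x01, 0x33, 0x04, 0x00}
	marked, _ := encodeMarkedBlob("cosign-json", []byte(`{"critical":{}}`))
	for _, b := range [][]byte{pgp, marked, nil, {0x00, 'x'}, []byte(`{"not":"pgp"}`)} {
		p, err := parseSignatureBlob(b)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("format=%s payload=%q\n", p.Format, p.Payload)
	}
}
```

The point of the marker design is that a reader can dispatch on one byte without trying each verifier in turn; the identifier line is what lets a later format be added without touching the OpenPGP path.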
  3. 6cc05f6
  4. Rename docker/lookaside.go to docker/registries_d.go

    It's not actually dealing with the lookaside; just with the configuration.
    And we are going to introduce more configuration.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    745953d
  5. Split registryConfiguration.signatureStorageBaseURL from SignatureStorageBaseURL
    
    This will allow us to only load the configuration once.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    3e943c8
  6. Split loadRegistryConfiguration from SignatureStorageBaseURL

    This will allow us to load the configuration and then ask
    for multiple items.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    111bc45
  7. Move loading registries.d from newDockerClientForRef

    This is a bit more repetitive in most callers.  The benefit is
    that we only read the files once per newImageSource, even if there
    are multiple mirrors.
    
    We will also read more items from the config.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    0bbee88
  8. FIXME: Add use-cosign-attachments to registries.d/*.yaml

    ... so that users can choose whether to do the extra
    manifest lookups, and record signatures.
    
    NOTE: This defaults to false.
    
    FIXME: Documentation
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    8e18111
  9. Make most of dockerImageSource.fetchManifest available in dockerClient.fetchManifest
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    1c68d0a
  10. Move most of dockerImageSource.GetBlob to dockerClient.getBlob

    We need it for writing signatures.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    1c61ce9
  11. Split dockerImageDestination.uploadManifest from PutManifest

    We are going to need a way to upload to a tag without affecting
    dockerImageDestination.manifestDigest.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    a48ed60
  12. Add support for reading and writing Cosign attachments, incl. signatures

    NOTE design decisions:
    - We can read Cosign data from lookaside
    - We ONLY write Cosign data to Cosign attachments, never
      to lookaside; because lookaside is set up by default, that
      would be too confusing.
    - We ONLY use Cosign attachments at all if the user opts in
      via registries.d.
    
      One concern is performance impact of the extra round-trip
      for large-scale operations like (skopeo sync).
    
      Short-term, much more worrying is the risk that we probably
      have the "is this failure just a missing attachment manifest,
      or a real failure reading it?" heuristic wrong, so without an
      opt-in, _all_ image reads are going to fail.  This might eventually
      go away after more testing.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    1e5089f
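Reading a Cosign attachment comes down to two things the commit above touches: which tag to look up for a given manifest digest, and how to tell a missing attachment apart from a lookup that actually failed. The following is an added example in Go, not code from this PR or from containers/image. The tag layout (`sha256-<hex>.sig`) is Cosign's convention; the function names, the constructed registry responses, and the exact status-code and error-code rules are this example's own choices for a fail-closed reader.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// attachmentTag maps a manifest digest to the tag Cosign uses for its signature
// attachment: "sha256:<hex>" becomes "sha256-<hex>.sig". Only sha256 is accepted
// here; an unknown algorithm or malformed hex is rejected rather than turned into
// a tag that would quietly look up the wrong object.
func attachmentTag(manifestDigest string) (string, error) {
	algo, hex, ok := strings.Cut(manifestDigest, ":")
	if !ok || algo != "sha256" || len(hex) != 64 {
		return "", fmt.Errorf("unsupported or malformed digest %q", manifestDigest)
	}
	for _, c := range hex {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return "", fmt.Errorf("digest %q is not lowercase hex", manifestDigest)
		}
	}
	return algo + "-" + hex + ".sig", nil
}

// AttachmentStatus is the three-way outcome of fetching the attachment manifest.
type AttachmentStatus int

const (
	AttachmentPresent AttachmentStatus = iota // manifest fetched; go read the signature layers
	AttachmentAbsent                          // definitely no attachment: zero signatures, policy decides
	AttachmentError                           // anything ambiguous: fail the image read
)

// registryErrors is the error document shape of the OCI distribution API.
type registryErrors struct {
	Errors []struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
}

// classifyAttachmentResponse answers the question raised in the commit message:
// is a failed fetch "just a missing attachment manifest" or "a real failure
// reading it"? Only a 404 that carries no unexpected error code counts as absent.
// An auth refusal, a rate limit, a server error, or a 200 with the wrong media
// type is reported as an error, so the caller fails closed instead of treating a
// signed image as unsigned.
func classifyAttachmentResponse(status int, contentType string, body []byte) (AttachmentStatus, error) {
	switch status {
	case http.StatusOK:
		mt, _, _ := strings.Cut(contentType, ";")
		if strings.TrimSpace(mt) != "application/vnd.oci.image.manifest.v1+json" {
			return AttachmentError, fmt.Errorf("attachment manifest has unexpected media type %q", contentType)
		}
		return AttachmentPresent, nil
	case http.StatusNotFound:
		var parsed registryErrors
		if err := json.Unmarshal(body, &parsed); err != nil || len(parsed.Errors) == 0 {
			// Registries that do not emit the error schema still mean "not here" on 404.
			return AttachmentAbsent, nil
		}
		for _, e := range parsed.Errors {
			if e.Code != "MANIFEST_UNKNOWN" {
				// e.g. NAME_UNKNOWN or DENIED behind a 404: the repository itself is
				// unreachable, so we cannot claim to know there are no signatures.
				return AttachmentError, fmt.Errorf("404 with error code %s: %s", e.Code, e.Message)
			}
		}
		return AttachmentAbsent, nil
	case http.StatusUnauthorized, http.StatusForbidden, http.StatusTooManyRequests:
		return AttachmentError, fmt.Errorf("registry refused the attachment lookup (HTTP %d)", status)
	default:
		return AttachmentError, fmt.Errorf("unexpected HTTP %d fetching attachment manifest", status)
	}
}

func main() {
	// Constructed responses, not captured from a real registry.
	tag, err := attachmentTag("sha256:" + strings.Repeat("ab", 32))
	fmt.Println(tag, err)
	samples := []struct {
		status int
		ct     string
		body   string
	}{
		{200, "application/vnd.oci.image.manifest.v1+json", `{"schemaVersion":2}`},
		{404, "application/json", `{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown"}]}`},
		{404, "application/json", `{"errors":[{"code":"DENIED","message":"requested access to the resource is denied"}]}`},
		{401, "application/json", `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}`},
		{200, "text/html", "<html>captive portal</html>"},
	}
	for _, s := range samples {
		st, err := classifyAttachmentResponse(s.status, s.ct, []byte(s.body))
		fmt.Printf("HTTP %d %-45s -> %d %v\n", s.status, s.ct, st, err)
	}
}
```

The asymmetry is deliberate: "absent" is a safe answer only because a policy that requires a Cosign signature will still reject an image with zero signatures, whereas mapping an auth or transport failure to "absent" would turn a transient outage into a silent policy bypass for any policy that merely prefers signatures.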
  13. a3b4a97
  14. UNTESTED: Add support for creating Cosign signatures

    Private key only, no Fulcio/Rekor.
    
    The extra dependencies are not ideal, but not too bad
    (notably the scary go-tuf addition is only a small subpackage), looking only
    at files added in new subpackage, not additions caused by updates of existing dependencies:
    
     vendor/github.com/golang/protobuf/jsonpb/decode.go                                   |  524 ++++++++++++++++
     vendor/github.com/golang/protobuf/jsonpb/encode.go                                   |  559 ++++++++++++++++++
     vendor/github.com/golang/protobuf/jsonpb/json.go                                     |   69 +++
     vendor/github.com/google/go-containerregistry/LICENSE                                |  202 +++++++
     vendor/github.com/google/go-containerregistry/pkg/name/README.md                     |    3 +
     vendor/github.com/google/go-containerregistry/pkg/name/check.go                      |   43 ++
     vendor/github.com/google/go-containerregistry/pkg/name/digest.go                     |   96 +++
     vendor/github.com/google/go-containerregistry/pkg/name/doc.go                        |   42 ++
     vendor/github.com/google/go-containerregistry/pkg/name/errors.go                     |   42 ++
     vendor/github.com/google/go-containerregistry/pkg/name/options.go                    |   83 +++
     vendor/github.com/google/go-containerregistry/pkg/name/ref.go                        |   75 +++
     vendor/github.com/google/go-containerregistry/pkg/name/registry.go                   |  136 +++++
     vendor/github.com/google/go-containerregistry/pkg/name/repository.go                 |  121 ++++
     vendor/github.com/google/go-containerregistry/pkg/name/tag.go                        |  108 ++++
     vendor/github.com/letsencrypt/boulder/LICENSE.txt                                    |  375 ++++++++++++
     vendor/github.com/letsencrypt/boulder/core/challenges.go                             |   27 +
     vendor/github.com/letsencrypt/boulder/core/interfaces.go                             |   14 +
     vendor/github.com/letsencrypt/boulder/core/objects.go                                |  536 +++++++++++++++++
     vendor/github.com/letsencrypt/boulder/core/proto/core.pb.go                          | 1100 ++++++++++++++++++++++++++++++++++
     vendor/github.com/letsencrypt/boulder/core/proto/core.proto                          |   95 +++
     vendor/github.com/letsencrypt/boulder/core/util.go                                   |  298 ++++++++++
     vendor/github.com/letsencrypt/boulder/errors/errors.go                               |  150 +++++
     vendor/github.com/letsencrypt/boulder/features/featureflag_string.go                 |   45 ++
     vendor/github.com/letsencrypt/boulder/features/features.go                           |  158 +++++
     vendor/github.com/letsencrypt/boulder/goodkey/blocked.go                             |   98 +++
     vendor/github.com/letsencrypt/boulder/goodkey/good_key.go                            |  432 ++++++++++++++
     vendor/github.com/letsencrypt/boulder/goodkey/weak.go                                |   66 +++
     vendor/github.com/letsencrypt/boulder/identifier/identifier.go                       |   32 +
     vendor/github.com/letsencrypt/boulder/probs/probs.go                                 |  349 +++++++++++
     vendor/github.com/letsencrypt/boulder/revocation/reasons.go                          |   74 +++
     vendor/github.com/letsencrypt/boulder/sa/proto/sa.pb.go                              | 3449 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto                              |  272 +++++++++
     vendor/github.com/letsencrypt/boulder/sa/proto/sa_grpc.pb.go                         | 1515 +++++++++++++++++++++++++++++++++++++++++++++++
     vendor/github.com/letsencrypt/boulder/sa/proto/subsets.go                            |   46 ++
     vendor/github.com/sigstore/sigstore/COPYRIGHT.txt                                    |   14 +
     vendor/github.com/sigstore/sigstore/LICENSE                                          |  202 +++++++
     vendor/github.com/sigstore/sigstore/pkg/cryptoutils/certificate.go                   |  170 ++++++
     vendor/github.com/sigstore/sigstore/pkg/cryptoutils/generic.go                       |   31 +
     vendor/github.com/sigstore/sigstore/pkg/cryptoutils/password.go                      |   96 +++
     vendor/github.com/sigstore/sigstore/pkg/cryptoutils/privatekey.go                    |  144 +++++
     vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go                     |  174 ++++++
     vendor/github.com/sigstore/sigstore/pkg/signature/doc.go                             |   17 +
     vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go                           |  244 ++++++++
     vendor/github.com/sigstore/sigstore/pkg/signature/ed25519.go                         |  197 ++++++
     vendor/github.com/sigstore/sigstore/pkg/signature/message.go                         |  111 ++++
     vendor/github.com/sigstore/sigstore/pkg/signature/options.go                         |   57 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/context.go                 |   36 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/digest.go                  |   35 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/keyversion.go              |   50 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/noop.go                    |   49 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/rand.go                    |   41 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/remoteverification.go      |   32 +
     vendor/github.com/sigstore/sigstore/pkg/signature/options/rpcauth.go                 |   58 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/options/signeropts.go              |   40 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/payload/payload.go                 |  104 ++++
     vendor/github.com/sigstore/sigstore/pkg/signature/publickey.go                       |   25 +
     vendor/github.com/sigstore/sigstore/pkg/signature/rsapkcs1v15.go                     |  225 +++++++
     vendor/github.com/sigstore/sigstore/pkg/signature/rsapss.go                          |  260 ++++++++
     vendor/github.com/sigstore/sigstore/pkg/signature/signer.go                          |   89 +++
     vendor/github.com/sigstore/sigstore/pkg/signature/signerverifier.go                  |   69 +++
     vendor/github.com/sigstore/sigstore/pkg/signature/util.go                            |   55 ++
     vendor/github.com/sigstore/sigstore/pkg/signature/verifier.go                        |  100 ++++
     vendor/github.com/theupdateframework/go-tuf/LICENSE                                  |   27 +
     vendor/github.com/theupdateframework/go-tuf/encrypted/encrypted.go                   |  226 +++++++
     vendor/github.com/titanous/rocacheck/LICENSE                                         |   22 +
     vendor/github.com/titanous/rocacheck/README.md                                       |    7 +
     vendor/github.com/titanous/rocacheck/rocacheck.go                                    |   52 ++
     vendor/golang.org/x/crypto/internal/poly1305/bits_compat.go                          |   40 ++
     vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go                          |   22 +
     vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go                            |   10 +
     vendor/golang.org/x/crypto/internal/poly1305/poly1305.go                             |   99 ++++
     vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go                            |   48 ++
     vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.s                             |  109 ++++
     vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go                          |  310 ++++++++++
     vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.go                          |   48 ++
     vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s                           |  182 ++++++
     vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go                            |   76 +++
     vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.s                             |  504 ++++++++++++++++
     vendor/golang.org/x/crypto/internal/subtle/aliasing.go                               |   33 ++
     vendor/golang.org/x/crypto/internal/subtle/aliasing_purego.go                        |   36 ++
     vendor/golang.org/x/crypto/nacl/secretbox/secretbox.go                               |  173 ++++++
     vendor/golang.org/x/crypto/ocsp/ocsp.go                                              |  789 +++++++++++++++++++++++++
     vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go                                 |  144 +++++
     vendor/golang.org/x/crypto/salsa20/salsa/salsa208.go                                 |  199 +++++++
     vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.go                            |   24 +
     vendor/golang.org/x/crypto/salsa20/salsa/salsa20_amd64.s                             |  881 +++++++++++++++++++++++++++
     vendor/golang.org/x/crypto/salsa20/salsa/salsa20_noasm.go                            |   15 +
     vendor/golang.org/x/crypto/salsa20/salsa/salsa20_ref.go                              |  231 ++++++++
     vendor/golang.org/x/crypto/scrypt/scrypt.go                                          |  212 +++++++
     vendor/golang.org/x/crypto/sha3/doc.go                                               |   66 +++
     vendor/golang.org/x/crypto/sha3/hashes.go                                            |   97 +++
     vendor/golang.org/x/crypto/sha3/hashes_generic.go                                    |   28 +
     vendor/golang.org/x/crypto/sha3/keccakf.go                                           |  413 +++++++++++++
     vendor/golang.org/x/crypto/sha3/keccakf_amd64.go                                     |   14 +
     vendor/golang.org/x/crypto/sha3/keccakf_amd64.s                                      |  391 ++++++++++++
     vendor/golang.org/x/crypto/sha3/register.go                                          |   19 +
     vendor/golang.org/x/crypto/sha3/sha3.go                                              |  193 ++++++
     vendor/golang.org/x/crypto/sha3/sha3_s390x.go                                        |  285 +++++++++
     vendor/golang.org/x/crypto/sha3/sha3_s390x.s                                         |   34 ++
     vendor/golang.org/x/crypto/sha3/shake.go                                             |  173 ++++++
     vendor/golang.org/x/crypto/sha3/shake_generic.go                                     |   20 +
     vendor/golang.org/x/crypto/sha3/xor.go                                               |   24 +
     vendor/golang.org/x/crypto/sha3/xor_generic.go                                       |   28 +
     vendor/golang.org/x/crypto/sha3/xor_unaligned.go                                     |   68 +++
     vendor/google.golang.org/grpc/channelz/channelz.go                                   |   36 ++
     vendor/google.golang.org/grpc/internal/balancer/gracefulswitch/gracefulswitch.go     |  382 ++++++++++++
     vendor/google.golang.org/grpc/internal/pretty/pretty.go                              |   82 +++
     vendor/google.golang.org/protobuf/encoding/protojson/decode.go                       |  665 +++++++++++++++++++++
     vendor/google.golang.org/protobuf/encoding/protojson/doc.go                          |   11 +
     vendor/google.golang.org/protobuf/encoding/protojson/encode.go                       |  344 +++++++++++
     vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go             |  889 ++++++++++++++++++++++++++++
     vendor/google.golang.org/protobuf/internal/encoding/json/decode.go                   |  340 +++++++++++
     vendor/google.golang.org/protobuf/internal/encoding/json/decode_number.go            |  254 ++++++++
     vendor/google.golang.org/protobuf/internal/encoding/json/decode_string.go            |   91 +++
     vendor/google.golang.org/protobuf/internal/encoding/json/decode_token.go             |  192 ++++++
     vendor/google.golang.org/protobuf/internal/encoding/json/encode.go                   |  276 +++++++++
     vendor/google.golang.org/protobuf/types/known/emptypb/empty.pb.go                    |  168 ++++++
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    7ca39ec
  15. 5ddfdb3
  16. Fix a long-standing incorrect comment

    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    18de3ff
  17. Add private.UnparsedImage, use it for signature handling

    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    464050f
  18. FIXME DO NOT MERGE IRRESPONSIBLE Add Cosign verification support

    THIS MUST HAVE TOTAL CODE COVERAGE.
    
    type: cosignSigned, with the usual keyData/keyPath.
    Fulcio/Rekor is plausible _for the off-line rekor
    log entry proofs_, but not currently implemented. Tests first.
    
    NOTE: This only allows a single public key, not a keyring,
    unlike simple signing. That seems problematic, there are
    known users of that. But we can fix that later by adding
    keyDirectory and the like.
    
    FIXME: Update documentation of policy.json.
    
    Signed-off-by: Miloslav Trmač <[email protected]>
    mtrmac committed Jul 7, 2022
    657eeb5
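Commit 14 (creating signatures with a private key only, no Fulcio/Rekor) and commit 18 (a `cosignSigned` policy requirement with a single public key) are the two halves of one round trip, so one added example covers both. This is example code in Go, not code from this PR or from containers/image: the payload layout and ECDSA-over-SHA-256 follow Cosign's key-only format, while `cosignRequirement` and its fields are hypothetical stand-ins for the policy.json requirement with keyData/keyPath, and the digest and reference are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// cosignPayload is the JSON document cosign signs; everything under "critical" is covered by the signature.
type cosignPayload struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` }         `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string                                                               `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional"`
}

const cosignPayloadType = "cosign container image signature"

func newPayload(reference, manifestDigest string) ([]byte, error) {
	var p cosignPayload
	p.Critical.Identity.DockerReference = reference
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = cosignPayloadType
	return json.Marshal(p)
}

// generateKey returns a P-256 key plus its public half as the PEM "PUBLIC KEY" block a policy's keyData/keyPath carries.
func generateKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a freshly generated P-256 key
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// signPayload is the key-only path (no Fulcio, no Rekor): ECDSA over SHA-256 of the
// payload, base64-encoded as cosign stores it in the "dev.cosignproject.cosign/signature" layer annotation.
func signPayload(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// cosignRequirement is the policy side: one PEM public key, the digest of the manifest actually fetched, the expected identity.
type cosignRequirement struct {
	PublicKeyPEM     []byte
	ExpectedDigest   string
	ExpectedIdentity string
}

// verifySignature accepts only if the signature verifies under the trusted key AND the signed
// payload names the fetched digest AND the policy identity; the key check alone would let a
// genuine signature over another image under the same key be replayed against this one.
func verifySignature(req cosignRequirement, payload []byte, sigB64 string) error {
	block, _ := pem.Decode(req.PublicKeyPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("key data is not a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	sig, decErr := base64.StdEncoding.DecodeString(sigB64)
	if !ok || decErr != nil {
		return errors.New("need an ECDSA public key and a base64-encoded signature")
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the configured key")
	}
	var p cosignPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("signed payload is not JSON: %w", err)
	}
	switch {
	case p.Critical.Type != cosignPayloadType:
		return fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	case p.Critical.Image.DockerManifestDigest != req.ExpectedDigest:
		return fmt.Errorf("signature covers %s, not %s", p.Critical.Image.DockerManifestDigest, req.ExpectedDigest)
	case p.Critical.Identity.DockerReference != req.ExpectedIdentity:
		return fmt.Errorf("signed identity %q does not match policy %q", p.Critical.Identity.DockerReference, req.ExpectedIdentity)
	}
	return nil
}
```

Wiring it up is `generateKey`, `newPayload`, `signPayload`, then `verifySignature` with the digest of the manifest you actually fetched; the order inside `verifySignature` matters, since the digest and identity fields are trusted only after the signature over them has been checked.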
  19. 883281f
  20. e17a67d
  21. 8a25bbf