Remove TUF timestamp from OCI signature bundle (sigstore#1428)

As described in sigstore#1273, this solution does not work
because the TUF root is not included in the snapshot.
Removing unused code.

Confirmed that verifying images with a timestamp
annotation still works. Confimed that signing and
verifying works locally too.

Signed-off-by: Hayden Blauzvern <[email protected]>

cmd/cosign/cli/attest/attest.go

@@ -35,7 +35,6 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
 	cremote "github.com/sigstore/cosign/pkg/cosign/remote"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"github.com/sigstore/cosign/pkg/oci/static"
@@ -160,11 +159,6 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	opts := []static.Option{static.WithLayerMediaType(types.DssePayloadType)}
 	if sv.Cert != nil {
 		opts = append(opts, static.WithCertChain(sv.Cert, sv.Chain))
-		timestamp, err := tuf.GetTimestamp(ctx)
-		if err != nil {
-			return errors.Wrap(err, "reading tuf timestamp")
-		}
-		opts = append(opts, static.WithTimestamp(timestamp))
 	}
 
 	// Check whether we should be uploading to the transparency log
@@ -176,11 +170,6 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 			return err
 		}
 		opts = append(opts, static.WithBundle(bundle))
-		timestamp, err := tuf.GetTimestamp(ctx)
-		if err != nil {
-			return errors.Wrap(err, "reading tuf timestamp")
-		}
-		opts = append(opts, static.WithTimestamp(timestamp))
 	}
 
 	sig, err := static.NewAttestation(signedPayload, opts...)

cmd/cosign/cli/sign/sign_blob.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/pkg/errors"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
@@ -103,11 +102,6 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		}
 		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
 		signedPayload.Bundle = cbundle.EntryToBundle(entry)
-		ts, err := tuf.GetTimestamp(ctx)
-		if err != nil {
-			return nil, err
-		}
-		signedPayload.Timestamp = ts
 	}
 
 	// if bundle is specified, just do that and ignore the rest

internal/pkg/cosign/fulcio/signer.go

@@ -20,7 +20,6 @@ import (
 	"io"
 
 	"github.com/sigstore/cosign/internal/pkg/cosign"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 )
@@ -42,13 +41,8 @@ func (fs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
-	timestamp, err := tuf.GetTimestamp(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
 	// TODO(dekkagaijin): move the fulcio SignerVerifier logic here
-	newSig, err := mutate.Signature(sig, mutate.WithCertChain(fs.cert, fs.chain), mutate.WithTimestamp(timestamp))
+	newSig, err := mutate.Signature(sig, mutate.WithCertChain(fs.cert, fs.chain))
 	if err != nil {
 		return nil, nil, err
 	}

internal/pkg/cosign/fulcio/signer_test.go

@@ -106,13 +106,6 @@ func TestSigner(t *testing.T) {
 	if chain[0] == nil {
 		t.Fatal("ociSig.Chain()[0] missing certificate, got nil")
 	}
-	timestamp, err := ociSig.Timestamp()
-	if err != nil {
-		t.Fatalf("ociSig.Timestamp() returned error: %v", err)
-	}
-	if timestamp == nil {
-		t.Fatal("ociSig.Timestamp() missing TUF timestamp, got nil")
-	}
 
 	// Verify that the wrapped signer was called.
 	verifier, err := signature.LoadVerifier(pub, crypto.SHA256)

internal/pkg/cosign/rekor/signer.go

@@ -25,7 +25,6 @@ import (
 	"github.com/sigstore/cosign/internal/pkg/cosign"
 	cosignv1 "github.com/sigstore/cosign/pkg/cosign"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 
@@ -97,12 +96,7 @@ func (rs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
-	timestamp, err := tuf.GetTimestamp(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	newSig, err := mutate.Signature(sig, mutate.WithBundle(bundle), mutate.WithTimestamp(timestamp))
+	newSig, err := mutate.Signature(sig, mutate.WithBundle(bundle))
 	if err != nil {
 		return nil, nil, err
 	}

internal/pkg/cosign/rekor/signer_test.go

@@ -58,15 +58,6 @@ func TestSigner(t *testing.T) {
 		t.Fatalf("Sign() returned error: %v", err)
 	}
 
-	// Verify that the OCI signature contains a timestamp.
-	timestamp, err := ociSig.Timestamp()
-	if err != nil {
-		t.Fatalf("ociSig.Timestamp() returned error: %v", err)
-	}
-	if timestamp == nil {
-		t.Fatal("ociSig.Timestamp() missing TUF timestamp, got nil")
-	}
-
 	// Verify that the wrapped signer was called.
 	verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
 	if err != nil {

pkg/cosign/fetch.go

@@ -26,7 +26,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"knative.dev/pkg/pool"
 )
@@ -43,7 +42,6 @@ type LocalSignedPayload struct {
 	Base64Signature string              `json:"base64Signature"`
 	Cert            string              `json:"cert,omitempty"`
 	Bundle          *bundle.RekorBundle `json:"rekorBundle,omitempty"`
-	Timestamp       *tuf.Timestamp      `json:"timestamp,omitempty"`
 }
 
 type Signatures struct {

pkg/cosign/tuf/client.go

@@ -247,18 +247,6 @@ func (t *TUF) GetTarget(name string) ([]byte, error) {
 	return targetBytes, nil
 }
 
-func (t *TUF) GetTimestamp() ([]byte, error) {
-	trustedMeta, err := t.local.GetMeta()
-	if err != nil {
-		return nil, errors.Wrap(err, "getting trusted meta")
-	}
-	timestamp, ok := trustedMeta["timestamp.json"]
-	if !ok || len(timestamp) == 0 {
-		return nil, errors.New("unable to get TUF timestamp")
-	}
-	return timestamp, nil
-}
-
 func localStore(cacheRoot string) (client.LocalStore, error) {
 	local, err := tuf_leveldbstore.FileLocalStore(cacheRoot)
 	if err != nil {

pkg/cosign/tuf/client_test.go

@@ -220,13 +220,6 @@ func checkTargetsAndMeta(t *testing.T, tuf *TUF) {
 		t.Error("expected error reading target, got nil")
 	}
 
-	// Check the TUF timestamp metadata
-	if ts, err := tuf.GetTimestamp(); err != nil {
-		t.Error("expected no error reading timestamp, got err")
-	} else if len(ts) == 0 {
-		t.Errorf("expected timestamp length of %d, got 0", len(ts))
-	}
-
 	// Check root status matches
 	status, err := tuf.getRootStatus()
 	if err != nil {

pkg/oci/internal/signature/layer.go

@@ -25,17 +25,15 @@ import (
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 
 const (
-	sigkey       = "dev.cosignproject.cosign/signature"
-	certkey      = "dev.sigstore.cosign/certificate"
-	chainkey     = "dev.sigstore.cosign/chain"
-	BundleKey    = "dev.sigstore.cosign/bundle"
-	TimestampKey = "dev.sigstore.cosign/timestamp"
+	sigkey    = "dev.cosignproject.cosign/signature"
+	certkey   = "dev.sigstore.cosign/certificate"
+	chainkey  = "dev.sigstore.cosign/chain"
+	BundleKey = "dev.sigstore.cosign/bundle"
 )
 
 type sigLayer struct {
@@ -118,16 +116,3 @@ func (s *sigLayer) Bundle() (*bundle.RekorBundle, error) {
 	}
 	return &b, nil
 }
-
-// Timestamp implements oci.Signature
-func (s *sigLayer) Timestamp() (*tuf.Timestamp, error) {
-	timestamp := s.desc.Annotations[TimestampKey]
-	if timestamp == "" {
-		return nil, nil
-	}
-	var ts tuf.Timestamp
-	if err := json.Unmarshal([]byte(timestamp), &ts); err != nil {
-		return nil, errors.Wrap(err, "unmarshaling timestamp")
-	}
-	return &ts, nil
-}