feat: support attach attestation (#1253)

Signed-off-by: Batuhan Apaydın <[email protected]>
sigstore · Dec 28, 2021 · 591601c · 591601c
1 parent 2e99320
commit 591601c
Show file tree

Hide file tree

Showing 5 changed files with 159 additions and 2 deletions.
diff --git a/cmd/cosign/cli/attach.go b/cmd/cosign/cli/attach.go
@@ -16,10 +16,9 @@
 package cli
 
 import (
-	"github.com/spf13/cobra"
-
 	"github.com/sigstore/cosign/cmd/cosign/cli/attach"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/spf13/cobra"
 )
 
 func Attach() *cobra.Command {
@@ -31,6 +30,7 @@ func Attach() *cobra.Command {
 	cmd.AddCommand(
 		attachSignature(),
 		attachSBOM(),
+		attachAttestation(),
 	)
 
 	return cmd
@@ -75,3 +75,21 @@ func attachSBOM() *cobra.Command {
 
 	return cmd
 }
+
+func attachAttestation() *cobra.Command {
+	o := &options.AttachAttestationOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "attestation",
+		Short:   "Attach attestation to the supplied container image",
+		Example: "  cosign attach attestation <image uri>",
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return attach.AttestationCmd(cmd.Context(), o.Registry, o.Attestation, args[0])
+		},
+	}
+
+	o.AddFlags(cmd)
+
+	return cmd
+}
diff --git a/cmd/cosign/cli/attach/attestation.go b/cmd/cosign/cli/attach/attestation.go
@@ -0,0 +1,88 @@
+// Copyright 2021 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attach
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/pkg/errors"
+	ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/pkg/oci/mutate"
+	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/pkg/oci/static"
+	"github.com/sigstore/cosign/pkg/types"
+)
+
+func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayload, imageRef string) error {
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "constructing client options")
+	}
+
+	fmt.Fprintln(os.Stderr, "Using payload from:", signedPayload)
+	payload, err := os.ReadFile(signedPayload)
+	if err != nil {
+		return err
+	}
+
+	env := ssldsse.Envelope{}
+	if err := json.Unmarshal(payload, &env); err != nil {
+		return err
+	}
+
+	if env.PayloadType != types.IntotoPayloadType {
+		return fmt.Errorf("invalid payloadType %s on envelope. Expected %s", env.PayloadType, types.IntotoPayloadType)
+	}
+
+	if len(env.Signatures) == 0 {
+		return fmt.Errorf("could not attach attestation without having signatures")
+	}
+
+	ref, err := name.ParseReference(imageRef)
+	if err != nil {
+		return err
+	}
+	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
+	if err != nil {
+		return err
+	}
+	// Overwrite "ref" with a digest to avoid a race where we use a tag
+	// multiple times, and it potentially points to different things at
+	// each access.
+	ref = digest // nolint
+
+	att, err := static.NewAttestation(payload)
+	if err != nil {
+		return err
+	}
+
+	se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
+	if err != nil {
+		return err
+	}
+
+	newSE, err := mutate.AttachAttestationToEntity(se, att)
+	if err != nil {
+		return err
+	}
+
+	// Publish the signatures associated with this entity
+	return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...)
+}
diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go
@@ -76,3 +76,17 @@ func (o *AttachSBOMOptions) MediaType() (types.MediaType, error) {
 		return "unknown", fmt.Errorf("unknown SBOM type: %q, expected (spdx|cyclonedx|syft)", o.SBOMType)
 	}
 }
+
+// AttachAttestationOptions is the top level wrapper for the attach attestation command.
+type AttachAttestationOptions struct {
+	Attestation string
+	Registry    RegistryOptions
+}
+
+// AddFlags implements Interface
+func (o *AttachAttestationOptions) AddFlags(cmd *cobra.Command) {
+	o.Registry.AddFlags(cmd)
+
+	cmd.Flags().StringVar(&o.Attestation, "attestation", "",
+		"path to the predicate")
+}
diff --git a/doc/cosign_attach.md b/doc/cosign_attach.md
diff --git a/doc/cosign_attach_attestation.md b/doc/cosign_attach_attestation.md