Create siglayer package, which is used by and

Signed-off-by: Priya Wadhwa <[email protected]>

pkg/oci/layout/image.go

@@ -22,6 +22,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	"github.com/google/go-containerregistry/pkg/v1/partial"
 	"github.com/sigstore/cosign/pkg/oci"
+	"github.com/sigstore/cosign/pkg/oci/siglayer"
 )
 
 // SignedImage provides access to a remote image reference, and its signatures.
@@ -69,12 +70,7 @@ func (s *sigs) Get() ([]oci.Signature, error) {
 		if d == nil {
 			continue
 		}
-		// convert descriptor to oci.Signature
-		signatures = append(signatures, &sigLayer{
-			Layer: l,
-			img:   s,
-			desc:  *d,
-		})
+		signatures = append(signatures, siglayer.New(l, s, *d))
 	}
 	return signatures, nil
 }

pkg/oci/layout/write.go

@@ -18,26 +18,24 @@ package layout
 import (
 	"path/filepath"
 
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
-
-	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/empty"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
+	"github.com/sigstore/cosign/pkg/oci"
 )
 
-func WriteSignedImage(path string, ref name.Reference) error {
+// WriteSignedImage writes the image and all related signatures, attestations and attachments
+func WriteSignedImage(path string, si oci.SignedImage) error {
 	// First, write the image
-	if err := write(path, imagePath, ref); err != nil {
+	if err := write(path, imagePath, si); err != nil {
 		return errors.Wrap(err, "writing image")
 	}
-	// Then, write the signatures
-	sigRef, err := ociremote.SignatureTag(ref)
+	sigs, err := si.Signatures()
 	if err != nil {
-		return err
+		return errors.Wrap(err, "getting signatures")
 	}
-	if err := write(path, signaturesPath, sigRef); err != nil {
+	if err := write(path, signaturesPath, sigs); err != nil {
 		return errors.Wrap(err, "writing signatures")
 	}
 	// TODO (priyawadhwa@) write attestations and attachments
@@ -54,18 +52,13 @@ func signaturesPath(path string) string {
 
 type pathFunc func(string) string
 
-func write(path string, pf pathFunc, ref name.Reference) error {
+func write(path string, pf pathFunc, img v1.Image) error {
 	p := pf(path)
 	// write empty image
 	layoutPath, err := layout.Write(p, empty.Index)
 	if err != nil {
 		return err
 	}
-	// get the image
-	img, err := remote.Image(ref)
-	if err != nil {
-		return err
-	}
 	// write image to disk
 	if err := layoutPath.AppendImage(img); err != nil {
 		return err

pkg/oci/remote/remote.go

@@ -26,13 +26,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci"
 )
 
-const (
-	sigkey    = "dev.cosignproject.cosign/signature"
-	certkey   = "dev.sigstore.cosign/certificate"
-	chainkey  = "dev.sigstore.cosign/chain"
-	BundleKey = "dev.sigstore.cosign/bundle"
-)
-
 // These enable mocking for unit testing without faking an entire registry.
 var (
 	remoteImage = remote.Image

pkg/oci/remote/remote_test.go

@@ -16,7 +16,6 @@
 package remote
 
 import (
-	"encoding/base64"
 	"testing"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -25,21 +24,6 @@ import (
 	"github.com/pkg/errors"
 )
 
-func must(img v1.Image, err error) v1.Image {
-	if err != nil {
-		panic(err.Error())
-	}
-	return img
-}
-
-func mustDecode(s string) []byte {
-	b, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		panic(err.Error())
-	}
-	return b
-}
-
 func TestTagMethods(t *testing.T) {
 	rg := remoteGet
 	defer func() {

pkg/oci/remote/signatures.go

@@ -24,6 +24,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/cosign/pkg/oci/empty"
+	"github.com/sigstore/cosign/pkg/oci/siglayer"
 )
 
 // Signatures fetches the signatures image represented by the named reference.
@@ -63,11 +64,7 @@ func (s *sigs) Get() ([]oci.Signature, error) {
 		if err != nil {
 			return nil, err
 		}
-		signatures = append(signatures, &sigLayer{
-			Layer: layer,
-			img:   s,
-			desc:  desc,
-		})
+		signatures = append(signatures, siglayer.New(layer, s, desc))
 	}
 	return signatures, nil
 }

pkg/oci/layout/layer.go → pkg/oci/siglayer/siglayer.go

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package layout
+package siglayer
 
 import (
 	"crypto/x509"
@@ -37,10 +37,18 @@ const (
 
 type sigLayer struct {
 	v1.Layer
-	img  *sigs
+	img  oci.Signatures
 	desc v1.Descriptor
 }
 
+func New(l v1.Layer, img oci.Signatures, desc v1.Descriptor) *sigLayer {
+	return &sigLayer{
+		Layer: l,
+		img:   img,
+		desc:  desc,
+	}
+}
+
 var _ oci.Signature = (*sigLayer)(nil)
 
 // Annotations implements oci.Signature

pkg/oci/remote/layer_test.go → pkg/oci/siglayer/siglayer_test.go

@@ -13,10 +13,11 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package remote
+package siglayer
 
 import (
 	"bytes"
+	"encoding/base64"
 	"fmt"
 	"testing"
 
@@ -30,6 +31,46 @@ import (
 	ociempty "github.com/sigstore/cosign/pkg/oci/empty"
 )
 
+type sigs struct {
+	v1.Image
+}
+
+// Get implements oci.Signatures
+func (s *sigs) Get() ([]oci.Signature, error) {
+	m, err := s.Manifest()
+	if err != nil {
+		return nil, err
+	}
+	signatures := make([]oci.Signature, 0, len(m.Layers))
+	for _, desc := range m.Layers {
+		layer, err := s.Image.LayerByDigest(desc.Digest)
+		if err != nil {
+			return nil, err
+		}
+		signatures = append(signatures, &sigLayer{
+			Layer: layer,
+			img:   s,
+			desc:  desc,
+		})
+	}
+	return signatures, nil
+}
+
+func must(img v1.Image, err error) v1.Image {
+	if err != nil {
+		panic(err.Error())
+	}
+	return img
+}
+
+func mustDecode(s string) []byte {
+	b, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		panic(err.Error())
+	}
+	return b
+}
+
 func TestSignature(t *testing.T) {
 	layer, err := random.Layer(300 /* byteSize */, types.DockerLayer)
 	if err != nil {