diff --git a/cmd/cosign/cli/init.go b/cmd/cosign/cli/init.go index 21a9c741de9..c057edf1444 100644 --- a/cmd/cosign/cli/init.go +++ b/cmd/cosign/cli/init.go @@ -19,10 +19,6 @@ import ( "context" _ "embed" // To enable the `go:embed` directive. "flag" - "io/ioutil" - "net/http" - "path/filepath" - "strings" "github.com/peterbourgon/ff/v3/ffcli" ctuf "github.com/sigstore/cosign/pkg/cosign/tuf" @@ -31,29 +27,6 @@ import ( //go:embed 1.root.json var initialRoot string -func loadFileOrURL(fileRef string) ([]byte, error) { - var raw []byte - var err error - if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") { - // #nosec G107 - resp, err := http.Get(fileRef) - if err != nil { - return nil, err - } - defer resp.Body.Close() - raw, err = ioutil.ReadAll(resp.Body) - if err != nil { - return nil, err - } - } else { - raw, err = ioutil.ReadFile(filepath.Clean(fileRef)) - if err != nil { - return nil, err - } - } - return raw, nil -} - func Init() *ffcli.Command { var ( flagset = flag.NewFlagSet("cosign init", flag.ExitOnError) diff --git a/cmd/cosign/cli/util.go b/cmd/cosign/cli/util.go index 2167f6bbef3..41b7f4058d0 100644 --- a/cmd/cosign/cli/util.go +++ b/cmd/cosign/cli/util.go @@ -17,7 +17,7 @@ package cli import ( "context" "crypto" - "io/ioutil" + "io" "net/http" "os" "path/filepath" 
@@ -53,28 +53,39 @@ func TargetRepositoryForImage(img name.Reference) (name.Repository, error) { return name.NewRepository(wantRepo) } -func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) { - // The key could be plaintext, in a file, at a URL, or in KMS. - if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil { - // KMS specified - return kmsKey, nil - } - +func loadFileOrURL(fileRef string) ([]byte, error) { var raw []byte - - if strings.HasPrefix(keyRef, "http://") || strings.HasPrefix(keyRef, "https://") { - // key-url specified + var err error + if strings.HasPrefix(fileRef, "http://") || strings.HasPrefix(fileRef, "https://") { // #nosec G107 - resp, err := http.Get(keyRef) + resp, err := http.Get(fileRef) if err != nil { return nil, err } defer resp.Body.Close() - raw, err = ioutil.ReadAll(resp.Body) + raw, err = io.ReadAll(resp.Body) + if err != nil { + return nil, err + } + } else { + raw, err = os.ReadFile(filepath.Clean(fileRef)) if err != nil { return nil, err } - } else if raw, err = ioutil.ReadFile(filepath.Clean(keyRef)); err != nil { + } + return raw, nil +} + +func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verifier, err error) { + // The key could be plaintext, in a file, at a URL, or in KMS. + if kmsKey, err := kms.Get(ctx, keyRef, crypto.SHA256); err == nil { + // KMS specified + return kmsKey, nil + } + + raw, err := loadFileOrURL(keyRef) + + if err != nil { return nil, err } diff --git a/cmd/cosign/cli/verify_blob.go b/cmd/cosign/cli/verify_blob.go index 0c39ee3dc4b..fbad0cd8927 100644 --- a/cmd/cosign/cli/verify_blob.go +++ b/cmd/cosign/cli/verify_blob.go 
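Review bot: The URL branch of the new `loadFileOrURL` never checks `resp.StatusCode`, so a 404 or 5xx body (typically an HTML error page) is returned as if it were the key, and `LoadPublicKey` then fails with a confusing parse error rather than "fetching key: 404"; `io.ReadAll` on the body is also unbounded, and `http.Get` uses the default client with no timeout. Since this helper now feeds both public keys and (in verify_blob.go) signatures, it is worth hardening once here: reject non-200 responses and bound the read, and ideally thread the `ctx` that `LoadPublicKey` already has through to `http.NewRequestWithContext` so the fetch honours cancellation. Note that the prefix check still accepts plain `http://`, which for a verification key fetched from the network gives no integrity against an on-path attacker; if that is intentional it deserves a comment on the `strings.HasPrefix` line (`// http:// is accepted for local/test use; production callers should prefer https:// or KMS`). Minor style: the blank line between `raw, err := loadFileOrURL(keyRef)` and its `if err != nil` should go. `fmt` may need adding to util.go's imports if it is not already there; `LoadPublicKey`'s body continues past the end of this hunk.
```go
		// … unchanged: http.Get(fileRef), error check, defer resp.Body.Close() …
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("fetching %s: unexpected status %s", fileRef, resp.Status)
		}
		// Bound the read so a misbehaving server cannot exhaust memory; keys and
		// signatures are far smaller than this.
		raw, err = io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		if err != nil {
			return nil, err
		}
```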
@@ -166,17 +166,17 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str return err } } else { - b, err := ioutil.ReadFile(filepath.Clean(sigRef)) + targetSig, err := loadFileOrURL(sigRef) if err != nil { return err } - // If in a file, it could be raw or base64-encoded. - // We want them to be encoded eventually, but not double encoded! - if isb64(b) { - b64sig = string(b) + + if isb64(targetSig) { + b64sig = string(targetSig) } else { - b64sig = base64.StdEncoding.EncodeToString(b) + b64sig = base64.StdEncoding.EncodeToString(targetSig) } + } var blobBytes []byte
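Review bot: The comment explaining why the signature is run through `isb64` ("If in a file, it could be raw or base64-encoded. We want them to be encoded eventually, but not double encoded!") was dropped in this hunk even though the logic it describes is kept, so the `isb64(targetSig)` branch now reads as unexplained magic; restore it above the `if`, updated for the new source: `// Whether read from a file or fetched from a URL, the signature may be raw or base64-encoded; normalise to base64 without double-encoding.`. Switching `sigRef` to `loadFileOrURL` also silently widens this flag to accept `http://`/`https://` values, which the help text for `--signature` should mention if it does not already; and because that helper appears not to check the HTTP status, a server error page would reach `isb64` and be base64-encoded as a "signature" before failing verification with a misleading error. The enclosing `VerifyBlobCmd` starts and ends outside this hunk.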