Skip to content

Commit

Permalink
add input for --provenance-repository while image verification
Browse files Browse the repository at this point in the history
Signed-off-by: saisatishkarra <[email protected]>
  • Loading branch information
saisatishkarra committed Jan 15, 2024
1 parent f09d99f commit 107f4e9
Show file tree
Hide file tree
Showing 7 changed files with 46 additions and 22 deletions.
3 changes: 3 additions & 0 deletions cli/slsa-verifier/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,9 @@ func verifyImageCmd() *cobra.Command {
if cmd.Flags().Changed("provenance-path") {
v.ProvenancePath = &o.ProvenancePath
}
if cmd.Flags().Changed("provenance-repository") {
v.ProvenanceRepository = &o.ProvenanceRepository
}
if cmd.Flags().Changed("source-branch") {
v.SourceBranch = &o.SourceBranch
}
Expand Down
8 changes: 6 additions & 2 deletions cli/slsa-verifier/verify/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,9 @@ type VerifyOptions struct {
BuildWorkflowInputs workflowInputs
BuilderID string
/* Other */
ProvenancePath string
PrintProvenance bool
ProvenancePath string
ProvenanceRepository string
PrintProvenance bool
}

var _ Interface = (*VerifyOptions)(nil)
Expand All @@ -66,6 +67,9 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
/* Other options */
cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
"path to a provenance file")
/* Other options */
cmd.Flags().StringVar(&o.ProvenanceRepository, "provenance-repository", "",
"image repository for provenance. Format: <registry>/<repository>")

cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
"[optional] print the verified provenance to stdout")
Expand Down
24 changes: 15 additions & 9 deletions cli/slsa-verifier/verify/verify_image.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,15 @@ type ComputeDigestFn func(string) (string, error)
// Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
type VerifyImageCommand struct {
// May be nil if supplied alongside in the registry
ProvenancePath *string
BuilderID *string
SourceURI string
SourceBranch *string
SourceTag *string
SourceVersionTag *string
BuildWorkflowInputs map[string]string
PrintProvenance bool
ProvenancePath *string
ProvenanceRepository *string
BuilderID *string
SourceURI string
SourceBranch *string
SourceTag *string
SourceVersionTag *string
BuildWorkflowInputs map[string]string
PrintProvenance bool
}

func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*utils.TrustedBuilderID, error) {
Expand Down Expand Up @@ -70,7 +71,12 @@ func (c *VerifyImageCommand) Exec(ctx context.Context, artifacts []string) (*uti
}
}

verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceOpts, builderOpts)
var provenanceRepository string
if c.ProvenanceRepository != nil {
provenanceRepository = *c.ProvenanceRepository
}

verifiedProvenance, outBuilderID, err := verifiers.VerifyImage(ctx, artifacts[0], provenance, provenanceRepository, provenanceOpts, builderOpts)
if err != nil {
return nil, err
}
Expand Down
4 changes: 2 additions & 2 deletions register/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@ type SLSAVerifier interface {

// VerifyImage verifies a provenance for a supplied OCI image.
VerifyImage(ctx context.Context,
provenance []byte, artifactImage string,
provenanceOpts *options.ProvenanceOpts,
provenance []byte, provenanceRepository string,
artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error)

Expand Down
4 changes: 2 additions & 2 deletions verifiers/internal/gcb/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context,

// VerifyImage verifies provenance for an OCI image.
func (v *GCBVerifier) VerifyImage(ctx context.Context,
provenance []byte, artifactImage string,
provenanceOpts *options.ProvenanceOpts,
provenance []byte, provenanceRepository string,
artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
prov, err := ProvenanceFromBytes(provenance)
Expand Down
22 changes: 16 additions & 6 deletions verifiers/internal/gha/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"os"
"strings"

"github.com/google/go-containerregistry/pkg/name"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/v2/pkg/cosign"
"github.com/sigstore/rekor/pkg/client"
Expand Down Expand Up @@ -245,8 +246,8 @@ func (v *GHAVerifier) VerifyArtifact(ctx context.Context,

// VerifyImage verifies provenance for an OCI image.
func (v *GHAVerifier) VerifyImage(ctx context.Context,
provenance []byte, artifactImage string,
provenanceOpts *options.ProvenanceOpts,
provenance []byte, provenanceRepository string,
artifactImage string, provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
/* Retrieve any valid signed attestations that chain up to Fulcio root CA. */
Expand All @@ -255,10 +256,19 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
return nil, nil, err
}

// Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
var provenanceTargetRepository name.Repository
// Consume input for --provenance-repository when set
if provenanceRepository != "" {
provenanceTargetRepository, err = name.NewRepository(provenanceRepository)
if err != nil {
return nil, nil, err
}
} else {
// If user input --provenance-repository is empty, look for COSIGN_REPOSITORY environment
provenanceTargetRepository, err = ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
}
}

registryClientOpts := []ociremote.Option{}
Expand Down
3 changes: 2 additions & 1 deletion verifiers/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,14 +37,15 @@ func getVerifier(builderOpts *options.BuilderOpts) (register.SLSAVerifier, error

func VerifyImage(ctx context.Context, artifactImage string,
provenance []byte,
provenanceRepository string,
provenanceOpts *options.ProvenanceOpts,
builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
verifier, err := getVerifier(builderOpts)
if err != nil {
return nil, nil, err
}
return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
return verifier.VerifyImage(ctx, provenance, provenanceRepository, artifactImage, provenanceOpts, builderOpts)
}

func VerifyArtifact(ctx context.Context,
Expand Down

0 comments on commit 107f4e9

Please sign in to comment.