Update cosign to v2

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · May 15, 2023 · afc324d · afc324d
1 parent 2678c75
commit afc324d
Show file tree

Hide file tree

Showing 7 changed files with 225 additions and 975 deletions.
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/controller/helmchart_controller_test.go b/internal/controller/helmchart_controller_test.go
@@ -34,9 +34,9 @@ import (
 	"time"
 
 	. "github.com/onsi/gomega"
-	coptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/pkg/cosign"
+	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	hchart "helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	helmreg "helm.sh/helm/v3/pkg/registry"
@@ -2633,11 +2633,13 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignature(t *testing.T
 					Timeout: timeout,
 				}
 
-				err = sign.SignCmd(ro, ko, coptions.RegistryOptions{Keychain: oci.Anonymous{}},
-					nil, []string{fmt.Sprintf("%s/testrepo/%s:%s", server.registryHost, metadata.Name, metadata.Version)}, "",
-					"", true, "",
-					"", "", false,
-					false, "", false)
+				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+					Upload:           true,
+					SkipConfirmation: true,
+					TlogUpload:       false,
+					Registry:         coptions.RegistryOptions{Keychain: oci.Anonymous{}, AllowInsecure: true},
+				},
+					[]string{fmt.Sprintf("%s/testrepo/%s:%s", server.registryHost, metadata.Name, metadata.Version)})
 				g.Expect(err).ToNot(HaveOccurred())
 			}
 

diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -31,7 +31,6 @@ import (
 	"time"
 
 	"github.com/Masterminds/semver/v3"
-	soci "github.com/fluxcd/source-controller/internal/oci"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/authn/k8schain"
 	"github.com/google/go-containerregistry/pkg/crane"
@@ -69,6 +68,7 @@ import (
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	ociv1 "github.com/fluxcd/source-controller/api/v1beta2"
 	serror "github.com/fluxcd/source-controller/internal/error"
+	soci "github.com/fluxcd/source-controller/internal/oci"
 	sreconcile "github.com/fluxcd/source-controller/internal/reconcile"
 	"github.com/fluxcd/source-controller/internal/reconcile/summarize"
 	"github.com/fluxcd/source-controller/internal/util"

diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go
@@ -43,9 +43,9 @@ import (
 	gcrv1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	. "github.com/onsi/gomega"
-	coptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/pkg/cosign"
+	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1239,11 +1239,12 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignature(t *testing.T) {
 				ro := &coptions.RootOptions{
 					Timeout: timeout,
 				}
-				err = sign.SignCmd(ro, ko, coptions.RegistryOptions{Keychain: keychain},
-					nil, []string{artifactURL}, "",
-					"", true, "",
-					"", "", false,
-					false, "", true)
+				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+					Upload:           true,
+					SkipConfirmation: true,
+					TlogUpload:       false,
+					Registry:         coptions.RegistryOptions{Keychain: keychain, AllowInsecure: true},
+				}, []string{artifactURL})
 				g.Expect(err).ToNot(HaveOccurred())
 			}
 

diff --git a/internal/oci/verifier.go b/internal/oci/verifier.go
@@ -22,14 +22,14 @@ import (
 	"fmt"
 
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
-	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
-	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 
 	"github.com/google/go-containerregistry/pkg/name"
-	coptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/pkg/cosign"
-	"github.com/sigstore/cosign/pkg/oci"
+	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 )
@@ -120,6 +120,11 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 			return nil, fmt.Errorf("unable to create Rekor client: %w", err)
 		}
 		checkOpts.RekorClient = rc
+
+		checkOpts.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("getting Rekor public keys: %w", err)
+		}
 	}
 
 	return &CosignVerifier{
@@ -129,7 +134,17 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 
 // VerifyImageSignatures verify the authenticity of the given ref OCI image.
 func (v *CosignVerifier) VerifyImageSignatures(ctx context.Context, ref name.Reference) ([]oci.Signature, bool, error) {
-	return cosign.VerifyImageSignatures(ctx, ref, v.opts)
+	opts := v.opts
+
+	// TODO: expose the match conditions in the CRD
+	opts.Identities = []cosign.Identity{
+		{
+			IssuerRegExp:  ".*",
+			SubjectRegExp: ".*",
+		},
+	}
+
+	return cosign.VerifyImageSignatures(ctx, ref, opts)
 }
 
 // Verify verifies the authenticity of the given ref OCI image.

diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
@@ -38,6 +38,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	"github.com/fluxcd/pkg/masktoken"
+
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
@@ -422,7 +423,11 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
 		if file, ok := os.LookupEnv("AZURE_FEDERATED_TOKEN_FILE"); ok {
 			if _, ok := os.LookupEnv("AZURE_AUTHORITY_HOST"); ok {
 				if tenantID, ok := os.LookupEnv("AZURE_TENANT_ID"); ok {
-					if token, _ := azidentity.NewWorkloadIdentityCredential(tenantID, clientID, file, &azidentity.WorkloadIdentityCredentialOptions{}); token != nil {
+					if token, _ := azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+						ClientID:      clientID,
+						TenantID:      tenantID,
+						TokenFilePath: file,
+					}); token != nil {
 						creds = append(creds, token)
 					}
 				}