resolving conflicts from merge with verifiers branch

Tom Meadows · Tom Meadows · commit f23b1f26cc47 · 2022-01-17T15:27:22.000Z
Signed-off-by: Tom Meadows &lt;thomas.meadows@jetstack.io&gt;
diff --git a/README.md b/README.md
@@ -51,25 +51,33 @@ The provider can be configured with a configuration file passed with the
 `-config-file=<file>` flag.
 
 The verification options for specific image references can be configured by
-defining verifiers. 
+defining verifiers for an image reference or image reference pattern. The
+validator iterates over the list of `imageVerifiers` and uses the first
+matching item.
 
-If a matching verifier can't be found then it will return an error for that image
+If a matching item can't be found then it will return an error for that image
 in the response.
 
 ```yaml
-verifiers:
-  # Verify images in the my-project GCR registry with GCP KMS
+imageVerifiers:
+  # Verify images in the my-project GCR registry with GCP KMS and the rekor
+  # server
   - image: "eu.gcr.io/my-project/*"
-    options:
-      key: "gcpkms://projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"
+    verifiers:
+      - options:
+          key: "gcpkms://projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"
+      - options:
+          rekorURL: "https://rekor.sigstore.dev"
 
-  # Verify images from my-registry with cosign.pub
+  # Verify images from my-registry with /cosign.pub
   - image: "my-registry:12345/*"
-    options:
-      key: "/cosign.pub"
+    verifiers:
+      - options:
+          key: "/cosign.pub"
 
   # Verify any other image with the rekor server
   - image: "*"
-    options:
-      rekorURL: "https://rekor.sigstore.dev"
+    verifiers:
+      - options:
+          rekorURL: "https://rekor.sigstore.dev"
 ```
diff --git a/config.go b/config.go
@@ -1,3 +1,17 @@
+// Copyright The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package main
 
 import (
diff --git a/provider.go b/provider.go
@@ -37,6 +37,8 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/pkg/oci"
 	sigs "github.com/sigstore/cosign/pkg/signature"
+	rekorclient "github.com/sigstore/rekor/pkg/generated/client"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/payload"
 )
 
@@ -129,8 +131,8 @@ func validate(cfg *Config) func(w http.ResponseWriter, req *http.Request) {
 }
 
 type checkedMetadata struct {
-	ImageSignatures       []payload.SimpleContainerImage `json:"imageSignatures"`
-	AttestationSignatures []in_toto.Statement            `json:"attestationSignatures"`
+	Signatures   []payload.SimpleContainerImage `json:"signatures"`
+	Attestations []in_toto.Statement            `json:"attestations"`
 }
 
 func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier) (*checkedMetadata, error) {
@@ -149,17 +151,19 @@ func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier
 			RootCerts:          fulcio.GetRoots(),
 		}
 		if o.Options.RekorURL != "" {
-			rekorClient, err := rekor.NewClient(o.Options.RekorURL)
+			var rekorClient *rekorclient.Rekor
+			rekorClient, err = rekor.NewClient(o.Options.RekorURL)
 			if err != nil {
-				return nil, fmt.Errorf("rekor.NewClient: %v", err)
+				return nil, fmt.Errorf("creating rekor client: %v", err)
 			}
 			co.RekorClient = rekorClient
-			fmt.Printf("using rekor url %s to verify %s\n", o.Options.RekorURL, key)
+			fmt.Printf("error using rekor url %s to verify %s\n", o.Options.RekorURL, key)
 		}
 		if o.Options.Key != "" {
-			pubKey, err := sigs.PublicKeyFromKeyRef(ctx, o.Options.Key)
+			var pubKey signature.Verifier
+			pubKey, err = sigs.PublicKeyFromKeyRef(ctx, o.Options.Key)
 			if err != nil {
-				return nil, fmt.Errorf("publicKeyFromKeyRef: %v", err)
+				return nil, fmt.Errorf("error getting public key from key reference: %v", err)
 			}
 			pkcs11Key, ok := pubKey.(*pkcs11key.Key)
 			if ok {
@@ -171,14 +175,14 @@ func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier
 
 		ref, err := name.ParseReference(key)
 		if err != nil {
-			return nil, fmt.Errorf("parseReference: %v", err)
+			return nil, fmt.Errorf("error parsing image reference: %v", err)
 		}
 
 		metadata := &checkedMetadata{}
 		if contains(o.Verifies, "imageSignature") {
 			checkedSignatures, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co)
 			if err != nil {
-				return nil, fmt.Errorf("verifyImageSignatures: %v", err)
+				return nil, fmt.Errorf("error verifying image signatures: %v", err)
 			}
 
 			if co.RekorClient != nil && !bundleVerified {
@@ -189,9 +193,9 @@ func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier
 				return nil, fmt.Errorf("no valid signatures found for %s", key)
 			}
 
-			metadata.ImageSignatures, err = formatSignaturePayloads(checkedSignatures)
+			metadata.Signatures, err = formatSignaturePayloads(checkedSignatures)
 			if err != nil {
-				return nil, fmt.Errorf("formatSignaturePayloads: %v", err)
+				return nil, fmt.Errorf("error formatting signature payload: %v", err)
 			}
 
 			fmt.Println("signature verified for: ", key)
@@ -202,7 +206,7 @@ func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier
 
 			checkedAttestations, bundleVerified, err := cosign.VerifyImageAttestations(ctx, ref, co)
 			if err != nil {
-				return nil, fmt.Errorf("verifyImageAttestations: %v", err)
+				return nil, fmt.Errorf("error verifying attestations: %v", err)
 			}
 			if co.RekorClient != nil && !bundleVerified {
 				return nil, fmt.Errorf("no valid attestations found for: %s", key)
@@ -213,7 +217,7 @@ func verifyImageSignatures(ctx context.Context, key string, verifiers []Verifier
 				return nil, fmt.Errorf("formatAttestations: %v", err)
 			}
 
-			metadata.AttestationSignatures = AttestationPayloads
+			metadata.Attestations = AttestationPayloads
 
 			fmt.Println("attestation verified for: ", key)
 			fmt.Printf("%d number of valid attestations found for %s, found attestations: %v\n", len(checkedAttestations), key, checkedAttestations)
@@ -254,7 +258,7 @@ func formatAttestations(verifiedAttestations []oci.Signature) ([]in_toto.Stateme
 
 		statementRaw, err := base64.StdEncoding.DecodeString(payload)
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "error decoding payload: %v", err)
+			fmt.Fprintf(os.Stderr, "error decoding attestation payload: %v", err)
 		}
 
 		var statement in_toto.Statement
