get.porter.sh/porter@v1.3.0/pkg/signing/plugins/cosign/cosign.go (about)

     1  package cosign
     2  
import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"

	"get.porter.sh/porter/pkg/portercontext"
	"get.porter.sh/porter/pkg/signing/plugins"
	"get.porter.sh/porter/pkg/tracing"
)
    14  
// Compile-time assertion that *Cosign satisfies plugins.SigningProtocol.
var _ plugins.SigningProtocol = (*Cosign)(nil)
    16  
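// Cosign is a signing plugin that shells out to the `cosign` binary found on
// PATH to sign and verify OCI image references.
//
// The fields are copied verbatim from the plugin configuration (see
// NewSigner) and are handed to cosign as flags or environment variables:
//
//   - PublicKey: value of `--key` for `cosign verify`.
//   - PrivateKey: value of `--key` for `cosign sign`. It is placed on the
//     command line as-is, so it is visible in the process argument list.
//   - RegistryMode: `--registry-referrers-mode` for sign; when it equals
//     "oci-1-1", verify additionally passes `--experimental-oci11`.
//   - Experimental: sets COSIGN_EXPERIMENTAL=1 in the environment of the
//     `cosign sign` child process.
//   - InsecureRegistry: adds `--allow-insecure-registry` to both sign and
//     verify, relaxing registry transport security.
//
// Note that signing runs with `--tlog-upload=false` and verification with
// `--insecure-ignore-tlog`, so no transparency-log evidence is produced or
// checked by this plugin.
type Cosign struct {
	PublicKey        string
	PrivateKey       string
	RegistryMode     string
	Experimental     bool
	InsecureRegistry bool
}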
    25  
// NewSigner builds a Cosign plugin from cfg by copying each configuration
// field onto the returned struct. The porter context c is accepted for
// interface compatibility but is not used here.
func NewSigner(c *portercontext.Context, cfg PluginConfig) *Cosign {
	return &Cosign{
		PublicKey:        cfg.PublicKey,
		PrivateKey:       cfg.PrivateKey,
		RegistryMode:     cfg.RegistryMode,
		Experimental:     cfg.Experimental,
		InsecureRegistry: cfg.InsecureRegistry,
	}
}
    38  
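// Connect checks that a `cosign` binary is available by running
// `cosign version`. The binary is resolved through PATH by os/exec; no
// particular version or install location is required or pinned.
//
// A missing binary is reported as "cosign was not found"; a binary that is
// present but fails to run `version` is reported separately, wrapping the
// underlying exec error so callers can tell the two cases apart. ctx bounds
// the child process via exec.CommandContext.
func (s *Cosign) Connect(ctx context.Context) error {
	_, log := tracing.StartSpan(ctx)
	defer log.EndSpan()

	if err := exec.CommandContext(ctx, "cosign", "version").Run(); err != nil {
		// exec.LookPath failures surface as *exec.Error wrapping ErrNotFound;
		// anything else means cosign exists but `cosign version` failed.
		if errors.Is(err, exec.ErrNotFound) {
			return errors.New("cosign was not found")
		}
		return fmt.Errorf("cosign was found but 'cosign version' failed: %w", err)
	}

	return nil
}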
    49  
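// Sign runs `cosign sign` to create a signature for the image at ref with the
// configured private key and store it in the registry.
//
// Flags that matter for the security posture:
//   - --key s.PrivateKey: passed verbatim on the command line (a key file
//     path or whatever key reference cosign accepts), so it is visible in
//     the process argument list.
//   - --tlog-upload=false: the signature is NOT recorded in a transparency
//     log; Verify compensates by passing --insecure-ignore-tlog.
//   - --yes: suppresses cosign's interactive confirmation prompts.
//   - --registry-referrers-mode s.RegistryMode: only when a mode is set.
//   - --allow-insecure-registry: only when s.InsecureRegistry is set; this
//     relaxes registry transport security.
//
// COSIGN_EXPERIMENTAL=1 is appended to the child environment when
// s.Experimental is set; otherwise the child inherits this process's
// environment unchanged.
//
// ref is handed to cosign as a positional argument, so an empty value or one
// beginning with "-" is rejected up front rather than letting cosign parse it
// as an extra flag. On failure the returned error wraps the exec error and
// includes cosign's combined stdout/stderr.
func (s *Cosign) Sign(ctx context.Context, ref string) error {
	_, log := tracing.StartSpan(ctx)
	defer log.EndSpan()
	log.Infof("Cosign Signer is Signing %s", ref)

	// A well-formed image reference never starts with "-"; refusing these
	// prevents a crafted ref from being interpreted as a cosign flag.
	if ref == "" || strings.HasPrefix(ref, "-") {
		return fmt.Errorf("invalid image reference %q", ref)
	}

	args := []string{"sign", ref, "--tlog-upload=false", "--key", s.PrivateKey, "--yes"}
	if s.RegistryMode != "" {
		args = append(args, "--registry-referrers-mode", s.RegistryMode)
	}
	if s.InsecureRegistry {
		args = append(args, "--allow-insecure-registry")
	}

	// CommandContext so a cancelled ctx terminates a hung cosign instead of
	// leaving it running after the caller has given up.
	cmd := exec.CommandContext(ctx, "cosign", args...)
	cmd.Env = append(cmd.Env, os.Environ()...)
	if s.Experimental {
		cmd.Env = append(cmd.Env, "COSIGN_EXPERIMENTAL=1")
	}

	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s: %w", string(out), err)
	}
	log.Infof("%s", out)
	return nil
}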
    73  
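// Verify runs `cosign verify` to check that the image at ref carries a
// signature made by the key pair whose public half is s.PublicKey.
//
// Flags that matter for the security posture:
//   - --key s.PublicKey: the public key (file path or key reference) the
//     signature must validate against.
//   - --insecure-ignore-tlog: transparency-log inclusion is not checked.
//     This is required because Sign uploads nothing to the log, but it also
//     means the check is purely "signed by this key" with no log-backed
//     evidence of when or whether the signature was published.
//   - --experimental-oci11: only when s.RegistryMode == "oci-1-1"; the
//     counterpart to Sign's --registry-referrers-mode.
//   - --allow-insecure-registry: only when s.InsecureRegistry is set.
//
// NOTE(review): unlike Sign, this does not set COSIGN_EXPERIMENTAL even when
// s.Experimental is true; the child simply inherits the process environment.
// Whether verify needs the variable is not established here — confirm
// before changing it.
//
// ref is handed to cosign as a positional argument, so an empty value or one
// beginning with "-" is rejected up front rather than letting cosign parse it
// as an extra flag. On failure the returned error wraps the exec error and
// includes cosign's combined stdout/stderr.
func (s *Cosign) Verify(ctx context.Context, ref string) error {
	_, log := tracing.StartSpan(ctx)
	defer log.EndSpan()

	log.Infof("Cosign Signer is Verifying %s", ref)

	// A well-formed image reference never starts with "-"; refusing these
	// prevents a crafted ref from being interpreted as a cosign flag.
	if ref == "" || strings.HasPrefix(ref, "-") {
		return fmt.Errorf("invalid image reference %q", ref)
	}

	args := []string{"verify", "--key", s.PublicKey, ref, "--insecure-ignore-tlog"}
	if s.RegistryMode == "oci-1-1" {
		args = append(args, "--experimental-oci11")
	}
	if s.InsecureRegistry {
		args = append(args, "--allow-insecure-registry")
	}

	// CommandContext so a cancelled ctx terminates a hung cosign instead of
	// leaving it running after the caller has given up.
	cmd := exec.CommandContext(ctx, "cosign", args...)
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s: %w", string(out), err)
	}
	log.Infof("%s", out)
	return nil
}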