zotregistry.io/zot@v1.4.4-0.20231124084042-02a8ed785457/pkg/test/signature/cosign.go (about)

     1  package signature
     2  
     3  import (
     4  	"context"
     5  	"encoding/json"
     6  	"fmt"
     7  	"os"
     8  	"path"
     9  	"time"
    10  
    11  	godigest "github.com/opencontainers/go-digest"
    12  	ispec "github.com/opencontainers/image-spec/specs-go/v1"
    13  	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
    14  	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
    15  	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
    16  )
    17  
// GetCosignSignatureTagForManifest returns the tag under which cosign's legacy
// (non-referrers) flow stores the signature for manifest, in the form
// "<alg>-<hex>.sig", derived from the digest of the manifest's JSON encoding.
//
// The digest is taken over the bytes json.Marshal produces here. It matches
// the registry's view of the manifest only if exactly those bytes were pushed;
// a manifest stored with different whitespace or field order has a different
// digest and therefore a different signature tag, so callers should build the
// pushed manifest from the same struct.
//
// Returns an error only if the manifest cannot be marshalled.
func GetCosignSignatureTagForManifest(manifest ispec.Manifest) (string, error) {
	encoded, err := json.Marshal(manifest)
	if err != nil {
		return "", err
	}

	return GetCosignSignatureTagForDigest(godigest.FromBytes(encoded)), nil
}
    28  
// GetCosignSignatureTagForDigest maps a manifest digest such as
// "sha256:abcd..." to cosign's legacy signature tag "sha256-abcd....sig".
//
// The tag is purely a naming convention: it lets a client find the signature
// artifact for a subject digest, but the tag itself is mutable registry state
// and carries no integrity guarantee. Verification must still bind the
// signature payload to the subject digest.
//
// The digest is assumed to be well formed ("<alg>:<hex>"); go-digest panics
// on a value without the ':' separator.
func GetCosignSignatureTagForDigest(manifestDigest godigest.Digest) string {
	algo := manifestDigest.Algorithm().String()
	hex := manifestDigest.Encoded()

	return fmt.Sprintf("%s-%s.sig", algo, hex)
}
    32  
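// SignImageUsingCosign signs the image localhost:<port>/<repoTag> with a
// throw-away cosign key pair and uploads the signature to that registry.
//
// This is a test helper, not a reusable signer: the registry is reached over
// plain HTTP (AllowInsecure), the private key is protected by an empty
// passphrase, and the whole key pair lives in a temporary directory that is
// deleted before the function returns, so signatures produced here cannot be
// verified against that key afterwards.
//
// withReferrers makes cosign store the signature through the OCI 1.1
// referrers API instead of the legacy "<alg>-<hex>.sig" tag (see
// GetCosignSignatureTagForDigest).
//
// The helper mutates process-wide state for its duration — the working
// directory and the COSIGN_PASSWORD environment variable — and restores both
// on return. Callers must therefore not run it concurrently with other tests
// (no t.Parallel()).
//
// Returns any error from creating the temporary directory and key pair, or
// from cosign's sign command.
func SignImageUsingCosign(repoTag, port string, withReferrers bool) error {
	tdir, err := os.MkdirTemp("", "cosign")
	if err != nil {
		return err
	}

	// Best-effort cleanup of the key material; the error is deliberately
	// ignored because a test has nothing useful to do with it.
	defer os.RemoveAll(tdir)

	cwd, err := os.Getwd()
	if err != nil {
		return err
	}

	// Registered after RemoveAll so that, with LIFO defer order, we leave
	// tdir before it is deleted (removing the current directory is not
	// portable across platforms).
	defer func() { _ = os.Chdir(cwd) }()

	// GenerateKeyPairCmd is expected to write cosign.key/cosign.pub into the
	// current directory, hence the chdir. A failed Chdir must be fatal:
	// carrying on would drop cosign.key into the caller's directory and the
	// signing step below would then fail looking for it under tdir.
	if err := os.Chdir(tdir); err != nil {
		return err
	}

	// cosign's generate.GetPass (used as PassFunc below) presumably reads the
	// passphrase from COSIGN_PASSWORD; setting it to empty keeps key
	// generation and signing non-interactive. Remember the previous value so
	// the variable does not leak into later tests.
	prevPass, hadPass := os.LookupEnv("COSIGN_PASSWORD")
	if err := os.Setenv("COSIGN_PASSWORD", ""); err != nil {
		return err
	}

	defer func() {
		if hadPass {
			_ = os.Setenv("COSIGN_PASSWORD", prevPass)

			return
		}

		_ = os.Unsetenv("COSIGN_PASSWORD")
	}()

	// Generate the ephemeral key pair (prefix "cosign", no KMS).
	if err := generate.GenerateKeyPairCmd(context.TODO(), "", "cosign", nil); err != nil {
		return err
	}

	imageURL := fmt.Sprintf("localhost:%s/%s", port, repoTag)

	const timeoutPeriod = 5

	signOpts := options.SignOptions{
		// Plain-HTTP registry: acceptable only because it is the local test
		// instance; never copy this into production signing code.
		Registry:          options.RegistryOptions{AllowInsecure: true},
		AnnotationOptions: options.AnnotationOptions{Annotations: []string{"tag=1.0"}},
		Upload:            true,
	}

	if withReferrers {
		signOpts.RegistryExperimental = options.RegistryExperimentalOptions{
			RegistryReferrersMode: options.RegistryReferrersModeOCI11,
		}
	}

	// Sign and upload. NOTE(review): path.Join is slash-only; it is adequate
	// for the POSIX hosts this helper is expected to run on, but
	// filepath.Join would be the portable choice.
	return sign.SignCmd(&options.RootOptions{Verbose: true, Timeout: timeoutPeriod * time.Minute},
		options.KeyOpts{KeyRef: path.Join(tdir, "cosign.key"), PassFunc: generate.GetPass},
		signOpts,
		[]string{imageURL})
}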