diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a0a1fef3d30..ab9b1389ca4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -44,20 +44,22 @@ jobs: packages: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true # will use the latest release available for ko - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 + - uses: ko-build/setup-ko@d982fec422852203cfb2053a8ec6ad302280d04d # v0.8 - name: Set up Cloud SDK - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 + uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-cosign' service_account: 'github-actions@projectsigstore.iam.gserviceaccount.com' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ada22ee0947..0c07673abba 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -51,10 +51,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Utilize Go Module Cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: | ~/go/pkg/mod @@ -64,9 +66,9 @@ jobs: ${{ runner.os }}-go- - name: Set correct version of Golang to use during CodeQL run - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true # Initializes the CodeQL tools for scanning. diff --git a/.github/workflows/conformance-nightly.yml b/.github/workflows/conformance-nightly.yml new file mode 100644 index 00000000000..83f69eb9593 --- /dev/null +++ b/.github/workflows/conformance-nightly.yml @@ -0,0 +1,73 @@ +# Copyright 2024 The Sigstore Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: Conformance Tests Nightly + +on: + schedule: + - cron: '0 0 * * *' # 12:00 AM UTC + workflow_dispatch: + +permissions: + contents: read + issues: write + +jobs: + conformance: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' + check-latest: true + + - run: make cosign conformance + + - uses: sigstore/sigstore-conformance@main + with: + entrypoint: ${{ github.workspace }}/conformance + + - name: Create Issue on Failure + if: failure() + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { owner, repo } = context.repo; + const runId = context.runId; + const issueTitle = 'Conformance Tests Failed'; + const issueBody = `The nightly conformance tests have failed. Please check the logs for more details.\n\nWorkflow run: https://github.com/${owner}/${repo}/actions/runs/${runId}\n\ncc @sigstore/security-response-team @sigstore/cosign-codeowners`; + const issueLabel = 'bug'; + + const existingIssues = await github.rest.issues.listForRepo({ + owner, + repo, + state: 'open', + labels: issueLabel, + }); + + const issueExists = existingIssues.data.some(issue => issue.title === issueTitle); + + if (!issueExists) { + await github.rest.issues.create({ + owner, + repo, + title: issueTitle, + body: issueBody, + labels: [issueLabel], + }); + } diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 78e81812349..ba4e84dee02 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -29,14 +29,16 @@ jobs: conformance: runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true - run: make cosign conformance - - uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11 + - uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16 with: entrypoint: ${{ github.workspace }}/conformance diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 5ae3aa5ecfe..7a28520a00a 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -35,7 +35,9 @@ jobs: steps: - name: Check out code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v2.4.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v2.4.0 + with: + persist-credentials: false - name: Do Not Submit uses: chainguard-dev/actions/donotsubmit@84c993eaf02da1c325854fb272a4df9184bd80fc # main diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 39e1e1fa560..78820265f46 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -39,10 +39,12 @@ jobs: runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true - name: Run cross platform e2e tests @@ -52,10 +54,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true - name: Run pkcs11 end-to-end tests @@ -82,17 +86,19 @@ jobs: VAULT_TOKEN: "root" VAULT_ADDR: "http://localhost:8200" COSIGN_YES: "true" - SCAFFOLDING_RELEASE_VERSION: "v0.7.11" + SCAFFOLDING_RELEASE_VERSION: "v0.7.18" steps: - name: Checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: setup vault - uses: cpanato/vault-installer@892767a16fcd6afa5c4cceb557a6aacb73427ebb # v1.1.0 + uses: cpanato/vault-installer@e7c1d664fa15219e89e43739e39a9df11ba00849 # v1.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 @@ -112,13 +118,15 @@ jobs: runs-on: ubuntu-latest env: - SCAFFOLDING_RELEASE_VERSION: "v0.7.11" + SCAFFOLDING_RELEASE_VERSION: "v0.7.18" steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true - name: Setup mirror diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index f92b097e455..2c1b45c307a 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml @@ -48,10 +48,12 @@ jobs: COSIGN_YES: "true" steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true - name: build cosign and check sign-blob and verify-blob shell: bash diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml index 229aae66d4f..37827d9634d 100644 --- a/.github/workflows/github-oidc.yaml +++ b/.github/workflows/github-oidc.yaml @@ -48,15 +48,17 @@ jobs: KO_PREFIX: ghcr.io/${{ github.repository }} steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true cache: true # Install tools. - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 + - uses: ko-build/setup-ko@d982fec422852203cfb2053a8ec6ad302280d04d # v0.8 - name: build cosign from the HEAD run: | diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index e3b263daea2..aa4fc6fe473 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -31,16 +31,17 @@ jobs: contents: read steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 + uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0 with: - version: v1.60 - args: --timeout=5m + version: v1.63 golangci-test-e2e: name: lint-test-e2e @@ -50,13 +51,15 @@ jobs: contents: read steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: '1.22' + go-version-file: 'go.mod' check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 + uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0 with: - version: v1.60 + version: v1.63 args: --timeout=5m --build-tags e2e ./test diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml index 9e1a0663580..7d15639047e 100644 --- a/.github/workflows/kind-verify-attestation.yaml +++ b/.github/workflows/kind-verify-attestation.yaml @@ -33,7 +33,10 @@ jobs: strategy: matrix: k8s-version: - - v1.27.x + - v1.29.x + - v1.30.x + - v1.31.x + - v1.32.x tuf-root: - remote - air-gap @@ -43,24 +46,26 @@ jobs: env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.7.11" + SCAFFOLDING_RELEASE_VERSION: "v0.7.18" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko COSIGN_YES: "true" steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true # will use the latest release available for ko - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 + - uses: ko-build/setup-ko@d982fec422852203cfb2053a8ec6ad302280d04d # v0.8 - name: Install yq - uses: mikefarah/yq@bbdd97482f2d439126582a59689eb1c855944955 # v4.44.3 + uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 - name: build cosign run: | @@ -108,25 +113,25 @@ jobs: - name: Sign demoimage with cosign run: | - ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} + ./cosign sign --rekor-url ${REKOR_URL} --fulcio-url ${FULCIO_URL} --yes --allow-insecure-registry ${demoimage} --identity-token ${OIDC_TOKEN} - name: Create attestation for it run: | echo -n 'foobar e2e test' > ./predicate-file - ./cosign attest --predicate ./predicate-file --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} + ./cosign attest --predicate ./predicate-file --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} - name: Sign a blob run: | - ./cosign sign-blob README.md --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --output-certificate cert.pem --output-signature sig --yes --identity-token ${{ env.OIDC_TOKEN }} + ./cosign sign-blob README.md --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --output-certificate cert.pem --output-signature sig --yes --identity-token ${OIDC_TOKEN} - name: Verify with cosign run: | - ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" + ./cosign verify --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" - name: Verify custom attestation with cosign, works run: | echo '::group:: test custom verify-attestation success' - if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then + if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} ; then echo Failed to verify attestation with a valid policy exit 1 else @@ -137,7 +142,7 @@ jobs: - name: Verify custom attestation with cosign, fails run: | echo '::group:: test custom verify-attestation success' - if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo custom verify-attestation succeeded with cue policy that should not work exit 1 else @@ -147,7 +152,7 @@ jobs: - name: Verify a blob run: | - ./cosign verify-blob README.md --rekor-url ${{ env.REKOR_URL }} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" + ./cosign verify-blob README.md --rekor-url ${REKOR_URL} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" - name: Collect diagnostics if: ${{ failure() }} @@ -155,12 +160,12 @@ jobs: - name: Create vuln attestation for it run: | - ./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} + ./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url ${FULCIO_URL} --rekor-url ${REKOR_URL} --allow-insecure-registry --yes ${demoimage} --identity-token ${OIDC_TOKEN} - name: Verify vuln attestation with cosign, works run: | echo '::group:: test vuln verify-attestation success' - if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo Failed to verify attestation with a valid policy exit 1 else @@ -171,7 +176,7 @@ jobs: - name: Verify vuln attestation with cosign, fails run: | echo '::group:: test vuln verify-attestation success' - if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then + if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${REKOR_URL} --allow-insecure-registry ${demoimage} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then echo verify-attestation succeeded with cue policy that should not work exit 1 else diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml index 624724c57ee..c1b5a7eacb2 100644 --- a/.github/workflows/scorecard-action.yml +++ b/.github/workflows/scorecard-action.yml @@ -40,7 +40,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -61,7 +61,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 6ef3dafdaf0..a8e6ac3fb81 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -28,11 +28,6 @@ on: branches: ['main', 'release-*'] pull_request: -permissions: read-all - -env: - GO_VERSION: '1.22' - jobs: unit-tests: name: Run unit tests @@ -46,9 +41,11 @@ jobs: OS: ${{ matrix.os }} steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: # In order: # * Module download cache @@ -63,9 +60,9 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: ${{ env.GO_VERSION }} + go-version-file: 'go.mod' check-latest: true - name: Run Go tests env: @@ -73,7 +70,7 @@ jobs: GODEBUG: x509sha1=1 run: go test -tags=sct -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 + uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1 with: env_vars: OS - name: Run Go tests w/ `-race` @@ -86,9 +83,13 @@ jobs: e2e-tests: name: Run e2e tests runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Related to https://github.com/sigstore/cosign/issues/3149 - name: free up disk space run: | @@ -143,7 +144,7 @@ jobs: - name: check disk space run: df -h # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: # In order: # * Module download cache @@ -158,11 +159,11 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: ${{ env.GO_VERSION }} + go-version-file: 'go.mod' check-latest: true - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 + - uses: ko-build/setup-ko@d982fec422852203cfb2053a8ec6ad302280d04d # v0.8 - name: setup kind cluster run: | # Used to test: cosign generate-key-pair k8s://... @@ -179,15 +180,19 @@ jobs: e2e-windows-powershell-tests: name: Run PowerShell E2E tests runs-on: windows-latest + permissions: + contents: read steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: ${{ env.GO_VERSION }} + go-version-file: 'go.mod' check-latest: true # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: # In order: # * Module download cache @@ -205,11 +210,15 @@ jobs: license-check: name: license boilerplate check runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: - go-version: ${{ env.GO_VERSION }} + go-version-file: 'go.mod' check-latest: true - name: Install addlicense run: go install github.com/google/addlicense@latest diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 5facf2f1421..827798b7f80 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -26,14 +26,14 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: ghcr.io/sigstore/cosign/cosign:v2.4.0-dev@sha256:a97b592b9f73390edcd6ceb5799a62513a906cbdffcdc63f53585910c71b0708 + image: ghcr.io/sigstore/cosign/cosign:v2.4.2-dev@sha256:b69af124cb744c22eba955ebaf9514b42b1556811211e1cd744331350ccd815a steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.22.7-0@sha256:cb23bfe5773191f1ccc9d60fb73392d5ffc87257e2e019ffe81edb8b352a5284 \ + cosign verify ghcr.io/gythialy/golang-cross:v1.23.6-0@sha256:6e8da612570af388b204b833c0925c669d00f7654cf964e5bc3e808013234c05 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.22.7-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.23.6-0" env: TUF_ROOT: /tmp @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.22.7-0@sha256:cb23bfe5773191f1ccc9d60fb73392d5ffc87257e2e019ffe81edb8b352a5284 + image: ghcr.io/gythialy/golang-cross:v1.23.6-0@sha256:6e8da612570af388b204b833c0925c669d00f7654cf964e5bc3e808013234c05 volumes: - /usr:/host_usr - /opt:/host_opt @@ -51,7 +51,9 @@ jobs: permissions: {} steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Error: fatal: detected dubious ownership in repository at '/__w/cosign/cosign' # To add an exception for this directory, call: diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml index a4c8b4041d4..5a962f96129 100644 --- a/.github/workflows/verify-docgen.yaml +++ b/.github/workflows/verify-docgen.yaml @@ -36,9 +36,11 @@ jobs: steps: - name: deps run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - go-version: '1.22' + persist-credentials: false + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 + with: + go-version-file: 'go.mod' check-latest: true - run: ./cmd/help/verify.sh diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index a2baf4367c1..cf082181e06 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -34,7 +34,9 @@ jobs: steps: - name: Check out code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: chainguard-dev/actions/trailing-space@7071df0659dbd4a79804731f0da2d0f1dba0b356 # main if: ${{ always() }} diff --git a/.gitignore b/.gitignore index b2f7ef0bdb1..20b7cd3775e 100644 --- a/.gitignore +++ b/.gitignore @@ -30,5 +30,7 @@ cosignImagerefs bundle signature certificate +sigstore-conformance +conformance **verify-experimental* diff --git a/.golangci.yml b/.golangci.yml index 0c11ef40e40..6ea232c0165 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -42,8 +42,9 @@ linters-settings: - 'os\.Getenv.*' - 'os\.LookupEnv.*' exclude-godoc-examples: false -output: - uniq-by-line: false + gosec: + excludes: + - G115 # integer overflow conversion int64 -> uint64 issues: exclude-rules: - path: _test\.go @@ -55,6 +56,7 @@ issues: - forbidigo max-issues-per-linter: 0 max-same-issues: 0 + uniq-by-line: false run: issues-exit-code: 1 timeout: 10m diff --git a/.goreleaser.yml b/.goreleaser.yml index fda598af27c..ad1b89c478f 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -11,7 +11,7 @@ env: before: hooks: - go mod tidy - - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' + - git --no-pager diff --exit-code go.mod go.sum gomod: proxy: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 61a6cfb8206..1efa651ba8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,47 @@ +# v2.4.2 + +## Features + +* Updated open-policy-agent to 1.1.0 library (#4036) + - Note that only Rego v0 policies are supported at this time +* Add UseSignedTimestamps to CheckOpts, refactor TSA options (#4006) +* Add support for verifying root checksum in cosign initialize (#3953) +* Detect if user supplied a valid protobuf bundle (#3931) +* Add a log message if user doesn't provide `--trusted-root` (#3933) +* Support mTLS towards container registry (#3922) +* Add bundle create helper command (#3901) +* Add trusted-root create helper command (#3876) + +## Bug Fixes + +* fix: set tls config while retaining other fields from default http transport (#4007) +* policy fuzzer: ignore known panics (#3993) +* Fix for multiple WithRemote options (#3982) +* Add nightly conformance test workflow (#3979) +* Fix copy --only for signatures + update/align docs (#3904) + +## Documentation + +* Remove usage.md from spec, point to client spec (#3918) +* move reference from gcr to ghcr (#3897) + +## Contributors + +* AdamKorcz +* Aditya Sirish +* Bob Callaway +* Carlos Tadeu Panato Junior +* Cody Soyland +* Colleen Murphy +* Hayden B +* Jussi Kukkonen +* Marco Franssen +* Nianyu Shen +* Slavek Kabrda +* Søren Juul +* Warren Hodgkinson +* Zach Steindler + # v2.4.1 v2.4.1 largely contains bug fixes and updates dependencies. diff --git a/CODEOWNERS b/CODEOWNERS index e765bb242cd..5a90a4cea90 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,19 +1,6 @@ -@sigstore/cosign-codeowners +* @sigstore/cosign-codeowners -# The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order): - -# asraa -# bobcallaway -# dekkagaijin -# dentrax -# developer-guy -# dlorenc -# font -# hectorj2f -# loosebazooka -# luhring -# lukehinds -# mattmoor -# n3wscott -# priyawadhwa -# vaikas +/.github/ @sigstore/dep-maintainers +/release/ @sigstore/dep-maintainers +go.mod @sigstore/dep-maintainers +go.sum @sigstore/dep-maintainers diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cefd858f891..fb482c51771 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -41,6 +41,21 @@ make test **Make sure all tests pass** without any failures or errors. +#### Conformance tests + +To run the conformance tests, first install the conformance test runner: + +```shell +make conformance-runner +``` + +Then build `cosign` and `conformance` (the executable that adapts conformance tests to the cosign command), and run the tests: + +```shell +make cosign conformance +make conformance-tests +``` + ### Running Lint To run the linting checks, use the following command: diff --git a/Dockerfile.cosign.rh b/Dockerfile.cosign.rh index 7e063aa8071..f26833cee13 100644 --- a/Dockerfile.cosign.rh +++ b/Dockerfile.cosign.rh @@ -1,5 +1,5 @@ # Build stage -FROM registry.access.redhat.com/ubi9/go-toolset@sha256:4589c7d8a49990cd846cda580bd0cc11c72cc6121fe8b3f01f94c7c6a28f8a56 AS build-env +FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.23@sha256:4805e1cb2d1bd9d3c5de5d6986056bbda94ca7b01642f721d83d26579d333c60 AS build-env WORKDIR /cosign COPY . . @@ -22,7 +22,7 @@ RUN git config --global --add safe.directory /cosign && \ git update-index --no-assume-unchanged Dockerfile.cosign.rh # Install Cosign -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:fb77e447ab97f3fecd15d2fa5361a99fe2f34b41422e8ebb3612eecd33922fa0 +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:bafd57451de2daa71ed301b277d49bd120b474ed438367f087eac0b885a668dc LABEL description="Cosign is a container signing tool that leverages simple, secure, and auditable signatures based on simple primitives and best practices." LABEL io.k8s.description="Cosign is a container signing tool that leverages simple, secure, and auditable signatures based on simple primitives and best practices." diff --git a/Makefile b/Makefile index c67b4032fb9..0157e022900 100644 --- a/Makefile +++ b/Makefile @@ -84,6 +84,12 @@ cosign: $(SRCS) cosign-pivkey-pkcs11key: $(SRCS) CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign +install: $(SRCS) + CGO_ENABLED=1 $(GOEXE) install -trimpath -ldflags "$(LDFLAGS)" ./cmd/cosign + +install-pivkey-pkcs11key: $(SRCS) + CGO_ENABLED=1 $(GOEXE) install -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" ./cmd/cosign + .PHONY: cross cross: $(foreach GOOS, $(PLATFORMS),\ @@ -106,9 +112,6 @@ lint: golangci-lint ## Run golangci-lint linter test: $(GOEXE) test $(shell $(GOEXE) list ./... | grep -v third_party/) -conformance: - $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/conformance - clean: rm -rf cosign rm -rf dist/ @@ -127,6 +130,34 @@ define create_kocache_path mkdir -p $(KOCACHE_PATH) endef +################### +# conformance tests +################### + +conformance: + $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/conformance + +CONFORMANCE_RUNNER_PATH = sigstore-conformance +$(CONFORMANCE_RUNNER_PATH): + git clone https://github.com/sigstore/sigstore-conformance $@ + +.PHONY: conformance-runner +conformance-runner: + $(MAKE) $(CONFORMANCE_RUNNER_PATH) conformance-runner-pull conformance-runner-build + +.PHONY: conformance-runner-pull +conformance-runner-pull: + cd $(CONFORMANCE_RUNNER_PATH) && git pull + +.PHONY: conformance-runner-build +conformance-runner-build: + cd $(CONFORMANCE_RUNNER_PATH) && $(MAKE) dev + +CONFORMANCE_BIN = $(shell pwd)/conformance +.PHONY: conformance-tests +conformance-tests: + cd $(CONFORMANCE_RUNNER_PATH) && env/bin/pytest test --entrypoint=$(CONFORMANCE_BIN) + ########## # ko build ########## diff --git a/README.md b/README.md index f4ceb7716ad..7083fd71df4 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ Signing OCI containers (and other artifacts) using [Sigstore](https://sigstore.d [![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/cosign)](https://goreportcard.com/report/github.com/sigstore/cosign) [![e2e-tests](https://github.com/sigstore/cosign/actions/workflows/e2e-tests.yml/badge.svg)](https://github.com/sigstore/cosign/actions/workflows/e2e-tests.yml) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5715/badge)](https://bestpractices.coreinfrastructure.org/projects/5715) -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/cosign/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sigstore/cosign) Cosign aims to make signatures **invisible infrastructure**. @@ -63,10 +63,10 @@ introduce breaking changes may be accepted, but will be considered lower priorit ## Dockerfile -Here is how to install and use cosign inside a Dockerfile through the gcr.io/projectsigstore/cosign image: +Here is how to install and use cosign inside a Dockerfile through the ghcr.io/sigstore/cosign/cosign image: ```shell -FROM gcr.io/projectsigstore/cosign:v1.13.0 as cosign-bin +FROM ghcr.io/sigstore/cosign/cosign:v2.4.1 as cosign-bin # Source: https://github.com/chainguard-images/static FROM cgr.dev/chainguard/static:latest diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index 420e16bd631..4d43702aa5e 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go @@ -15,9 +15,6 @@ package main import ( - "crypto/sha256" - "encoding/base64" - "encoding/pem" "fmt" "log" "os" @@ -25,25 +22,18 @@ import ( "path/filepath" "strings" - protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" - protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/sigstore-go/pkg/bundle" - "google.golang.org/protobuf/encoding/protojson" ) var bundlePath *string -var certPath *string var certOIDC *string var certSAN *string var identityToken *string -var signaturePath *string var trustedRootPath *string func usage() { fmt.Println("Usage:") - fmt.Printf("\t%s sign --identity-token TOKEN --signature FILE --certificate FILE FILE\n", os.Args[0]) fmt.Printf("\t%s sign-bundle --identity-token TOKEN --bundle FILE FILE\n", os.Args[0]) - fmt.Printf("\t%s verify --signature FILE --certificate FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0]) fmt.Printf("\t%s verify-bundle --bundle FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0]) } @@ -59,9 +49,6 @@ func parseArgs() { case "--bundle": bundlePath = &os.Args[i+1] i += 2 - case "--certificate": - certPath = &os.Args[i+1] - i += 2 case "--certificate-oidc-issuer": certOIDC = &os.Args[i+1] i += 2 @@ -71,9 +58,6 @@ func parseArgs() { case "--identity-token": identityToken = &os.Args[i+1] i += 2 - case "--signature": - signaturePath = &os.Args[i+1] - i += 2 case "--trusted-root": trustedRootPath = &os.Args[i+1] i += 2 @@ -94,101 +78,10 @@ func main() { args := []string{} switch os.Args[1] { - case "sign": - args = append(args, "sign-blob") - if signaturePath != nil { - args = append(args, "--output-signature", *signaturePath) - } - if certPath != nil { - args = append(args, "--output-certificate", *certPath) - } - args = append(args, "-y") - case "sign-bundle": args = append(args, "sign-blob") args = append(args, "-y") - case "verify": - args = append(args, "verify-blob") - - // TODO: for now, we handle `verify` by constructing a bundle - // (see https://github.com/sigstore/cosign/issues/3700) - // - // Today cosign only supports `--trusted-root` with the new bundle - // format. When cosign supports `--trusted-root` with detached signed - // material, we can supply this content with `--certificate` - // and `--signature` instead. - fileBytes, err := os.ReadFile(os.Args[len(os.Args)-1]) - if err != nil { - log.Fatal(err) - } - - fileDigest := sha256.Sum256(fileBytes) - - pb := protobundle.Bundle{ - MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", - } - - if signaturePath != nil { - sig, err := os.ReadFile(*signaturePath) - if err != nil { - log.Fatal(err) - } - - sigBytes, err := base64.StdEncoding.DecodeString(string(sig)) - if err != nil { - log.Fatal(err) - } - - pb.Content = &protobundle.Bundle_MessageSignature{ - MessageSignature: &protocommon.MessageSignature{ - MessageDigest: &protocommon.HashOutput{ - Algorithm: protocommon.HashAlgorithm_SHA2_256, - Digest: fileDigest[:], - }, - Signature: sigBytes, - }, - } - } - if certPath != nil { - cert, err := os.ReadFile(*certPath) - if err != nil { - log.Fatal(err) - } - - pemCert, _ := pem.Decode(cert) - if pemCert == nil { - log.Fatalf("unable to load cerficate from %s", *certPath) - } - - signingCert := protocommon.X509Certificate{ - RawBytes: pemCert.Bytes, - } - - pb.VerificationMaterial = &protobundle.VerificationMaterial{ - Content: &protobundle.VerificationMaterial_X509CertificateChain{ - X509CertificateChain: &protocommon.X509CertificateChain{ - Certificates: []*protocommon.X509Certificate{&signingCert}, - }, - }, - } - } - - bundleFile, err := os.CreateTemp(os.TempDir(), "bundle.sigstore.json") - if err != nil { - log.Fatal(err) - } - bundleFileName := bundleFile.Name() - pbBytes, err := protojson.Marshal(&pb) - if err != nil { - log.Fatal(err) - } - if err := os.WriteFile(bundleFileName, pbBytes, 0600); err != nil { - log.Fatal(err) - } - bundlePath = &bundleFileName - args = append(args, "--insecure-ignore-tlog") - case "verify-bundle": args = append(args, "verify-blob") @@ -242,20 +135,4 @@ func main() { if err != nil { log.Fatal(err) } - - if os.Args[1] == "sign" && certPath != nil { - // We want the signature to be base64 encoded, but not the certificate - // So base64 decode the certificate - cert, err := os.ReadFile(*certPath) - if err != nil { - log.Fatal(err) - } - certB64Decode, err := base64.StdEncoding.DecodeString(string(cert)) - if err != nil { - log.Fatal(err) - } - if err := os.WriteFile(*certPath, certB64Decode, 0600); err != nil { - log.Fatal(err) - } - } } diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go index beb8ecf0bf9..be4369f87d3 100644 --- a/cmd/cosign/cli/attest/attest_blob.go +++ b/cmd/cosign/cli/attest/attest_blob.go @@ -31,7 +31,8 @@ import ( "strings" "time" - "github.com/pkg/errors" + "errors" + "github.com/secure-systems-lab/go-securesystemslib/dsse" "google.golang.org/protobuf/encoding/protojson" @@ -157,7 +158,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) if err != nil { - return errors.Wrap(err, "signing") + return fmt.Errorf("signing: %w", err) } var rfc3161Timestamp *cbundle.RFC3161Timestamp diff --git a/cmd/cosign/cli/attest/attest_blob_test.go b/cmd/cosign/cli/attest/attest_blob_test.go index f563c7e6f33..3893651536e 100644 --- a/cmd/cosign/cli/attest/attest_blob_test.go +++ b/cmd/cosign/cli/attest/attest_blob_test.go @@ -28,8 +28,9 @@ import ( "strings" "testing" + "errors" + "github.com/in-toto/in-toto-golang/in_toto" - "github.com/pkg/errors" ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/secure-systems-lab/go-securesystemslib/encrypted" "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" diff --git a/cmd/cosign/cli/bundle.go b/cmd/cosign/cli/bundle.go new file mode 100644 index 00000000000..b02a870ef9d --- /dev/null +++ b/cmd/cosign/cli/bundle.go @@ -0,0 +1,71 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cli + +import ( + "context" + + "github.com/spf13/cobra" + + "github.com/sigstore/cosign/v2/cmd/cosign/cli/bundle" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" +) + +func Bundle() *cobra.Command { + cmd := &cobra.Command{ + Use: "bundle", + Short: "Interact with a Sigstore protobuf bundle", + Long: "Tools for interacting with a Sigstore protobuf bundle", + } + + cmd.AddCommand(bundleCreate()) + + return cmd +} + +func bundleCreate() *cobra.Command { + o := &options.BundleCreateOptions{} + + cmd := &cobra.Command{ + Use: "create", + Short: "Create a Sigstore protobuf bundle", + Long: "Create a Sigstore protobuf bundle by supplying signed material", + RunE: func(cmd *cobra.Command, _ []string) error { + bundleCreateCmd := &bundle.CreateCmd{ + Artifact: o.Artifact, + AttestationPath: o.AttestationPath, + BundlePath: o.BundlePath, + CertificatePath: o.CertificatePath, + IgnoreTlog: o.IgnoreTlog, + KeyRef: o.KeyRef, + Out: o.Out, + RekorURL: o.RekorURL, + RFC3161TimestampPath: o.RFC3161TimestampPath, + SignaturePath: o.SignaturePath, + Sk: o.Sk, + Slot: o.Slot, + } + + ctx, cancel := context.WithTimeout(cmd.Context(), ro.Timeout) + defer cancel() + + return bundleCreateCmd.Exec(ctx) + }, + } + + o.AddFlags(cmd) + return cmd +} diff --git a/cmd/cosign/cli/bundle/bundle.go b/cmd/cosign/cli/bundle/bundle.go new file mode 100644 index 00000000000..54778e45e99 --- /dev/null +++ b/cmd/cosign/cli/bundle/bundle.go @@ -0,0 +1,219 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package bundle + +import ( + "context" + "crypto/x509" + "encoding/base64" + "encoding/json" + "encoding/pem" + "fmt" + "os" + + "github.com/secure-systems-lab/go-securesystemslib/dsse" + "github.com/sigstore/rekor/pkg/generated/client" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" + + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/pkg/cosign/bundle" + "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" + "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" + sigs "github.com/sigstore/cosign/v2/pkg/signature" +) + +type CreateCmd struct { + Artifact string + AttestationPath string + BundlePath string + CertificatePath string + IgnoreTlog bool + KeyRef string + Out string + RekorURL string + RFC3161TimestampPath string + SignaturePath string + Sk bool + Slot string +} + +func (c *CreateCmd) Exec(ctx context.Context) (err error) { + if c.Artifact == "" { + return fmt.Errorf("must supply --artifact") + } + + // We require some signature + if options.NOf(c.BundlePath, c.SignaturePath) == 0 { + return fmt.Errorf("must at least supply signature via --bundle or --signature") + } + + var cert *x509.Certificate + var envelope dsse.Envelope + var rekorClient *client.Rekor + var sigBytes, signedTimestamp []byte + var sigVerifier signature.Verifier + + if c.BundlePath != "" { + b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath) + if err != nil { + return err + } + + if b.Cert != "" { + certPEM, err := base64.StdEncoding.DecodeString(b.Cert) + if err != nil { + return err + } + certs, err := cryptoutils.UnmarshalCertificatesFromPEM(certPEM) + if err != nil { + return err + } + if len(certs) == 0 { + return fmt.Errorf("no certs found in bundle") + } + cert = certs[0] + } + + if b.Base64Signature != "" { + // Could be a DSSE envelope or plain signature + signature, err := base64.StdEncoding.DecodeString(b.Base64Signature) + if err != nil { + return err + } + + // See if DSSE JSON unmashalling succeeds + err = json.Unmarshal(signature, &envelope) + if err != nil { + // Guess that it is a plain signature + sigBytes = signature + } + } + } + + if c.SignaturePath != "" { + signatureB64, err := os.ReadFile(c.SignaturePath) + if err != nil { + return err + } + + sigBytes, err = base64.StdEncoding.DecodeString(string(signatureB64)) + if err != nil { + return err + } + } + + if c.RFC3161TimestampPath != "" { + timestampBytes, err := os.ReadFile(c.RFC3161TimestampPath) + if err != nil { + return err + } + + var rfc3161Timestamp bundle.RFC3161Timestamp + err = json.Unmarshal(timestampBytes, &rfc3161Timestamp) + if err != nil { + return err + } + + signedTimestamp = rfc3161Timestamp.SignedRFC3161Timestamp + } + + if c.CertificatePath != "" { + certBytes, err := os.ReadFile(c.CertificatePath) + if err != nil { + return err + } + + certDecoded, err := base64.StdEncoding.DecodeString(string(certBytes)) + if err != nil { + return err + } + + block, _ := pem.Decode(certDecoded) + if block == nil { + return fmt.Errorf("unable to decode provided certificate") + } + + cert, err = x509.ParseCertificate(block.Bytes) + if err != nil { + return err + } + } + + if c.AttestationPath != "" { + attestationBytes, err := os.ReadFile(c.AttestationPath) + if err != nil { + return err + } + + err = json.Unmarshal(attestationBytes, &envelope) + if err != nil { + return err + } + } + + if c.KeyRef != "" { + sigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) + if err != nil { + return fmt.Errorf("loading public key: %w", err) + } + pkcs11Key, ok := sigVerifier.(*pkcs11key.Key) + if ok { + defer pkcs11Key.Close() + } + } else if c.Sk { + sk, err := pivkey.GetKeyWithSlot(c.Slot) + if err != nil { + return fmt.Errorf("opening piv token: %w", err) + } + defer sk.Close() + sigVerifier, err = sk.Verifier() + if err != nil { + return fmt.Errorf("loading public key from token: %w", err) + } + } + + if c.RekorURL != "" { + rekorClient, err = rekor.NewClient(c.RekorURL) + if err != nil { + return err + } + } + + bundle, err := verify.AssembleNewBundle(ctx, sigBytes, signedTimestamp, &envelope, c.Artifact, cert, c.IgnoreTlog, sigVerifier, nil, rekorClient) + if err != nil { + return err + } + + bundleBytes, err := bundle.MarshalJSON() + if err != nil { + return err + } + + if c.Out != "" { + err = os.WriteFile(c.Out, bundleBytes, 0600) + if err != nil { + return err + } + } else { + fmt.Println(string(bundleBytes)) + } + + return nil +} diff --git a/cmd/cosign/cli/bundle/bundle_test.go b/cmd/cosign/cli/bundle/bundle_test.go new file mode 100644 index 00000000000..4b64a7aea9c --- /dev/null +++ b/cmd/cosign/cli/bundle/bundle_test.go @@ -0,0 +1,150 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package bundle + +import ( + "context" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/json" + "encoding/pem" + "os" + "path/filepath" + "testing" + + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/cosign/v2/test" + sgBundle "github.com/sigstore/sigstore-go/pkg/bundle" + "github.com/sigstore/sigstore/pkg/cryptoutils" +) + +func TestCreateCmd(t *testing.T) { + ctx := context.Background() + + artifact := "hello world" + digest := sha256.Sum256([]byte(artifact)) + + td := t.TempDir() + artifactPath := filepath.Join(td, "artifact") + err := os.WriteFile(artifactPath, []byte(artifact), 0600) + checkErr(t, err) + + // Test signing with a key + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + checkErr(t, err) + sigBytes, err := privateKey.Sign(rand.Reader, digest[:], crypto.SHA256) + checkErr(t, err) + + signature := base64.StdEncoding.EncodeToString(sigBytes) + sigPath := filepath.Join(td, "sig") + err = os.WriteFile(sigPath, []byte(signature), 0600) + checkErr(t, err) + + publicKeyPath := filepath.Join(td, "key.pub") + pubKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) + checkErr(t, err) + pemBlock := &pem.Block{ + Type: "PUBLIC KEY", + Bytes: pubKeyBytes, + } + err = os.WriteFile(publicKeyPath, pem.EncodeToMemory(pemBlock), 0600) + checkErr(t, err) + + outPath := filepath.Join(td, "bundle.sigstore.json") + + bundleCreate := CreateCmd{ + Artifact: artifactPath, + KeyRef: publicKeyPath, + IgnoreTlog: true, + Out: outPath, + SignaturePath: sigPath, + } + + err = bundleCreate.Exec(ctx) + checkErr(t, err) + + b, err := sgBundle.LoadJSONFromPath(outPath) + checkErr(t, err) + + if b.Bundle.VerificationMaterial == nil { + t.Fatal("bundle does not have verification material") + } + + if b.Bundle.VerificationMaterial.GetPublicKey() == nil { + t.Fatal("bundle verification material does not have public key") + } + + if b.Bundle.GetMessageSignature() == nil { + t.Fatal("bundle does not have message signature") + } + + // Test using an identity certificate in an old bundle format + rootCert, rootKey, _ := test.GenerateRootCa() + leafCert, privKey, _ := test.GenerateLeafCert("subject", "oidc-issuer", rootCert, rootKey) + + sigBytes, err = privKey.Sign(rand.Reader, digest[:], crypto.SHA256) + checkErr(t, err) + + signedPayload := cosign.LocalSignedPayload{} + signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sigBytes) + + certBytes, err := cryptoutils.MarshalCertificateToPEM(leafCert) + checkErr(t, err) + + signedPayload.Cert = base64.StdEncoding.EncodeToString(certBytes) + bundleContents, err := json.Marshal(signedPayload) + checkErr(t, err) + + bundlePath := filepath.Join(td, "old-bundle.json") + err = os.WriteFile(bundlePath, bundleContents, 0600) + checkErr(t, err) + + bundleCreate = CreateCmd{ + Artifact: artifactPath, + BundlePath: bundlePath, + IgnoreTlog: true, + Out: outPath, + } + + err = bundleCreate.Exec(ctx) + checkErr(t, err) + + b, err = sgBundle.LoadJSONFromPath(outPath) + checkErr(t, err) + + if b.Bundle.VerificationMaterial == nil { + t.Fatal("bundle does not have verification material") + } + + if b.Bundle.VerificationMaterial.GetCertificate() == nil { + t.Fatal("bundle verification material does not have certificate") + } + + if b.Bundle.GetMessageSignature() == nil { + t.Fatal("bundle does not have message signature") + } +} + +func checkErr(t *testing.T, err error) { + if err != nil { + t.Fatal(err) + } +} diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go index 6c67e890c40..95cac877283 100644 --- a/cmd/cosign/cli/commands.go +++ b/cmd/cosign/cli/commands.go @@ -95,6 +95,7 @@ func New() *cobra.Command { cmd.AddCommand(Attach()) cmd.AddCommand(Attest()) cmd.AddCommand(AttestBlob()) + cmd.AddCommand(Bundle()) cmd.AddCommand(Clean()) cmd.AddCommand(Debug()) cmd.AddCommand(Tree()) @@ -120,6 +121,7 @@ func New() *cobra.Command { cmd.AddCommand(VerifyBlob()) cmd.AddCommand(VerifyBlobAttestation()) cmd.AddCommand(Triangulate()) + cmd.AddCommand(TrustedRoot()) cmd.AddCommand(Env()) cmd.AddCommand(version.WithFont("starwars")) diff --git a/cmd/cosign/cli/copy/copy.go b/cmd/cosign/cli/copy/copy.go index 6575c71fb4b..fefe8d3bc88 100644 --- a/cmd/cosign/cli/copy/copy.go +++ b/cmd/cosign/cli/copy/copy.go @@ -21,7 +21,6 @@ import ( "net/http" "os" "runtime" - "strings" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" @@ -38,7 +37,7 @@ import ( // CopyCmd implements the logic to copy the supplied container image and signatures. // nolint -func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstImg string, sigOnly, force bool, copyOnly, platform string) error { +func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstImg string, sigOnly, force bool, copyOnly []string, platform string) error { no := regOpts.NameOptions() srcRef, err := name.ParseReference(srcImg, no...) if err != nil { @@ -80,7 +79,10 @@ func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstIm } onlyFlagSet := false - tags := parseOnlyOpt(copyOnly, sigOnly) + tags, err := parseOnlyOpt(copyOnly, sigOnly) + if err != nil { + return err + } if len(tags) > 0 { onlyFlagSet = true } else { @@ -180,13 +182,21 @@ func remoteCopy(ctx context.Context, pusher *remote.Pusher, src, dest name.Refer return pusher.Push(ctx, dest, got) } -func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap { +func parseOnlyOpt(onlyFlag []string, sigOnly bool) ([]tagMap, error) { var tags []tagMap - tagSet := sets.New(strings.Split(onlyFlag, ",")...) + tagSet := sets.New(onlyFlag...) if sigOnly { fmt.Fprintf(os.Stderr, "--sig-only is deprecated, use --only=sig instead") - tagSet.Insert("sign") + tagSet.Insert("sig") + } + + validTags := []string{"sig", "sbom", "att"} + validTagsSet := sets.New(validTags...) + for tag := range tagSet { + if !validTagsSet.Has(tag) { + return nil, fmt.Errorf("invalid value for --only: %s, only the following values are supported: %s", tag, validTags) + } } if tagSet.Has("sig") { @@ -198,5 +208,5 @@ func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap { if tagSet.Has("att") { tags = append(tags, ociremote.AttestationTag) } - return tags + return tags, nil } diff --git a/cmd/cosign/cli/copy/copy_test.go b/cmd/cosign/cli/copy/copy_test.go index df66dd68463..737e0df9dd6 100644 --- a/cmd/cosign/cli/copy/copy_test.go +++ b/cmd/cosign/cli/copy/copy_test.go @@ -16,9 +16,11 @@ package copy import ( "context" + "reflect" "testing" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" ) func TestCopyAttachmentTagPrefix(t *testing.T) { @@ -33,7 +35,7 @@ func TestCopyAttachmentTagPrefix(t *testing.T) { err := CopyCmd(ctx, options.RegistryOptions{ RefOpts: refOpts, - }, srcImg, destImg, false, true, "", "") + }, srcImg, destImg, false, true, []string{}, "") if err == nil { t.Fatal("failed to copy with attachment-tag-prefix") } @@ -45,8 +47,124 @@ func TestCopyPlatformOpt(t *testing.T) { srcImg := "alpine" destImg := "test-alpine" - err := CopyCmd(ctx, options.RegistryOptions{}, srcImg, destImg, false, true, "", "linux/amd64") + err := CopyCmd(ctx, options.RegistryOptions{}, srcImg, destImg, false, true, []string{}, "linux/amd64") if err == nil { t.Fatal("failed to copy with platform") } } + +func TestParseOnlyOpt(t *testing.T) { + tests := []struct { + only []string + sigOnly bool + expectErr bool + expectTagMap []tagMap + }{ + { + only: []string{"bogus"}, + sigOnly: true, + expectErr: true, + }, + { + only: []string{}, + sigOnly: true, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag}, + }, + { + only: []string{"sig"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag}, + }, + { + only: []string{"sig"}, + sigOnly: true, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag}, + }, + { + only: []string{"sbom"}, + sigOnly: true, + expectErr: false, + expectTagMap: []tagMap{ociremote.SBOMTag, ociremote.SignatureTag}, + }, + { + only: []string{"att"}, + sigOnly: true, + expectErr: false, + expectTagMap: []tagMap{ociremote.AttestationTag, ociremote.SignatureTag}, + }, + { + only: []string{"sbom"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.SBOMTag}, + }, + { + only: []string{"att"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.AttestationTag}, + }, + { + only: []string{"att", "sbom"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.AttestationTag, ociremote.SBOMTag}, + }, + { + only: []string{"sig", "sbom"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag, ociremote.SBOMTag}, + }, + { + only: []string{"sig", "att"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag, ociremote.AttestationTag}, + }, + { + only: []string{"sig", "att", "sbom"}, + sigOnly: false, + expectErr: false, + expectTagMap: []tagMap{ociremote.SignatureTag, ociremote.AttestationTag, ociremote.SBOMTag}, + }, + { + only: []string{"sig", "att", "sbom", "bad"}, + sigOnly: false, + expectErr: true, + }, + } + + for _, test := range tests { + result, err := parseOnlyOpt(test.only, test.sigOnly) + if (err != nil) != test.expectErr { + t.Errorf("unexpected failure from parseOnlyOpt: expectErr=%v, err = %v", test.expectErr, err) + } else if !compareTagMaps(result, test.expectTagMap) { + t.Errorf("result tag map did not match expected value: result: %v expected: %v", result, test.expectTagMap) + } + } +} + +func compareTagMaps(slice1, slice2 []tagMap) bool { + if len(slice1) != len(slice2) { + return false // Different lengths can't be equal + } + + for _, fn1 := range slice1 { + found := false + for _, fn2 := range slice2 { + if reflect.DeepEqual(reflect.ValueOf(fn1), reflect.ValueOf(fn2)) { + found = true + break // Found a match, move to the next fn1 + } + } + if !found { + return false // fn1 not found in slice2 + } + } + + return true // All functions in slice1 found in slice2 +} diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index d3ef3af5a87..5969d0e8f92 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go @@ -24,6 +24,7 @@ import ( "os" "strings" + "github.com/go-jose/go-jose/v3/jwt" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign/privacy" "github.com/sigstore/cosign/v2/internal/pkg/cosign/fulcio/fulcioroots" @@ -33,7 +34,6 @@ import ( "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/oauthflow" "github.com/sigstore/sigstore/pkg/signature" - "go.step.sm/crypto/jose" "golang.org/x/term" ) @@ -211,7 +211,7 @@ func NewClient(fulcioURL string) (api.LegacyClient, error) { // or a path to an identity token via the --identity-token flag func idToken(s string) (string, error) { // If this is a valid raw token or is empty, just return it - if _, err := jose.ParseSigned(s); err == nil || s == "" { + if _, err := jwt.ParseSigned(s); err == nil || s == "" { return s, nil } diff --git a/cmd/cosign/cli/initialize.go b/cmd/cosign/cli/initialize.go index a701ebb49fa..322ca99eb11 100644 --- a/cmd/cosign/cli/initialize.go +++ b/cmd/cosign/cli/initialize.go @@ -41,19 +41,22 @@ Any updated TUF repository will be written to $HOME/.sigstore/root/. Trusted keys and certificate used in cosign verification (e.g. verifying Fulcio issued certificates with Fulcio root CA) are pulled form the trusted metadata.`, - Example: `cosign initialize -mirror -out + Example: `cosign initialize --mirror --out # initialize root with distributed root keys, default mirror, and default out path. cosign initialize # initialize with an out-of-band root key file, using the default mirror. -cosign initialize -root +cosign initialize --root # initialize with an out-of-band root key file and custom repository mirror. -cosign initialize -mirror -root `, +cosign initialize --mirror --root + +# initialize with an out-of-band root key file and custom repository mirror while verifying root checksum. +cosign initialize --mirror --root --root-checksum `, PersistentPreRun: options.BindViper, RunE: func(cmd *cobra.Command, _ []string) error { - return initialize.DoInitialize(cmd.Context(), o.Root, o.Mirror) + return initialize.DoInitializeWithRootChecksum(cmd.Context(), o.Root, o.Mirror, o.RootChecksum) }, } diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go index 158bc0a5f0d..eca80ea15ea 100644 --- a/cmd/cosign/cli/initialize/init.go +++ b/cmd/cosign/cli/initialize/init.go @@ -20,17 +20,38 @@ import ( _ "embed" // To enable the `go:embed` directive. "encoding/json" "fmt" + "os" + "strings" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/pkg/blob" "github.com/sigstore/sigstore/pkg/tuf" ) func DoInitialize(ctx context.Context, root, mirror string) error { + return doInitialize(ctx, root, mirror, "", true) +} + +func DoInitializeWithRootChecksum(ctx context.Context, root, mirror, rootChecksum string) error { + return doInitialize(ctx, root, mirror, rootChecksum, false) +} + +func doInitialize(ctx context.Context, root, mirror, rootChecksum string, forceSkipChecksumValidation bool) error { // Get the initial trusted root contents. var rootFileBytes []byte var err error if root != "" { - rootFileBytes, err = blob.LoadFileOrURL(root) + if !forceSkipChecksumValidation { + if rootChecksum == "" && (strings.HasPrefix(root, "http://") || strings.HasPrefix(root, "https://")) { + fmt.Fprintln(os.Stderr, options.RootWithoutChecksumDeprecation) + } + } + verifyChecksum := !forceSkipChecksumValidation && (rootChecksum != "") + if verifyChecksum { + rootFileBytes, err = blob.LoadFileOrURLWithChecksum(root, rootChecksum) + } else { + rootFileBytes, err = blob.LoadFileOrURL(root) + } if err != nil { return err } diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go index cb7b9a2ceb3..17174305d1f 100644 --- a/cmd/cosign/cli/options/attach.go +++ b/cmd/cosign/cli/options/attach.go @@ -80,7 +80,7 @@ func (o *AttachSBOMOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.SBOM, "sbom", "", "path to the sbom, or {-} for stdin") - _ = cmd.Flags().SetAnnotation("sbom", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("sbom", sbomExts...) cmd.Flags().StringVar(&o.SBOMType, "type", "spdx", "type of sbom (spdx|cyclonedx|syft)") diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go index 8139cddaefa..eca2c93d492 100644 --- a/cmd/cosign/cli/options/attest.go +++ b/cmd/cosign/cli/options/attest.go @@ -54,18 +54,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{"key"}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate", certificateExts...) cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "", "path to a list of CA X.509 certificates in PEM format which will be needed "+ "when building the certificate chain for the signing certificate. "+ "Must start with the parent intermediate CA certificate of the "+ "signing certificate and end with the root certificate. Included in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate-chain", certificateExts...) cmd.Flags().BoolVar(&o.NoUpload, "no-upload", false, "do not upload the generated attestation") diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go index b6f48b49671..b641c5b328e 100644 --- a/cmd/cosign/cli/options/attest_blob.go +++ b/cmd/cosign/cli/options/attest_blob.go @@ -58,33 +58,34 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{"key"}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate", certificateExts...) cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "", "path to a list of CA X.509 certificates in PEM format which will be needed "+ "when building the certificate chain for the signing certificate. "+ "Must start with the parent intermediate CA certificate of the "+ "signing certificate and end with the root certificate. Included in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate-chain", certificateExts...) cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "", "write the signature to FILE") - _ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-signature", signatureExts...) cmd.Flags().StringVar(&o.OutputAttestation, "output-attestation", "", "write the attestation to FILE") + // _ = cmd.MarkFlagFilename("output-attestation") // no typical extensions cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "", "write the certificate to FILE") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", certificateExts...) cmd.Flags().StringVar(&o.BundlePath, "bundle", "", "write everything required to verify the blob to a FILE") - _ = cmd.Flags().SetAnnotation("bundle", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("bundle", bundleExts...) // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, @@ -107,5 +108,5 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "", "path to an RFC 3161 timestamp bundle FILE") - _ = cmd.Flags().SetAnnotation("rfc3161-timestamp-bundle", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle") // no typical extensions } diff --git a/cmd/cosign/cli/options/bundle.go b/cmd/cosign/cli/options/bundle.go new file mode 100644 index 00000000000..a8a090d4c2b --- /dev/null +++ b/cmd/cosign/cli/options/bundle.go @@ -0,0 +1,87 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package options + +import ( + "github.com/spf13/cobra" +) + +type BundleCreateOptions struct { + Artifact string + AttestationPath string + BundlePath string + CertificatePath string + IgnoreTlog bool + KeyRef string + Out string + RekorURL string + RFC3161TimestampPath string + SignaturePath string + Sk bool + Slot string +} + +var _ Interface = (*BundleCreateOptions)(nil) + +func (o *BundleCreateOptions) AddFlags(cmd *cobra.Command) { + cmd.Flags().StringVar(&o.Artifact, "artifact", "", + "path to artifact FILE") + // _ = cmd.MarkFlagFilename("artifact") // no typical extensions + + cmd.Flags().StringVar(&o.AttestationPath, "attestation", "", + "path to attestation FILE") + // _ = cmd.MarkFlagFilename("attestation") // no typical extensions + + cmd.Flags().StringVar(&o.BundlePath, "bundle", "", + "path to old format bundle FILE") + _ = cmd.MarkFlagFilename("bundle", bundleExts...) + + cmd.Flags().StringVar(&o.CertificatePath, "certificate", "", + "path to the signing certificate, likely from Fulco.") + _ = cmd.MarkFlagFilename("certificate", certificateExts...) + + cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false, + "ignore transparency log verification, to be used when an artifact "+ + "signature has not been uploaded to the transparency log.") + + cmd.Flags().StringVar(&o.KeyRef, "key", "", + "path to the public key file, KMS URI or Kubernetes Secret") + _ = cmd.MarkFlagFilename("key", publicKeyExts...) + + cmd.Flags().StringVar(&o.Out, "out", "", "path to output bundle") + _ = cmd.MarkFlagFilename("out", bundleExts...) + + cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "https://rekor.sigstore.dev", + "address of rekor STL server") + + cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "", + "path to RFC3161 timestamp FILE") + // _ = cmd.MarkFlagFilename("rfc3161-timestamp") // no typical extensions + + cmd.Flags().StringVar(&o.SignaturePath, "signature", "", + "path to base64-encoded signature over attestation in DSSE format") + _ = cmd.MarkFlagFilename("signature", signatureExts...) + + cmd.Flags().BoolVar(&o.Sk, "sk", false, + "whether to use a hardware security key") + + cmd.Flags().StringVar(&o.Slot, "slot", "", + "security key slot to use for generated key (default: signature) "+ + "(authentication|signature|card-authentication|key-management)") + + cmd.MarkFlagsMutuallyExclusive("bundle", "certificate") + cmd.MarkFlagsMutuallyExclusive("bundle", "signature") +} diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go index 3df7b4b962e..b14d408fe20 100644 --- a/cmd/cosign/cli/options/certificate.go +++ b/cmd/cosign/cli/options/certificate.go @@ -46,7 +46,7 @@ var _ Interface = (*RekorOptions)(nil) func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.") - _ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate", certificateExts...) cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "", "The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.") @@ -82,24 +82,25 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) { "when building the certificate chains for the signing certificate. "+ "The flag is optional and must be used together with --ca-roots, conflicts with "+ "--certificate-chain.") - _ = cmd.Flags().SetAnnotation("ca-intermediates", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("ca-intermediates", certificateExts...) cmd.Flags().StringVar(&o.CARoots, "ca-roots", "", "path to a bundle file of CA certificates in PEM format which will be needed "+ "when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.") - _ = cmd.Flags().SetAnnotation("ca-roots", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("ca-roots", certificateExts...) cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "", "path to a list of CA certificates in PEM format which will be needed "+ "when building the certificate chain for the signing certificate. "+ "Must start with the parent intermediate CA certificate of the "+ "signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.") - _ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate-chain", certificateExts...) cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain") cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain") cmd.Flags().StringVar(&o.SCT, "sct", "", "path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+ "If a certificate contains an SCT, verification will check both the detached and embedded SCTs.") + // _ = cmd.MarkFlagFilename("sct") // no typical extensions cmd.Flags().BoolVar(&o.IgnoreSCT, "insecure-ignore-sct", false, "when set, verification will not check that a certificate contains an embedded SCT, a proof of "+ "inclusion in a certificate transparency log") diff --git a/cmd/cosign/cli/options/copy.go b/cmd/cosign/cli/options/copy.go index 7f4d5f373ca..1beafcbabcb 100644 --- a/cmd/cosign/cli/options/copy.go +++ b/cmd/cosign/cli/options/copy.go @@ -21,7 +21,7 @@ import ( // CopyOptions is the top level wrapper for the copy command. type CopyOptions struct { - CopyOnly string + CopyOnly []string SignatureOnly bool Force bool Platform string @@ -34,8 +34,8 @@ var _ Interface = (*CopyOptions)(nil) func (o *CopyOptions) AddFlags(cmd *cobra.Command) { o.Registry.AddFlags(cmd) - cmd.Flags().StringVar(&o.CopyOnly, "only", "", - "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att") + cmd.Flags().StringSliceVar(&o.CopyOnly, "only", []string{}, + "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom") cmd.Flags().BoolVar(&o.SignatureOnly, "sig-only", false, "[DEPRECATED] only copy the image signature") diff --git a/cmd/cosign/cli/options/deprecate.go b/cmd/cosign/cli/options/deprecate.go index 76084afa179..39900375f90 100644 --- a/cmd/cosign/cli/options/deprecate.go +++ b/cmd/cosign/cli/options/deprecate.go @@ -19,3 +19,8 @@ const SBOMAttachmentDeprecation = "WARNING: SBOM attachments are deprecated " + "and support will be removed in a Cosign release soon after 2024-02-22 " + "(see https://github.com/sigstore/cosign/issues/2755). " + "Instead, please use SBOM attestations." + +const RootWithoutChecksumDeprecation = "WARNING: Fetching initial root from URL " + + "without providing its checksum is deprecated and will be disallowed in " + + "a future Cosign release. Please provide the initial root checksum " + + "via the --root-checksum argument." diff --git a/cmd/cosign/cli/options/files.go b/cmd/cosign/cli/options/files.go index 0467ac1c622..1d3bde17c2e 100644 --- a/cmd/cosign/cli/options/files.go +++ b/cmd/cosign/cli/options/files.go @@ -54,5 +54,5 @@ func (o *FilesOptions) String() string { func (o *FilesOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringSliceVarP(&o.Files, "files", "f", nil, ":[platform/arch]") - _ = cmd.Flags().SetAnnotation("files", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("files") // no typical extensions } diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go index 139731a77ce..e30d6b63813 100644 --- a/cmd/cosign/cli/options/fulcio.go +++ b/cmd/cosign/cli/options/fulcio.go @@ -39,6 +39,7 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "", "identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.") + // _ = cmd.MarkFlagFilename("identity-token") // no typical extensions cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "", "fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials") diff --git a/cmd/cosign/cli/options/import_key_pair.go b/cmd/cosign/cli/options/import_key_pair.go index 9c645fed0a0..55e66c226a0 100644 --- a/cmd/cosign/cli/options/import_key_pair.go +++ b/cmd/cosign/cli/options/import_key_pair.go @@ -36,11 +36,11 @@ var _ Interface = (*ImportKeyPairOptions)(nil) func (o *ImportKeyPairOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVarP(&o.Key, "key", "k", "", "import key pair to use for signing") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().StringVarP(&o.OutputKeyPrefix, "output-key-prefix", "o", "import-cosign", "name used for outputted key pairs") - _ = cmd.Flags().SetAnnotation("output-key-prefix", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("output-key-prefix") // no typical extensions cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false, "skip confirmation prompts for overwriting existing key") diff --git a/cmd/cosign/cli/options/initialize.go b/cmd/cosign/cli/options/initialize.go index ab91955ee7c..d5eed5346a6 100644 --- a/cmd/cosign/cli/options/initialize.go +++ b/cmd/cosign/cli/options/initialize.go @@ -22,8 +22,9 @@ import ( // InitializeOptions is the top level wrapper for the initialize command. type InitializeOptions struct { - Mirror string - Root string + Mirror string + Root string + RootChecksum string } var _ Interface = (*InitializeOptions)(nil) @@ -35,5 +36,8 @@ func (o *InitializeOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Root, "root", "", "path to trusted initial root. defaults to embedded root") - _ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{}) + _ = cmd.MarkFlagDirname("root") + + cmd.Flags().StringVar(&o.RootChecksum, "root-checksum", "", + "checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:") } diff --git a/cmd/cosign/cli/options/load.go b/cmd/cosign/cli/options/load.go index 167361d087e..c2c54abc0ff 100644 --- a/cmd/cosign/cli/options/load.go +++ b/cmd/cosign/cli/options/load.go @@ -32,6 +32,6 @@ func (o *LoadOptions) AddFlags(cmd *cobra.Command) { o.Registry.AddFlags(cmd) cmd.Flags().StringVar(&o.Directory, "dir", "", "path to directory where the signed image is stored on disk") - _ = cmd.Flags().SetAnnotation("dir", cobra.BashCompSubdirsInDir, []string{}) + _ = cmd.MarkFlagDirname("dir") _ = cmd.MarkFlagRequired("dir") } diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go index c68421be604..b62e2d14db2 100644 --- a/cmd/cosign/cli/options/oidc.go +++ b/cmd/cosign/cli/options/oidc.go @@ -64,7 +64,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "", "Path to file containing OIDC client secret for application") - _ = cmd.Flags().SetAnnotation("oidc-client-secret-file", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("oidc-client-secret-file") // no typical extensions cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "", "OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.") diff --git a/cmd/cosign/cli/options/options.go b/cmd/cosign/cli/options/options.go index f69d8309e29..014348549d9 100644 --- a/cmd/cosign/cli/options/options.go +++ b/cmd/cosign/cli/options/options.go @@ -21,3 +21,37 @@ type Interface interface { // AddFlags adds this options' flags to the cobra command. AddFlags(cmd *cobra.Command) } + +var bundleExts = []string{ + "bundle", +} +var certificateExts = []string{ + "cert", + "crt", + "pem", +} +var logExts = []string{ + "log", +} +var moduleExts = []string{ + "dll", + "dylib", + "so", +} +var privateKeyExts = []string{ + "key", +} +var publicKeyExts = []string{ + "pub", +} +var sbomExts = []string{ + "json", + "xml", + "spdx", +} +var signatureExts = []string{ + "sig", +} +var wasmExts = []string{ + "wasm", +} diff --git a/cmd/cosign/cli/options/pkcs11_tool.go b/cmd/cosign/cli/options/pkcs11_tool.go index e673184e2d3..c391e9de7b6 100644 --- a/cmd/cosign/cli/options/pkcs11_tool.go +++ b/cmd/cosign/cli/options/pkcs11_tool.go @@ -31,7 +31,7 @@ var _ Interface = (*PKCS11ToolListTokensOptions)(nil) func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath), "absolute path to the PKCS11 module") - _ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("module-path", moduleExts...) } // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options. @@ -47,7 +47,7 @@ var _ Interface = (*PKCS11ToolListKeysUrisOptions)(nil) func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath), "absolute path to the PKCS11 module") - _ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("module-path", moduleExts...) cmd.Flags().UintVar(&o.SlotID, "slot-id", 0, "id of the PKCS11 slot, uses 0 if empty") diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go index af05ce46954..b5a01f7cfab 100644 --- a/cmd/cosign/cli/options/predicate.go +++ b/cmd/cosign/cli/options/predicate.go @@ -94,6 +94,7 @@ func (o *PredicateLocalOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Path, "predicate", "", "path to the predicate file.") + _ = cmd.MarkFlagFilename("predicate", sbomExts...) _ = cmd.MarkFlagRequired("predicate") } diff --git a/cmd/cosign/cli/options/public_key.go b/cmd/cosign/cli/options/public_key.go index e3c7341a31b..2297360a675 100644 --- a/cmd/cosign/cli/options/public_key.go +++ b/cmd/cosign/cli/options/public_key.go @@ -34,9 +34,9 @@ func (o *PublicKeyOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().StringVar(&o.OutFile, "outfile", "", "path to a payload file to use rather than generating one") - _ = cmd.Flags().SetAnnotation("outfile", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("outfile", publicKeyExts...) } diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go index 61edb47d48b..6840d532974 100644 --- a/cmd/cosign/cli/options/registry.go +++ b/cmd/cosign/cli/options/registry.go @@ -17,10 +17,12 @@ package options import ( "context" "crypto/tls" + "crypto/x509" "errors" "fmt" "io" "net/http" + "os" ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login" "github.com/chrismellard/docker-credential-acr-env/pkg/credhelper" @@ -45,6 +47,10 @@ type RegistryOptions struct { RefOpts ReferenceOptions Keychain Keychain AuthConfig authn.AuthConfig + RegistryCACert string + RegistryClientCert string + RegistryClientKey string + RegistryServerName string // RegistryClientOpts allows overriding the result of GetRegistryClientOpts. RegistryClientOpts []remote.Option @@ -72,6 +78,21 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.AuthConfig.RegistryToken, "registry-token", "", "registry bearer auth token") + cmd.Flags().StringVar(&o.RegistryCACert, "registry-cacert", "", + "path to the X.509 CA certificate file in PEM format to be used for the connection to the registry") + _ = cmd.MarkFlagFilename("registry-cacert", certificateExts...) + + cmd.Flags().StringVar(&o.RegistryClientCert, "registry-client-cert", "", + "path to the X.509 certificate file in PEM format to be used for the connection to the registry") + _ = cmd.MarkFlagFilename("registry-client-cert", certificateExts...) + + cmd.Flags().StringVar(&o.RegistryClientKey, "registry-client-key", "", + "path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry") + _ = cmd.MarkFlagFilename("registry-client-key", privateKeyExts...) + + cmd.Flags().StringVar(&o.RegistryServerName, "registry-server-name", "", + "SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry") + o.RefOpts.AddFlags(cmd) } @@ -131,8 +152,11 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain)) } - if o.AllowInsecure { - opts = append(opts, remote.WithTransport(&http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}})) // #nosec G402 + tlsConfig, err := o.getTLSConfig() + if err == nil { + tr := http.DefaultTransport.(*http.Transport).Clone() + tr.TLSClientConfig = tlsConfig + opts = append(opts, remote.WithTransport(tr)) } // Reuse a remote.Pusher and a remote.Puller for all operations that use these opts. @@ -193,3 +217,41 @@ func (o *RegistryExperimentalOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().Var(&o.RegistryReferrersMode, "registry-referrers-mode", "mode for fetching references from the registry. allowed: legacy, oci-1-1") } + +func (o *RegistryOptions) getTLSConfig() (*tls.Config, error) { + var tlsConfig tls.Config + + if o.RegistryCACert != "" { + f, err := os.Open(o.RegistryCACert) + if err != nil { + return nil, err + } + defer f.Close() + caCertBytes, err := io.ReadAll(f) + if err != nil { + return nil, fmt.Errorf("unable to read CA certs from %s: %w", o.RegistryCACert, err) + } + pool := x509.NewCertPool() + if !pool.AppendCertsFromPEM(caCertBytes) { + return nil, fmt.Errorf("no valid CA certs found in %s", o.RegistryCACert) + } + tlsConfig.RootCAs = pool + } + + if o.RegistryClientCert != "" && o.RegistryClientKey != "" { + cert, err := tls.LoadX509KeyPair(o.RegistryClientCert, o.RegistryClientKey) + if err != nil { + return nil, fmt.Errorf("unable to read client certs from cert %s, key %s: %w", + o.RegistryClientCert, o.RegistryClientKey, err) + } + tlsConfig.Certificates = []tls.Certificate{cert} + } + + if o.RegistryServerName != "" { + tlsConfig.ServerName = o.RegistryServerName + } + + tlsConfig.InsecureSkipVerify = o.AllowInsecure // #nosec G402 + + return &tlsConfig, nil +} diff --git a/cmd/cosign/cli/options/registry_test.go b/cmd/cosign/cli/options/registry_test.go new file mode 100644 index 00000000000..6f788dda012 --- /dev/null +++ b/cmd/cosign/cli/options/registry_test.go @@ -0,0 +1,211 @@ +// Copyright 2021 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package options + +import ( + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "math/big" + "os" + "strings" + "testing" + "time" +) + +func generatePrivateKey(t *testing.T) *rsa.PrivateKey { + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatal(err) + } + + return privateKey +} + +func writePrivateKey(t *testing.T, privateKey *rsa.PrivateKey, fileLocation string) { + // Encode the private key to PEM format + privateKeyPEM := pem.EncodeToMemory(&pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: x509.MarshalPKCS1PrivateKey(privateKey), + }) + + // Write the private key to the specified file + err := os.WriteFile(fileLocation, privateKeyPEM, 0600) + if err != nil { + t.Fatal(err) + } +} + +func generateCertificate(t *testing.T, dir string, isCa bool) (certficateLocation, privateKeyLocation string) { + certficateLocation = createTempFile(t, dir) + privateKeyLocation = createTempFile(t, dir) + + // Generate a private key for the CA + privateKey := generatePrivateKey(t) + + // Create a self-signed certificate for the CA + caTemplate := &x509.Certificate{ + Subject: pkix.Name{ + CommonName: "Test CA", + }, + NotBefore: time.Now().Add(time.Hour * -24), + NotAfter: time.Now().Add(time.Hour * 24), + KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, + BasicConstraintsValid: true, + IsCA: isCa, + SerialNumber: big.NewInt(1337), + } + + caCertDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &privateKey.PublicKey, privateKey) + if err != nil { + t.Fatal(err) + } + + // Encode the CA certificate to PEM format + caCertPEM := pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: caCertDER, + }) + + // Write the CA certificate to the specified file + err = os.WriteFile(certficateLocation, caCertPEM, 0644) + if err != nil { + t.Fatal(err) + } + + writePrivateKey(t, privateKey, privateKeyLocation) + + return certficateLocation, privateKeyLocation +} + +func TestGetTLSConfig(t *testing.T) { + tempDir := t.TempDir() // Create a temporary directory for testing + t.Cleanup(func() { + os.RemoveAll(tempDir) + }) + validCaCertificate, validCaKey := generateCertificate(t, tempDir, true) + validClientCertificate, validClientKey := generateCertificate(t, tempDir, false) + + tests := []struct { + name string + registryCACert string + registryClientCert string + registryClientKey string + registryServerName string + allowInsecure bool + expectError string + }{ + { + name: "Valid CA Cert, Client Cert and Key, Server Name, Allow Insecure", + registryCACert: validCaCertificate, + registryClientCert: validClientCertificate, + registryClientKey: validClientKey, + registryServerName: "example.com", + allowInsecure: true, + }, + { + name: "Wrong key for client cert", + registryCACert: validCaCertificate, + registryClientCert: validClientCertificate, + registryClientKey: validCaKey, // using ca key for client cert must fail + registryServerName: "example.com", + allowInsecure: true, + expectError: fmt.Sprintf("unable to read client certs from cert %s, key %s: tls: private key does not match public key", validClientCertificate, validCaKey), + }, + { + name: "Wrong ca key", + registryCACert: validClientKey, // using client key for ca cert must fail + registryClientCert: validClientCertificate, + registryClientKey: validClientKey, + registryServerName: "example.com", + allowInsecure: true, + expectError: fmt.Sprintf("no valid CA certs found in %s", validClientKey), + }, + { + name: "Invalid CA path", + registryCACert: "/not/existing/path/fooobar", // this path is not expected to exist + registryClientCert: validClientCertificate, + registryClientKey: validClientKey, + registryServerName: "example.com", + allowInsecure: true, + expectError: "open /not/existing/path/fooobar: ", // the error message is OS dependent + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + o := &RegistryOptions{ + RegistryCACert: tt.registryCACert, + RegistryClientCert: tt.registryClientCert, + RegistryClientKey: tt.registryClientKey, + RegistryServerName: tt.registryServerName, + AllowInsecure: tt.allowInsecure, + } + + tlsConfig, err := o.getTLSConfig() + if tt.expectError != "" { + if err == nil || !strings.HasPrefix(err.Error(), tt.expectError) { + t.Errorf("getTLSConfig()\nerror: \"%v\",\nexpectError: \"%v\"", err, tt.expectError) + return + } + } else { + if err != nil { + t.Errorf("getTLSConfig() error = %v, expectError %v", err, tt.expectError) + return + } + } + + if err == nil { + if tt.registryCACert != "" { + if tlsConfig.RootCAs == nil { + t.Errorf("Expected RootCAs to be set") + } + } + + if tt.registryClientCert != "" && tt.registryClientKey != "" { + if len(tlsConfig.Certificates) == 0 { + t.Errorf("Expected Certificates to be set") + } + } + + if tt.registryServerName != "" { + if tlsConfig.ServerName != tt.registryServerName { + t.Errorf("Expected ServerName to be %s, got %s", tt.registryServerName, tlsConfig.ServerName) + } + } + + if tt.allowInsecure { + if !tlsConfig.InsecureSkipVerify { + t.Errorf("Expected InsecureSkipVerify to be true") + } + } + } + }) + } +} + +// Helper function to create temporary files for testing +func createTempFile(t *testing.T, dir string) string { + tmpfile, err := os.CreateTemp(dir, "registry-test-") + if err != nil { + t.Fatal(err) + } + defer tmpfile.Close() + + return tmpfile.Name() +} diff --git a/cmd/cosign/cli/options/root.go b/cmd/cosign/cli/options/root.go index cb15af0dc31..92bb01e6a92 100644 --- a/cmd/cosign/cli/options/root.go +++ b/cmd/cosign/cli/options/root.go @@ -44,7 +44,7 @@ var _ Interface = (*RootOptions)(nil) func (o *RootOptions) AddFlags(cmd *cobra.Command) { cmd.PersistentFlags().StringVar(&o.OutputFile, "output-file", "", "log output to a file") - _ = cmd.Flags().SetAnnotation("output-file", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-file", logExts...) cmd.PersistentFlags().BoolVarP(&o.Verbose, "verbose", "d", false, "log debug output") diff --git a/cmd/cosign/cli/options/save.go b/cmd/cosign/cli/options/save.go index 7c4f623de61..761d4bb42eb 100644 --- a/cmd/cosign/cli/options/save.go +++ b/cmd/cosign/cli/options/save.go @@ -32,6 +32,6 @@ func (o *SaveOptions) AddFlags(cmd *cobra.Command) { o.Registry.AddFlags(cmd) cmd.Flags().StringVar(&o.Directory, "dir", "", "path to dir where the signed image should be stored on disk") - _ = cmd.Flags().SetAnnotation("dir", cobra.BashCompSubdirsInDir, []string{}) + _ = cmd.MarkFlagDirname("dir") _ = cmd.MarkFlagRequired("dir") } diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index 70ec9acab62..bcacfd7e63f 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -66,42 +66,43 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate", certificateExts...) cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "", "path to a list of CA X.509 certificates in PEM format which will be needed "+ "when building the certificate chain for the signing certificate. "+ "Must start with the parent intermediate CA certificate of the "+ "signing certificate and end with the root certificate. Included in the OCI Signature") - _ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate-chain", certificateExts...) cmd.Flags().BoolVar(&o.Upload, "upload", true, "whether to upload the signature") cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "", "write the signature to FILE") - _ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-signature", signatureExts...) cmd.Flags().StringVar(&o.OutputPayload, "output-payload", "", "write the signed payload to FILE") - _ = cmd.Flags().SetAnnotation("output-payload", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("output-payload") // no typical extensions cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "", "write the certificate to FILE") - _ = cmd.Flags().SetAnnotation("output-certificate", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-certificate", certificateExts...) cmd.Flags().StringVar(&o.PayloadPath, "payload", "", "path to a payload file to use rather than generating one") - _ = cmd.Flags().SetAnnotation("payload", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("payload") // no typical extensions cmd.Flags().BoolVarP(&o.Recursive, "recursive", "r", false, "if a multi-arch image is specified, additionally sign each discrete image") cmd.Flags().StringVar(&o.Attachment, "attachment", "", "DEPRECATED, related image attachment to sign (sbom), default none") + _ = cmd.MarkFlagFilename("attachment", sbomExts...) cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false, "skip confirmation prompts for non-destructive operations") @@ -111,12 +112,15 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "", "path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-cacert", certificateExts...) cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "", "path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-cert", certificateExts...) cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "", "path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-key", privateKeyExts...) cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "", "SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server") @@ -124,7 +128,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "", "url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr") - _ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"}) + _ = cmd.MarkFlagFilename("certificate", certificateExts...) cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided") diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go index d6326690684..db08489c2a7 100644 --- a/cmd/cosign/cli/options/signblob.go +++ b/cmd/cosign/cli/options/signblob.go @@ -56,25 +56,26 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", privateKeyExts...) cmd.Flags().BoolVar(&o.Base64Output, "b64", true, "whether to base64 encode the output") cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "", "write the signature to FILE") - _ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-signature", signatureExts...) // TODO: remove when output flag is fully deprecated cmd.Flags().StringVar(&o.Output, "output", "", "write the signature to FILE") + _ = cmd.MarkFlagFilename("output", signatureExts...) cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "", "write the certificate to FILE") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("output-certificate", certificateExts...) cmd.Flags().StringVar(&o.BundlePath, "bundle", "", "write everything required to verify the blob to a FILE") - _ = cmd.Flags().SetAnnotation("bundle", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("bundle", bundleExts...) // TODO: have this default to true as a breaking change cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, @@ -88,12 +89,15 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "", "path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-cacert", certificateExts...) cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "", "path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-cert", certificateExts...) cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "", "path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server") + _ = cmd.MarkFlagFilename("timestamp-client-key", privateKeyExts...) cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "", "SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server") @@ -103,7 +107,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "", "write the RFC3161 timestamp to a file") - _ = cmd.Flags().SetAnnotation("rfc3161-timestamp", cobra.BashCompFilenameExt, []string{}) + // _ = cmd.MarkFlagFilename("rfc3161-timestamp") // no typical extensions cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided") diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go new file mode 100644 index 00000000000..21561aa527a --- /dev/null +++ b/cmd/cosign/cli/options/trustedroot.go @@ -0,0 +1,66 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package options + +import ( + "github.com/spf13/cobra" +) + +type TrustedRootCreateOptions struct { + CertChain []string + CtfeKeyPath []string + CtfeStartTime []string + Out string + RekorKeyPath []string + RekorStartTime []string + TSACertChainPath []string +} + +var _ Interface = (*TrustedRootCreateOptions)(nil) + +func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) { + cmd.Flags().StringArrayVar(&o.CertChain, "certificate-chain", nil, + "path to a list of CA certificates in PEM format which will be needed "+ + "when building the certificate chain for the signing certificate. "+ + "Must start with the parent intermediate CA certificate of the "+ + "signing certificate and end with the root certificate.") + _ = cmd.MarkFlagFilename("certificate-chain", certificateExts...) + + cmd.Flags().StringArrayVar(&o.CtfeKeyPath, "ctfe-key", nil, + "path to a PEM-encoded public key used by certificate authority for "+ + "certificate transparency log.") + _ = cmd.MarkFlagFilename("ctfe-key", publicKeyExts...) + + cmd.Flags().StringArrayVar(&o.CtfeStartTime, "ctfe-start-time", nil, + "RFC 3339 string describing validity start time for key use by "+ + "certificate transparency log.") + + cmd.Flags().StringVar(&o.Out, "out", "", "path to output trusted root") + // _ = cmd.MarkFlagFilename("output") // no typical extensions + + cmd.Flags().StringArrayVar(&o.RekorKeyPath, "rekor-key", nil, + "path to a PEM-encoded public key used by transparency log like Rekor.") + _ = cmd.MarkFlagFilename("rekor-key", publicKeyExts...) + + cmd.Flags().StringArrayVar(&o.RekorStartTime, "rekor-start-time", nil, + "RFC 3339 string describing validity start time for key use by "+ + "transparency log like Rekor.") + + cmd.Flags().StringArrayVar(&o.TSACertChainPath, "timestamp-certificate-chain", nil, + "path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+ + "Optionally may contain intermediate CA certificates") + _ = cmd.MarkFlagFilename("timestamp-certificate-chain", certificateExts...) +} diff --git a/cmd/cosign/cli/options/upload.go b/cmd/cosign/cli/options/upload.go index 9ef6a0b72f5..37c928b8842 100644 --- a/cmd/cosign/cli/options/upload.go +++ b/cmd/cosign/cli/options/upload.go @@ -54,6 +54,6 @@ func (o *UploadWASMOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVarP(&o.File, "file", "f", "", "path to the wasm file to upload") - _ = cmd.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("file", wasmExts...) _ = cmd.MarkFlagRequired("file") } diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go index 3cdbb0e8a62..6ab0d7ca863 100644 --- a/cmd/cosign/cli/options/verify.go +++ b/cmd/cosign/cli/options/verify.go @@ -92,22 +92,25 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.Key, "key", "", "path to the public key file, KMS URI or Kubernetes Secret") - _ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{}) + _ = cmd.MarkFlagFilename("key", publicKeyExts...) cmd.Flags().BoolVar(&o.CheckClaims, "check-claims", true, "whether to check the claims found") cmd.Flags().StringVar(&o.Attachment, "attachment", "", "DEPRECATED, related image attachment to verify (sbom), default none") + _ = cmd.MarkFlagFilename("attachment", sbomExts...) cmd.Flags().StringVarP(&o.Output, "output", "o", "json", "output format for the signing image information (json|text)") cmd.Flags().StringVar(&o.SignatureRef, "signature", "", "signature content or path or remote URL") + _ = cmd.MarkFlagFilename("signature", signatureExts...) cmd.Flags().StringVar(&o.PayloadRef, "payload", "", "payload path or remote URL") + // _ = cmd.MarkFlagFilename("payload") // no typical extensions cmd.Flags().BoolVar(&o.LocalImage, "local-image", false, "whether the specified image is a path to an image saved locally via 'cosign save'") diff --git a/cmd/cosign/cli/piv_tool.go b/cmd/cosign/cli/piv_tool.go index 6e97ef104b0..855b1a8dead 100644 --- a/cmd/cosign/cli/piv_tool.go +++ b/cmd/cosign/cli/piv_tool.go @@ -20,10 +20,9 @@ package cli import ( "encoding/json" - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/pivcli" + "github.com/spf13/cobra" ) var pivToolForce bool diff --git a/cmd/cosign/cli/pivcli/commands.go b/cmd/cosign/cli/pivcli/commands.go index 5ff13fdac5a..2f532eaaf79 100644 --- a/cmd/cosign/cli/pivcli/commands.go +++ b/cmd/cosign/cli/pivcli/commands.go @@ -29,7 +29,7 @@ import ( "os" "strings" - "github.com/go-piv/piv-go/piv" + "github.com/go-piv/piv-go/v2/piv" "github.com/manifoldco/promptui" "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" @@ -46,7 +46,7 @@ func SetManagementKeyCmd(_ context.Context, oldKey, newKey string, randomKey boo if err != nil { return err } - var newBytes *[24]byte + var newBytes *[]byte if randomKey { if !Confirm("Resetting management key to random value. You must factory reset the device to change this value") { return nil @@ -286,14 +286,14 @@ func ResetKeyCmd(ctx context.Context) error { return yk.Reset() } -func keyBytes(s string) (*[24]byte, error) { +func keyBytes(s string) (*[]byte, error) { if s == "" { return &piv.DefaultManagementKey, nil } if len(s) > 24 { return nil, errors.New("key too long, must be <24 characters") } - ret := [24]byte{} + ret := []byte{} copy(ret[:], s) return &ret, nil } @@ -312,8 +312,8 @@ var Confirm = func(p string) bool { return strings.ToLower(result) == "y" } -func randomManagementKey() (*[24]byte, error) { - var newKeyBytes [24]byte +func randomManagementKey() (*[]byte, error) { + var newKeyBytes []byte n, err := io.ReadFull(rand.Reader, newKeyBytes[:]) if err != nil { return nil, err diff --git a/cmd/cosign/cli/pkcs11_tool.go b/cmd/cosign/cli/pkcs11_tool.go index e740eee94c1..bc8e80a4bdc 100644 --- a/cmd/cosign/cli/pkcs11_tool.go +++ b/cmd/cosign/cli/pkcs11_tool.go @@ -18,10 +18,9 @@ package cli import ( - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/pkcs11cli" + "github.com/spf13/cobra" ) var pkcs11ToolForce bool diff --git a/cmd/cosign/cli/public_key.go b/cmd/cosign/cli/public_key.go index 0c075735584..6f1b225082e 100644 --- a/cmd/cosign/cli/public_key.go +++ b/cmd/cosign/cli/public_key.go @@ -18,11 +18,10 @@ package cli import ( "os" - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey" + "github.com/spf13/cobra" ) func PublicKey() *cobra.Command { diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index a4ae71210f6..e21fc6f7623 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -19,11 +19,10 @@ import ( "fmt" "os" - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" + "github.com/spf13/cobra" ) func Sign() *cobra.Command { diff --git a/cmd/cosign/cli/tree.go b/cmd/cosign/cli/tree.go index 7882e9c2281..d0a4a635fdc 100644 --- a/cmd/cosign/cli/tree.go +++ b/cmd/cosign/cli/tree.go @@ -20,13 +20,11 @@ import ( "fmt" "os" - v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/google/go-containerregistry/pkg/name" - "github.com/spf13/cobra" - + v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/spf13/cobra" ) func Tree() *cobra.Command { diff --git a/cmd/cosign/cli/triangulate.go b/cmd/cosign/cli/triangulate.go index 0cf60e978a8..711b564d02e 100644 --- a/cmd/cosign/cli/triangulate.go +++ b/cmd/cosign/cli/triangulate.go @@ -18,10 +18,9 @@ package cli import ( "flag" - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/triangulate" + "github.com/spf13/cobra" ) func Triangulate() *cobra.Command { diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go new file mode 100644 index 00000000000..7dfd43f18e5 --- /dev/null +++ b/cmd/cosign/cli/trustedroot.go @@ -0,0 +1,65 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cli + +import ( + "context" + + "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/trustedroot" + "github.com/spf13/cobra" +) + +func TrustedRoot() *cobra.Command { + cmd := &cobra.Command{ + Use: "trusted-root", + Short: "Interact with a Sigstore protobuf trusted root", + Long: "Tools for interacting with a Sigstore protobuf trusted root", + } + + cmd.AddCommand(trustedRootCreate()) + + return cmd +} + +func trustedRootCreate() *cobra.Command { + o := &options.TrustedRootCreateOptions{} + + cmd := &cobra.Command{ + Use: "create", + Short: "Create a Sigstore protobuf trusted root", + Long: "Create a Sigstore protobuf trusted root by supplying verification material", + RunE: func(cmd *cobra.Command, _ []string) error { + trCreateCmd := &trustedroot.CreateCmd{ + CertChain: o.CertChain, + CtfeKeyPath: o.CtfeKeyPath, + CtfeStartTime: o.CtfeStartTime, + Out: o.Out, + RekorKeyPath: o.RekorKeyPath, + RekorStartTime: o.RekorStartTime, + TSACertChainPath: o.TSACertChainPath, + } + + ctx, cancel := context.WithTimeout(cmd.Context(), ro.Timeout) + defer cancel() + + return trCreateCmd.Exec(ctx) + }, + } + + o.AddFlags(cmd) + return cmd +} diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go new file mode 100644 index 00000000000..794c932084c --- /dev/null +++ b/cmd/cosign/cli/trustedroot/trustedroot.go @@ -0,0 +1,221 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package trustedroot + +import ( + "context" + "crypto" + "crypto/x509" + "encoding/hex" + "encoding/pem" + "fmt" + "os" + "time" + + "github.com/sigstore/cosign/v2/pkg/cosign" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/cryptoutils" +) + +type CreateCmd struct { + CertChain []string + CtfeKeyPath []string + CtfeStartTime []string + Out string + RekorKeyPath []string + RekorStartTime []string + TSACertChainPath []string +} + +func (c *CreateCmd) Exec(_ context.Context) error { + var fulcioCertAuthorities []root.CertificateAuthority + ctLogs := make(map[string]*root.TransparencyLog) + var timestampAuthorities []root.TimestampingAuthority + rekorTransparencyLogs := make(map[string]*root.TransparencyLog) + + for i := 0; i < len(c.CertChain); i++ { + fulcioAuthority, err := parseCAPEMFile(c.CertChain[i]) + if err != nil { + return err + } + fulcioCertAuthorities = append(fulcioCertAuthorities, fulcioAuthority) + } + + for i := 0; i < len(c.CtfeKeyPath); i++ { + ctLogPubKey, id, idBytes, err := getPubKey(c.CtfeKeyPath[i]) + if err != nil { + return err + } + + startTime := time.Unix(0, 0) + + if i < len(c.CtfeStartTime) { + startTime, err = time.Parse(time.RFC3339, c.CtfeStartTime[i]) + if err != nil { + return err + } + } + + ctLogs[id] = &root.TransparencyLog{ + HashFunc: crypto.SHA256, + ID: idBytes, + ValidityPeriodStart: startTime, + PublicKey: *ctLogPubKey, + SignatureHashFunc: crypto.SHA256, + } + } + + for i := 0; i < len(c.RekorKeyPath); i++ { + tlogPubKey, id, idBytes, err := getPubKey(c.RekorKeyPath[i]) + if err != nil { + return err + } + + startTime := time.Unix(0, 0) + + if i < len(c.RekorStartTime) { + startTime, err = time.Parse(time.RFC3339, c.RekorStartTime[i]) + if err != nil { + return err + } + } + + rekorTransparencyLogs[id] = &root.TransparencyLog{ + HashFunc: crypto.SHA256, + ID: idBytes, + ValidityPeriodStart: startTime, + PublicKey: *tlogPubKey, + SignatureHashFunc: crypto.SHA256, + } + } + + for i := 0; i < len(c.TSACertChainPath); i++ { + timestampAuthority, err := parseTAPEMFile(c.TSACertChainPath[i]) + if err != nil { + return err + } + timestampAuthorities = append(timestampAuthorities, timestampAuthority) + } + + newTrustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01, + fulcioCertAuthorities, ctLogs, timestampAuthorities, + rekorTransparencyLogs, + ) + if err != nil { + return err + } + + var trBytes []byte + + trBytes, err = newTrustedRoot.MarshalJSON() + if err != nil { + return err + } + + if c.Out != "" { + err = os.WriteFile(c.Out, trBytes, 0600) + if err != nil { + return err + } + } else { + fmt.Println(string(trBytes)) + } + + return nil +} + +func parseCAPEMFile(path string) (root.CertificateAuthority, error) { + certs, err := parseCerts(path) + if err != nil { + return nil, err + } + + var ca root.FulcioCertificateAuthority + ca.Root = certs[len(certs)-1] + ca.ValidityPeriodStart = certs[len(certs)-1].NotBefore + if len(certs) > 1 { + ca.Intermediates = certs[:len(certs)-1] + } + + return &ca, nil +} + +func parseTAPEMFile(path string) (root.TimestampingAuthority, error) { + certs, err := parseCerts(path) + if err != nil { + return nil, err + } + + var ta root.SigstoreTimestampingAuthority + ta.Root = certs[len(certs)-1] + ta.ValidityPeriodStart = certs[len(certs)-1].NotBefore + if len(certs) > 1 { + ta.Intermediates = certs[:len(certs)-1] + } + + return &ta, nil +} + +func parseCerts(path string) ([]*x509.Certificate, error) { + var certs []*x509.Certificate + + contents, err := os.ReadFile(path) + if err != nil { + return nil, err + } + + for block, contents := pem.Decode(contents); block != nil; block, contents = pem.Decode(contents) { + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, err + } + certs = append(certs, cert) + + if len(contents) == 0 { + break + } + } + + if len(certs) == 0 { + return nil, fmt.Errorf("no certificates in file %s", path) + } + + return certs, nil +} + +func getPubKey(path string) (*crypto.PublicKey, string, []byte, error) { + pemBytes, err := os.ReadFile(path) + if err != nil { + return nil, "", []byte{}, err + } + + pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(pemBytes) + if err != nil { + return nil, "", []byte{}, err + } + + keyID, err := cosign.GetTransparencyLogID(pubKey) + if err != nil { + return nil, "", []byte{}, err + } + + idBytes, err := hex.DecodeString(keyID) + if err != nil { + return nil, "", []byte{}, err + } + + return &pubKey, keyID, idBytes, nil +} diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go new file mode 100644 index 00000000000..f6ba2a9da46 --- /dev/null +++ b/cmd/cosign/cli/trustedroot/trustedroot_test.go @@ -0,0 +1,133 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package trustedroot + +import ( + "context" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "math/big" + "os" + "path/filepath" + "testing" + + "github.com/sigstore/sigstore-go/pkg/root" +) + +func TestCreateCmd(t *testing.T) { + ctx := context.Background() + + // Make some certificate chains + td := t.TempDir() + + fulcioChainPath := filepath.Join(td, "fulcio.pem") + makeChain(t, fulcioChainPath, 2) + + tsaChainPath := filepath.Join(td, "timestamp.pem") + makeChain(t, tsaChainPath, 3) + + outPath := filepath.Join(td, "trustedroot.json") + + trustedrootCreate := CreateCmd{ + CertChain: []string{fulcioChainPath}, + Out: outPath, + TSACertChainPath: []string{tsaChainPath}, + } + + err := trustedrootCreate.Exec(ctx) + checkErr(t, err) + + tr, err := root.NewTrustedRootFromPath(outPath) + checkErr(t, err) + + fulcioCAs := tr.FulcioCertificateAuthorities() + + if len(fulcioCAs) != 1 { + t.Fatal("unexpected number of fulcio certificate authorities") + } + + if len(fulcioCAs[0].(*root.FulcioCertificateAuthority).Intermediates) != 1 { + t.Fatal("unexpected number of fulcio intermediate certificates") + } + + timestampAuthorities := tr.TimestampingAuthorities() + if len(timestampAuthorities) != 1 { + t.Fatal("unexpected number of timestamp authorities") + } + + if len(timestampAuthorities[0].(*root.SigstoreTimestampingAuthority).Intermediates) != 2 { + t.Fatal("unexpected number of timestamp intermediate certificates") + } +} + +func makeChain(t *testing.T, path string, size int) { + fd, err := os.Create(path) + checkErr(t, err) + + defer fd.Close() + + chainCert := &x509.Certificate{ + SerialNumber: big.NewInt(1), + BasicConstraintsValid: true, + IsCA: true, + } + chainKey, err := rsa.GenerateKey(rand.Reader, 512) //nolint:gosec + checkErr(t, err) + rootDer, err := x509.CreateCertificate(rand.Reader, chainCert, chainCert, &chainKey.PublicKey, chainKey) + checkErr(t, err) + + for i := 1; i < size; i++ { + intermediateCert := &x509.Certificate{ + SerialNumber: big.NewInt(1 + int64(i)), + BasicConstraintsValid: true, + IsCA: true, + } + intermediateKey, err := rsa.GenerateKey(rand.Reader, 512) //nolint:gosec + checkErr(t, err) + intermediateDer, err := x509.CreateCertificate(rand.Reader, intermediateCert, chainCert, &intermediateKey.PublicKey, chainKey) + checkErr(t, err) + + block := &pem.Block{ + Type: "CERTIFICATE", + Bytes: intermediateDer, + } + err = pem.Encode(fd, block) + checkErr(t, err) + + chainCert = intermediateCert + chainKey = intermediateKey + } + + // Write out root last + block := &pem.Block{ + Type: "CERTIFICATE", + Bytes: rootDer, + } + err = pem.Encode(fd, block) + checkErr(t, err) + + // Ensure we handle unexpected content at the end of the PEM file + _, err = fd.Write([]byte("asdf\n")) + checkErr(t, err) +} + +func checkErr(t *testing.T, err error) { + if err != nil { + t.Fatal(err) + } +} diff --git a/cmd/cosign/cli/upload.go b/cmd/cosign/cli/upload.go index 6dd90da5bc6..69c8530d036 100644 --- a/cmd/cosign/cli/upload.go +++ b/cmd/cosign/cli/upload.go @@ -18,10 +18,9 @@ package cli import ( "flag" - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/upload" + "github.com/spf13/cobra" ) func Upload() *cobra.Command { diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index 703898523b7..d306756cda9 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go @@ -20,12 +20,10 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - - "github.com/spf13/cobra" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" "github.com/sigstore/cosign/v2/internal/ui" + "github.com/spf13/cobra" ) const ignoreTLogMessage = "Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the %s." @@ -139,6 +137,7 @@ against the transparency log.`, IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog, MaxWorkers: o.CommonVerifyOptions.MaxWorkers, ExperimentalOCI11: o.CommonVerifyOptions.ExperimentalOCI11, + UseSignedTimestamps: o.CommonVerifyOptions.UseSignedTimestamps, } if o.CommonVerifyOptions.MaxWorkers == 0 { @@ -245,6 +244,7 @@ against the transparency log.`, TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath, IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog, MaxWorkers: o.CommonVerifyOptions.MaxWorkers, + UseSignedTimestamps: o.CommonVerifyOptions.UseSignedTimestamps, } if o.CommonVerifyOptions.MaxWorkers == 0 { diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 17fd63e8330..f5fc86bfddf 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -84,17 +84,6 @@ type VerifyCommand struct { ExperimentalOCI11 bool } -func (c *VerifyCommand) loadTSACertificates(ctx context.Context) (*cosign.TSACertificates, error) { - if c.TSACertChainPath == "" && !c.UseSignedTimestamps { - return nil, fmt.Errorf("TSA certificate chain path not provided and use-signed-timestamps not set") - } - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return nil, fmt.Errorf("unable to load TSA certificates: %w", err) - } - return tsaCertificates, nil -} - // Exec runs the verification command func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if len(images) == 0 { @@ -144,13 +133,15 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { IgnoreTlog: c.IgnoreTlog, MaxWorkers: c.MaxWorkers, ExperimentalOCI11: c.ExperimentalOCI11, + UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, } if c.CheckClaims { co.ClaimVerifier = cosign.SimpleClaimVerifier } - if c.TSACertChainPath != "" || c.UseSignedTimestamps { - tsaCertificates, err := c.loadTSACertificates(ctx) + // If we are using signed timestamps, we need to load the TSA certificates + if co.UseSignedTimestamps { + tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { return fmt.Errorf("unable to load TSA certificates: %w", err) } diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 93c27690455..bf25cbb467a 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -72,17 +72,6 @@ type VerifyAttestationCommand struct { UseSignedTimestamps bool } -func (c *VerifyAttestationCommand) loadTSACertificates(ctx context.Context) (*cosign.TSACertificates, error) { - if c.TSACertChainPath == "" && !c.UseSignedTimestamps { - return nil, fmt.Errorf("TSA certificate chain path not provided and use-signed-timestamps not set") - } - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return nil, fmt.Errorf("unable to load TSA certificates: %w", err) - } - return tsaCertificates, nil -} - // Exec runs the verification command func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (err error) { if len(images) == 0 { @@ -119,6 +108,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e Offline: c.Offline, IgnoreTlog: c.IgnoreTlog, MaxWorkers: c.MaxWorkers, + UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, } if c.CheckClaims { co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier @@ -131,8 +121,9 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } } - if c.TSACertChainPath != "" || c.UseSignedTimestamps { - tsaCertificates, err := c.loadTSACertificates(ctx) + // If we are using signed timestamps, we need to load the TSA certificates + if co.UseSignedTimestamps { + tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { return fmt.Errorf("unable to load TSA certificates: %w", err) } diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index 79475c90d80..25932f43f87 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -16,10 +16,12 @@ package verify import ( + "bytes" "context" "crypto" "crypto/x509" "encoding/base64" + "encoding/hex" "encoding/json" "errors" "fmt" @@ -27,6 +29,7 @@ import ( "io/fs" "os" "path/filepath" + "strings" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" @@ -38,6 +41,9 @@ import ( "github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key" "github.com/sigstore/cosign/v2/pkg/oci/static" sigs "github.com/sigstore/cosign/v2/pkg/signature" + sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" + "github.com/sigstore/sigstore-go/pkg/root" + sgverify "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" ) @@ -69,17 +75,6 @@ type VerifyBlobCmd struct { IgnoreTlog bool } -func (c *VerifyBlobCmd) loadTSACertificates(ctx context.Context) (*cosign.TSACertificates, error) { - if c.TSACertChainPath == "" && !c.UseSignedTimestamps { - return nil, fmt.Errorf("either TSA certificate chain path must be provided or use-signed-timestamps must be set") - } - tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) - if err != nil { - return nil, fmt.Errorf("unable to load TSA certificates: %w", err) - } - return tsaCertificates, nil -} - // nolint func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { // Require a certificate/key OR a local bundle file that has the cert. @@ -92,22 +87,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { return &options.PubKeyParseError{} } - if c.KeyOpts.NewBundleFormat { - if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 1 { - return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") - } - err := verifyNewBundle(ctx, c.BundlePath, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, blobRef, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT) - if err == nil { - ui.Infof(ctx, "Verified OK") - } - return err - } else if c.TrustedRootPath != "" { - return fmt.Errorf("--trusted-root only supported with --new-bundle-format") - } - - var cert *x509.Certificate - opts := make([]static.Option, 0) - var identities []cosign.Identity var err error if c.KeyRef == "" { @@ -117,16 +96,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { } } - sig, err := base64signature(c.SigRef, c.BundlePath) - if err != nil { - return err - } - - blobBytes, err := payloadBytes(blobRef) - if err != nil { - return err - } - co := &cosign.CheckOpts{ CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger, CertGithubWorkflowSha: c.CertGithubWorkflowSHA, @@ -137,15 +106,96 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { Identities: identities, Offline: c.Offline, IgnoreTlog: c.IgnoreTlog, + UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, + NewBundleFormat: c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath), } - if c.RFC3161TimestampPath != "" && !(c.TSACertChainPath != "" || c.UseSignedTimestamps) { - return fmt.Errorf("either TSA certificate chain path must be provided or use-signed-timestamps must be set when using RFC3161 timestamp path") + + // Keys are optional! + var cert *x509.Certificate + opts := make([]static.Option, 0) + switch { + case c.KeyRef != "": + co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) + if err != nil { + return fmt.Errorf("loading public key: %w", err) + } + pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) + if ok { + defer pkcs11Key.Close() + } + case c.Sk: + sk, err := pivkey.GetKeyWithSlot(c.Slot) + if err != nil { + return fmt.Errorf("opening piv token: %w", err) + } + defer sk.Close() + co.SigVerifier, err = sk.Verifier() + if err != nil { + return fmt.Errorf("loading public key from token: %w", err) + } + case c.CertRef != "": + cert, err = loadCertFromFileOrURL(c.CertRef) + if err != nil { + return err + } } - if c.TSACertChainPath != "" || c.UseSignedTimestamps { - tsaCertificates, err := c.loadTSACertificates(ctx) + + if co.NewBundleFormat { + if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 0 { + return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") + } + + if co.TrustedMaterial == nil { + co.TrustedMaterial, err = loadTrustedRoot(ctx, c.TrustedRootPath) + if err != nil { + return err + } + } + + bundle, err := sgbundle.LoadJSONFromPath(c.BundlePath) if err != nil { return err } + + var artifactPolicyOption sgverify.ArtifactPolicyOption + blobBytes, err := payloadBytes(blobRef) + if err != nil { + alg, digest, payloadDigestError := payloadDigest(blobRef) + if payloadDigestError != nil { + return err + } + artifactPolicyOption = sgverify.WithArtifactDigest(alg, digest) + } else { + artifactPolicyOption = sgverify.WithArtifact(bytes.NewReader(blobBytes)) + } + + _, err = cosign.VerifyNewBundle(ctx, co, artifactPolicyOption, bundle) + if err != nil { + return err + } + + ui.Infof(ctx, "Verified OK") + return nil + } + + blobBytes, err := payloadBytes(blobRef) + if err != nil { + return err + } + + if c.TrustedRootPath != "" { + return fmt.Errorf("--trusted-root only supported with --new-bundle-format") + } + if c.RFC3161TimestampPath != "" && !co.UseSignedTimestamps { + return fmt.Errorf("when specifying --rfc3161-timestamp-path, you must also specify --use-signed-timestamps or --timestamp-certificate-chain") + } else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps { + return fmt.Errorf("when specifying --use-signed-timestamps or --timestamp-certificate-chain, you must also specify --rfc3161-timestamp-path") + } + if co.UseSignedTimestamps { + tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) + if err != nil { + return fmt.Errorf("unable to load TSA certificates: %w", err) + } co.TSACertificate = tsaCertificates.LeafCert co.TSARootCertificates = tsaCertificates.RootCert co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts @@ -172,34 +222,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { return err } } - - // Keys are optional! - switch { - case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) - if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() - } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - co.SigVerifier, err = sk.Verifier() - if err != nil { - return fmt.Errorf("loading public key from token: %w", err) - } - case c.CertRef != "": - cert, err = loadCertFromFileOrURL(c.CertRef) - if err != nil { - return err - } - } if c.BundlePath != "" { b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath) if err != nil { @@ -300,6 +322,10 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error { } } + sig, err := base64signature(c.SigRef, c.BundlePath) + if err != nil { + return err + } signature, err := static.NewSignature(blobBytes, sig, opts...) if err != nil { return err @@ -355,3 +381,24 @@ func payloadBytes(blobRef string) ([]byte, error) { } return blobBytes, nil } + +func payloadDigest(blobRef string) (string, []byte, error) { + hexAlg, hexDigest, ok := strings.Cut(blobRef, ":") + if !ok { + return "", nil, fmt.Errorf("invalid digest format") + } + digestBytes, err := hex.DecodeString(hexDigest) + if err != nil { + return "", nil, err + } + return hexAlg, digestBytes, nil +} + +func loadTrustedRoot(_ context.Context, trustedRootPath string) (*root.TrustedRoot, error) { + if trustedRootPath != "" { + return root.NewTrustedRootFromPath(trustedRootPath) + } + // Assume we're using public good instance; fetch via TUF + // TODO: allow custom TUF settings + return root.FetchTrustedRoot() +} diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go index 3f2c33cc63b..3d52db71370 100644 --- a/cmd/cosign/cli/verify/verify_blob_attestation.go +++ b/cmd/cosign/cli/verify/verify_blob_attestation.go @@ -34,6 +34,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" internal "github.com/sigstore/cosign/v2/internal/pkg/cosign" payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size" + "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/blob" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" @@ -42,6 +43,8 @@ import ( "github.com/sigstore/cosign/v2/pkg/oci/static" "github.com/sigstore/cosign/v2/pkg/policy" sigs "github.com/sigstore/cosign/v2/pkg/signature" + sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" + sgverify "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" ) @@ -92,19 +95,6 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st return &options.KeyParseError{} } - if c.KeyOpts.NewBundleFormat { - if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 1 { - return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") - } - err = verifyNewBundle(ctx, c.BundlePath, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, artifactPath, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT) - if err == nil { - fmt.Fprintln(os.Stderr, "Verified OK") - } - return err - } else if c.TrustedRootPath != "" { - return fmt.Errorf("--trusted-root only supported with --new-bundle-format") - } - var identities []cosign.Identity if c.KeyRef == "" { identities, err = c.Identities() @@ -123,8 +113,45 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st IgnoreSCT: c.IgnoreSCT, Offline: c.Offline, IgnoreTlog: c.IgnoreTlog, + UseSignedTimestamps: c.TSACertChainPath != "" || c.UseSignedTimestamps, + NewBundleFormat: c.KeyOpts.NewBundleFormat || checkNewBundle(c.BundlePath), + } + + // Keys are optional! + var cert *x509.Certificate + opts := make([]static.Option, 0) + switch { + case c.KeyRef != "": + co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) + if err != nil { + return fmt.Errorf("loading public key: %w", err) + } + pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) + if ok { + defer pkcs11Key.Close() + } + case c.Sk: + sk, err := pivkey.GetKeyWithSlot(c.Slot) + if err != nil { + return fmt.Errorf("opening piv token: %w", err) + } + defer sk.Close() + co.SigVerifier, err = sk.Verifier() + if err != nil { + return fmt.Errorf("loading public key from token: %w", err) + } + case c.CertRef != "": + cert, err = loadCertFromFileOrURL(c.CertRef) + if err != nil { + return err + } + case c.CARoots != "": + // CA roots + possible intermediates are already loaded into co.RootCerts with the call to + // loadCertsKeylessVerification above. } + var h v1.Hash + var digest []byte if c.CheckClaims { // Get the actual digest of the blob var payload internal.HashReader @@ -146,7 +173,7 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st if _, err := io.ReadAll(&payload); err != nil { return err } - digest := payload.Sum(nil) + digest = payload.Sum(nil) h = v1.Hash{ Hex: hex.EncodeToString(digest), Algorithm: "sha256", @@ -154,15 +181,44 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier } - // Set up TSA, Fulcio roots and tlog public keys and clients. - if c.RFC3161TimestampPath != "" && !(c.TSACertChainPath != "" || c.UseSignedTimestamps) { - return fmt.Errorf("either TSA certificate chain path must be provided or use-signed-timestamps must be set when using RFC3161 timestamp path") + if co.NewBundleFormat { + if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 0 { + return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root") + } + + if co.TrustedMaterial == nil { + co.TrustedMaterial, err = loadTrustedRoot(ctx, c.TrustedRootPath) + if err != nil { + return err + } + } + + bundle, err := sgbundle.LoadJSONFromPath(c.BundlePath) + if err != nil { + return err + } + + _, err = cosign.VerifyNewBundle(ctx, co, sgverify.WithArtifactDigest(h.Algorithm, digest), bundle) + if err != nil { + return err + } + + ui.Infof(ctx, "Verified OK") + return nil } - if c.TSACertChainPath != "" || c.UseSignedTimestamps { + if c.TrustedRootPath != "" { + return fmt.Errorf("--trusted-root only supported with --new-bundle-format") + } + if c.RFC3161TimestampPath != "" && !co.UseSignedTimestamps { + return fmt.Errorf("when specifying --rfc3161-timestamp-path, you must also specify --use-signed-timestamps or --timestamp-certificate-chain") + } else if c.RFC3161TimestampPath == "" && co.UseSignedTimestamps { + return fmt.Errorf("when specifying --use-signed-timestamps or --timestamp-certificate-chain, you must also specify --rfc3161-timestamp-path") + } + if co.UseSignedTimestamps { tsaCertificates, err := cosign.GetTSACerts(ctx, c.TSACertChainPath, cosign.GetTufTargets) if err != nil { - return fmt.Errorf("unable to load or get TSA certificates: %w", err) + return fmt.Errorf("unable to load TSA certificates: %w", err) } co.TSACertificate = tsaCertificates.LeafCert co.TSARootCertificates = tsaCertificates.RootCert @@ -206,38 +262,6 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st } } - // Keys are optional! - var cert *x509.Certificate - opts := make([]static.Option, 0) - switch { - case c.KeyRef != "": - co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, c.KeyRef) - if err != nil { - return fmt.Errorf("loading public key: %w", err) - } - pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) - if ok { - defer pkcs11Key.Close() - } - case c.Sk: - sk, err := pivkey.GetKeyWithSlot(c.Slot) - if err != nil { - return fmt.Errorf("opening piv token: %w", err) - } - defer sk.Close() - co.SigVerifier, err = sk.Verifier() - if err != nil { - return fmt.Errorf("loading public key from token: %w", err) - } - case c.CertRef != "": - cert, err = loadCertFromFileOrURL(c.CertRef) - if err != nil { - return err - } - case c.CARoots != "": - // CA roots + possible intermediates are already loaded into co.RootCerts with the call to - // loadCertsKeylessVerification above. - } if c.BundlePath != "" { b, err := cosign.FetchLocalSignedPayloadFromPath(c.BundlePath) if err != nil { diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go index 6b1b127052c..bda8e375c10 100644 --- a/cmd/cosign/cli/verify/verify_blob_test.go +++ b/cmd/cosign/cli/verify/verify_blob_test.go @@ -327,7 +327,7 @@ func TestVerifyBlob(t *testing.T) { { name: "valid signature with public key - new bundle", blob: blobBytes, - signature: blobSignature, + signature: "", key: pubKeyBytes, bundlePath: makeLocalNewBundle(t, []byte(blobSignature), sha256.Sum256(blobBytes)), newBundle: true, @@ -337,12 +337,12 @@ func TestVerifyBlob(t *testing.T) { { name: "invalid signature with public key - new bundle", blob: blobBytes, - signature: otherSignature, + signature: "", key: pubKeyBytes, - bundlePath: makeLocalNewBundle(t, []byte(blobSignature), sha256.Sum256(blobBytes)), + bundlePath: makeLocalNewBundle(t, []byte(otherSignature), sha256.Sum256(blobBytes)), newBundle: true, skipTlogVerify: true, - shouldErr: false, + shouldErr: true, }, { name: "invalid signature with public key", @@ -624,7 +624,6 @@ func TestVerifyBlob(t *testing.T) { cmd.KeyOpts.TSACertChainPath = "" cmd.CertChain = "" } - err := cmd.Exec(context.Background(), blobPath) if (err != nil) != tt.shouldErr { t.Fatalf("verifyBlob()= %s, expected shouldErr=%t ", err, tt.shouldErr) diff --git a/cmd/cosign/cli/verify/verify_bundle.go b/cmd/cosign/cli/verify/verify_bundle.go index 01921be7ffb..3d876f9a5c5 100644 --- a/cmd/cosign/cli/verify/verify_bundle.go +++ b/cmd/cosign/cli/verify/verify_bundle.go @@ -18,146 +18,165 @@ package verify import ( "bytes" "context" + "crypto/sha256" + "crypto/x509" + "encoding/base64" + "encoding/json" "fmt" - "time" + "github.com/secure-systems-lab/go-securesystemslib/dsse" + protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" + protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" + protorekor "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1" + "github.com/sigstore/rekor/pkg/generated/client" + "github.com/sigstore/rekor/pkg/tle" sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" - "github.com/sigstore/sigstore-go/pkg/fulcio/certificate" - "github.com/sigstore/sigstore-go/pkg/root" - "github.com/sigstore/sigstore-go/pkg/verify" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" - "github.com/sigstore/cosign/v2/pkg/cosign/pivkey" - sigs "github.com/sigstore/cosign/v2/pkg/signature" + "github.com/sigstore/cosign/v2/pkg/cosign" ) -type verifyTrustedMaterial struct { - root.TrustedMaterial - keyTrustedMaterial root.TrustedMaterial +func checkNewBundle(bundlePath string) bool { + _, err := sgbundle.LoadJSONFromPath(bundlePath) + return err == nil } -func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstrainedVerifier, error) { - return v.keyTrustedMaterial.PublicKeyVerifier(hint) -} - -func verifyNewBundle(ctx context.Context, bundlePath, trustedRootPath, keyRef, slot, certOIDCIssuer, certOIDCIssuerRegex, certIdentity, certIdentityRegexp, githubWorkflowTrigger, githubWorkflowSHA, githubWorkflowName, githubWorkflowRepository, githubWorkflowRef, artifactRef string, sk, ignoreTlog, useSignedTimestamps, ignoreSCT bool) error { - bundle, err := sgbundle.LoadJSONFromPath(bundlePath) +func AssembleNewBundle(ctx context.Context, sigBytes, signedTimestamp []byte, envelope *dsse.Envelope, artifactRef string, cert *x509.Certificate, ignoreTlog bool, sigVerifier signature.Verifier, pkOpts []signature.PublicKeyOption, rekorClient *client.Rekor) (*sgbundle.Bundle, error) { + payload, err := payloadBytes(artifactRef) if err != nil { - return err + return nil, err } + buf := bytes.NewBuffer(payload) + digest := sha256.Sum256(buf.Bytes()) - var trustedroot *root.TrustedRoot + pb := &protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + VerificationMaterial: &protobundle.VerificationMaterial{}, + } - if trustedRootPath == "" { - // Assume we're using public good instance; fetch via TUF - trustedroot, err = root.FetchTrustedRoot() + if envelope != nil && len(envelope.Signatures) > 0 { + sigDecode, err := base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig) if err != nil { - return err + return nil, err } - } else { - trustedroot, err = root.NewTrustedRootFromPath(trustedRootPath) - if err != nil { - return err - } - } - trustedmaterial := &verifyTrustedMaterial{TrustedMaterial: trustedroot} + sig := &protodsse.Signature{ + Sig: sigDecode, + } - // See if we need to wrap trusted root with provided key - if keyRef != "" { - signatureVerifier, err := sigs.PublicKeyFromKeyRef(ctx, keyRef) + payloadDecode, err := base64.StdEncoding.DecodeString(envelope.Payload) if err != nil { - return err + return nil, err } - newExpiringKey := root.NewExpiringKey(signatureVerifier, time.Time{}, time.Time{}) - trustedmaterial.keyTrustedMaterial = root.NewTrustedPublicKeyMaterial(func(_ string) (root.TimeConstrainedVerifier, error) { - return newExpiringKey, nil - }) - } else if sk { - s, err := pivkey.GetKeyWithSlot(slot) + pb.Content = &protobundle.Bundle_DsseEnvelope{ + DsseEnvelope: &protodsse.Envelope{ + Payload: payloadDecode, + PayloadType: envelope.PayloadType, + Signatures: []*protodsse.Signature{sig}, + }, + } + } else { + pb.Content = &protobundle.Bundle_MessageSignature{ + MessageSignature: &protocommon.MessageSignature{ + MessageDigest: &protocommon.HashOutput{ + Algorithm: protocommon.HashAlgorithm_SHA2_256, + Digest: digest[:], + }, + Signature: sigBytes, + }, + } + } + + if cert != nil { + pb.VerificationMaterial.Content = &protobundle.VerificationMaterial_Certificate{ + Certificate: &protocommon.X509Certificate{ + RawBytes: cert.Raw, + }, + } + } else if sigVerifier != nil { + pub, err := sigVerifier.PublicKey(pkOpts...) if err != nil { - return fmt.Errorf("opening piv token: %w", err) + return nil, err } - defer s.Close() - signatureVerifier, err := s.Verifier() + pubKeyBytes, err := x509.MarshalPKIXPublicKey(pub) if err != nil { - return fmt.Errorf("loading public key from token: %w", err) + return nil, err } + hashedBytes := sha256.Sum256(pubKeyBytes) - newExpiringKey := root.NewExpiringKey(signatureVerifier, time.Time{}, time.Time{}) - trustedmaterial.keyTrustedMaterial = root.NewTrustedPublicKeyMaterial(func(_ string) (root.TimeConstrainedVerifier, error) { - return newExpiringKey, nil - }) + pb.VerificationMaterial.Content = &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &protocommon.PublicKeyIdentifier{ + Hint: base64.StdEncoding.EncodeToString(hashedBytes[:]), + }, + } } - identityPolicies := []verify.PolicyOption{} - - verificationMaterial := bundle.GetVerificationMaterial() + if len(signedTimestamp) > 0 { + ts := &protocommon.RFC3161SignedTimestamp{ + SignedTimestamp: signedTimestamp, + } - if verificationMaterial == nil { - return fmt.Errorf("no verification material in bundle") + pb.VerificationMaterial.TimestampVerificationData = &protobundle.TimestampVerificationData{ + Rfc3161Timestamps: []*protocommon.RFC3161SignedTimestamp{ts}, + } } - if verificationMaterial.GetPublicKey() != nil { - identityPolicies = append(identityPolicies, verify.WithKey()) - } else { - sanMatcher, err := verify.NewSANMatcher(certIdentity, certIdentityRegexp) - if err != nil { - return err + if !ignoreTlog { + var pem []byte + var err error + if cert != nil { + pem, err = cryptoutils.MarshalCertificateToPEM(cert) + if err != nil { + return nil, err + } + } else if sigVerifier != nil { + pub, err := sigVerifier.PublicKey(pkOpts...) + if err != nil { + return nil, err + } + pem, err = cryptoutils.MarshalPublicKeyToPEM(pub) + if err != nil { + return nil, err + } + } + var sigB64 string + var payload []byte + if envelope != nil && len(envelope.Signatures) > 0 { + payload, err = json.Marshal(*envelope) + if err != nil { + return nil, err + } + } else { + sigB64 = base64.StdEncoding.EncodeToString(sigBytes) + payload = buf.Bytes() } - issuerMatcher, err := verify.NewIssuerMatcher(certOIDCIssuer, certOIDCIssuerRegex) + tlogEntries, err := cosign.FindTlogEntry(ctx, rekorClient, sigB64, payload, pem) if err != nil { - return err + return nil, err } - - extensions := certificate.Extensions{ - GithubWorkflowTrigger: githubWorkflowTrigger, - GithubWorkflowSHA: githubWorkflowSHA, - GithubWorkflowName: githubWorkflowName, - GithubWorkflowRepository: githubWorkflowRepository, - GithubWorkflowRef: githubWorkflowRef, + if len(tlogEntries) == 0 { + return nil, fmt.Errorf("unable to find tlog entry") + } + if len(tlogEntries) > 1 { + return nil, fmt.Errorf("too many tlog entries; should only have 1") } - certIdentity, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions) + tlogEntry, err := tle.GenerateTransparencyLogEntry(tlogEntries[0]) if err != nil { - return err + return nil, err } - identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certIdentity)) - } - - // Make some educated guesses about verification policy - verifierConfig := []verify.VerifierOption{} - - if len(trustedroot.RekorLogs()) > 0 && !ignoreTlog { - verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1)) - } - - if len(trustedroot.TimestampingAuthorities()) > 0 && useSignedTimestamps { - verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1)) + pb.VerificationMaterial.TlogEntries = []*protorekor.TransparencyLogEntry{tlogEntry} } - if !ignoreSCT { - verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1)) - } - - if ignoreTlog && !useSignedTimestamps { - verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsUnsafe()) - } - - // Perform verification - payload, err := payloadBytes(artifactRef) - if err != nil { - return err - } - buf := bytes.NewBuffer(payload) - - sev, err := verify.NewSignedEntityVerifier(trustedmaterial, verifierConfig...) + b, err := sgbundle.NewBundle(pb) if err != nil { - return err + return nil, err } - _, err = sev.Verify(bundle, verify.NewPolicy(verify.WithArtifact(buf), identityPolicies...)) - return err + return b, nil } diff --git a/doc/cosign.md b/doc/cosign.md index d7f90aae469..e43bccc13d6 100644 --- a/doc/cosign.md +++ b/doc/cosign.md @@ -16,6 +16,7 @@ A tool for Container Signing, Verification and Storage in an OCI registry. * [cosign attach](cosign_attach.md) - Provides utilities for attaching artifacts to other artifacts in a registry * [cosign attest](cosign_attest.md) - Attest the supplied container image. * [cosign attest-blob](cosign_attest-blob.md) - Attest the supplied blob. +* [cosign bundle](cosign_bundle.md) - Interact with a Sigstore protobuf bundle * [cosign clean](cosign_clean.md) - Remove all signatures from an image. * [cosign completion](cosign_completion.md) - Generate completion script * [cosign copy](cosign_copy.md) - Copy the supplied container image and signatures. @@ -37,6 +38,7 @@ A tool for Container Signing, Verification and Storage in an OCI registry. * [cosign sign-blob](cosign_sign-blob.md) - Sign the supplied blob, outputting the base64-encoded signature to stdout. * [cosign tree](cosign_tree.md) - Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations * [cosign triangulate](cosign_triangulate.md) - Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type. +* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root * [cosign upload](cosign_upload.md) - Provides utilities for uploading artifacts to a registry * [cosign verify](cosign_verify.md) - Verify a signature on the supplied container image * [cosign verify-attestation](cosign_verify-attestation.md) - Verify an attestation on the supplied container image diff --git a/doc/cosign_attach_attestation.md b/doc/cosign_attach_attestation.md index 8498ed21370..2c53d1d508e 100644 --- a/doc/cosign_attach_attestation.md +++ b/doc/cosign_attach_attestation.md @@ -29,7 +29,11 @@ cosign attach attestation [flags] --attestation stringArray path to the attestation envelope -h, --help help for attestation --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_attach_sbom.md b/doc/cosign_attach_sbom.md index 07948123883..f4d5cd846c5 100644 --- a/doc/cosign_attach_sbom.md +++ b/doc/cosign_attach_sbom.md @@ -27,8 +27,12 @@ cosign attach sbom [flags] -h, --help help for sbom --input-format string type of sbom input format (json|xml|text) --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1 + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --sbom string path to the sbom, or {-} for stdin diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md index 21e96f4f589..a0355876e0e 100644 --- a/doc/cosign_attach_signature.md +++ b/doc/cosign_attach_signature.md @@ -40,7 +40,11 @@ cosign attach signature [flags] -h, --help help for signature --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --payload string path to the payload covered by the signature + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-response string path to the rekor bundle diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 19e201291d6..d31fb8fd8a5 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md @@ -67,7 +67,11 @@ cosign attest [flags] --predicate string path to the predicate file. --record-creation-timestamp set the createdAt timestamp in the attestation artifact to the time it was created; by default, cosign sets this to the zero value -r, --recursive if a multi-arch image is specified, additionally sign each discrete image + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-entry-type string specifies the type to be used for a rekor entry upload. Options are intoto or dsse (default). (default "dsse") diff --git a/doc/cosign_bundle.md b/doc/cosign_bundle.md new file mode 100644 index 00000000000..27c77009d25 --- /dev/null +++ b/doc/cosign_bundle.md @@ -0,0 +1,27 @@ +## cosign bundle + +Interact with a Sigstore protobuf bundle + +### Synopsis + +Tools for interacting with a Sigstore protobuf bundle + +### Options + +``` + -h, --help help for bundle +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. +* [cosign bundle create](cosign_bundle_create.md) - Create a Sigstore protobuf bundle + diff --git a/doc/cosign_bundle_create.md b/doc/cosign_bundle_create.md new file mode 100644 index 00000000000..5fe3f6a76f9 --- /dev/null +++ b/doc/cosign_bundle_create.md @@ -0,0 +1,42 @@ +## cosign bundle create + +Create a Sigstore protobuf bundle + +### Synopsis + +Create a Sigstore protobuf bundle by supplying signed material + +``` +cosign bundle create [flags] +``` + +### Options + +``` + --artifact string path to artifact FILE + --attestation string path to attestation FILE + --bundle string path to old format bundle FILE + --certificate string path to the signing certificate, likely from Fulco. + -h, --help help for create + --ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. + --key string path to the public key file, KMS URI or Kubernetes Secret + --out string path to output bundle + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") + --rfc3161-timestamp string path to RFC3161 timestamp FILE + --signature string path to base64-encoded signature over attestation in DSSE format + --sk whether to use a hardware security key + --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign bundle](cosign_bundle.md) - Interact with a Sigstore protobuf bundle + diff --git a/doc/cosign_clean.md b/doc/cosign_clean.md index bbefe406d2d..fba11ddce57 100644 --- a/doc/cosign_clean.md +++ b/doc/cosign_clean.md @@ -21,7 +21,11 @@ cosign clean [flags] -f, --force do not prompt for confirmation -h, --help help for clean --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --type CLEAN_TYPE a type of clean: (sbom is deprecated) (default all) diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md index 5cce9b638d5..8a499692808 100644 --- a/doc/cosign_copy.md +++ b/doc/cosign_copy.md @@ -36,9 +36,13 @@ cosign copy [flags] -f, --force overwrite destination image(s), if necessary -h, --help help for copy --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). - --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att + --only strings custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom --platform string only copy container image and its signatures for a specific platform image + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --sig-only [DEPRECATED] only copy the image signature diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md index aea4d4aadde..0b64d614cd6 100644 --- a/doc/cosign_dockerfile_verify.md +++ b/doc/cosign_dockerfile_verify.md @@ -81,7 +81,11 @@ cosign dockerfile verify [flags] -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_download_attestation.md b/doc/cosign_download_attestation.md index c1e8a656d9d..30e768ed193 100644 --- a/doc/cosign_download_attestation.md +++ b/doc/cosign_download_attestation.md @@ -22,7 +22,11 @@ cosign download attestation [flags] --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --platform string download attestation for a specific platform image --predicate-type string download attestation with matching predicateType + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_download_sbom.md b/doc/cosign_download_sbom.md index 77bbaa8c2cf..03b18f3e00a 100644 --- a/doc/cosign_download_sbom.md +++ b/doc/cosign_download_sbom.md @@ -27,7 +27,11 @@ cosign download sbom [flags] -h, --help help for sbom --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --platform string download SBOM for a specific platform image + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_download_signature.md b/doc/cosign_download_signature.md index fc830089c4f..371a8699656 100644 --- a/doc/cosign_download_signature.md +++ b/doc/cosign_download_signature.md @@ -20,7 +20,11 @@ cosign download signature [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] -h, --help help for signature --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_generate.md b/doc/cosign_generate.md index 34b55f1daac..8996f56438a 100644 --- a/doc/cosign_generate.md +++ b/doc/cosign_generate.md @@ -36,7 +36,11 @@ cosign generate [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] -h, --help help for generate --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md index 84f4fa30272..1b927192696 100644 --- a/doc/cosign_initialize.md +++ b/doc/cosign_initialize.md @@ -25,24 +25,28 @@ cosign initialize [flags] ### Examples ``` -cosign initialize -mirror -out +cosign initialize --mirror --out # initialize root with distributed root keys, default mirror, and default out path. cosign initialize # initialize with an out-of-band root key file, using the default mirror. -cosign initialize -root +cosign initialize --root # initialize with an out-of-band root key file and custom repository mirror. -cosign initialize -mirror -root +cosign initialize --mirror --root + +# initialize with an out-of-band root key file and custom repository mirror while verifying root checksum. +cosign initialize --mirror --root --root-checksum ``` ### Options ``` - -h, --help help for initialize - --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev") - --root string path to trusted initial root. defaults to embedded root + -h, --help help for initialize + --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev") + --root string path to trusted initial root. defaults to embedded root + --root-checksum string checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512: ``` ### Options inherited from parent commands diff --git a/doc/cosign_load.md b/doc/cosign_load.md index 8051c461413..17412943270 100644 --- a/doc/cosign_load.md +++ b/doc/cosign_load.md @@ -25,7 +25,11 @@ cosign load [flags] --dir string path to directory where the signed image is stored on disk -h, --help help for load --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md index dc1af148c48..4bd31816c1b 100644 --- a/doc/cosign_manifest_verify.md +++ b/doc/cosign_manifest_verify.md @@ -75,7 +75,11 @@ cosign manifest verify [flags] -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_save.md b/doc/cosign_save.md index 53cc93eb419..fa6cd9590b2 100644 --- a/doc/cosign_save.md +++ b/doc/cosign_save.md @@ -25,7 +25,11 @@ cosign save [flags] --dir string path to dir where the signed image should be stored on disk -h, --help help for save --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 9e28e10fd25..07c3bb98fa3 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md @@ -99,8 +99,12 @@ cosign sign [flags] --payload string path to a payload file to use rather than generating one --record-creation-timestamp set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value -r, --recursive if a multi-arch image is specified, additionally sign each discrete image + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1 + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_tree.md b/doc/cosign_tree.md index 6af48f1290b..53deab00abd 100644 --- a/doc/cosign_tree.md +++ b/doc/cosign_tree.md @@ -20,7 +20,11 @@ cosign tree [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] -h, --help help for tree --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_triangulate.md b/doc/cosign_triangulate.md index 07b41494843..875bc72c257 100644 --- a/doc/cosign_triangulate.md +++ b/doc/cosign_triangulate.md @@ -20,7 +20,11 @@ cosign triangulate [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] -h, --help help for triangulate --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --type string related attachment to triangulate (attestation|sbom|signature|digest), default signature (sbom is deprecated) (default "signature") diff --git a/doc/cosign_trusted-root.md b/doc/cosign_trusted-root.md new file mode 100644 index 00000000000..eb2dc15dfb9 --- /dev/null +++ b/doc/cosign_trusted-root.md @@ -0,0 +1,27 @@ +## cosign trusted-root + +Interact with a Sigstore protobuf trusted root + +### Synopsis + +Tools for interacting with a Sigstore protobuf trusted root + +### Options + +``` + -h, --help help for trusted-root +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. +* [cosign trusted-root create](cosign_trusted-root_create.md) - Create a Sigstore protobuf trusted root + diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md new file mode 100644 index 00000000000..486aa8a8a44 --- /dev/null +++ b/doc/cosign_trusted-root_create.md @@ -0,0 +1,37 @@ +## cosign trusted-root create + +Create a Sigstore protobuf trusted root + +### Synopsis + +Create a Sigstore protobuf trusted root by supplying verification material + +``` +cosign trusted-root create [flags] +``` + +### Options + +``` + --certificate-chain stringArray path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. + --ctfe-key stringArray path to a PEM-encoded public key used by certificate authority for certificate transparency log. + --ctfe-start-time stringArray RFC 3339 string describing validity start time for key use by certificate transparency log. + -h, --help help for create + --out string path to output trusted root + --rekor-key stringArray path to a PEM-encoded public key used by transparency log like Rekor. + --rekor-start-time stringArray RFC 3339 string describing validity start time for key use by transparency log like Rekor. + --timestamp-certificate-chain stringArray path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root + diff --git a/doc/cosign_upload_blob.md b/doc/cosign_upload_blob.md index 0688d525624..59c0c7a1b6b 100644 --- a/doc/cosign_upload_blob.md +++ b/doc/cosign_upload_blob.md @@ -41,7 +41,11 @@ cosign upload blob [flags] -f, --files strings :[platform/arch] -h, --help help for blob --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_upload_wasm.md b/doc/cosign_upload_wasm.md index da99e0a8f96..15bc70a7f4c 100644 --- a/doc/cosign_upload_wasm.md +++ b/doc/cosign_upload_wasm.md @@ -21,7 +21,11 @@ cosign upload wasm [flags] -f, --file string path to the wasm file to upload -h, --help help for wasm --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username ``` diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index 9b747ab9ef0..d370f05cf52 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md @@ -85,7 +85,11 @@ cosign verify-attestation [flags] -o, --output string output format for the signing image information (json|text) (default "json") --policy strings specify CUE or Rego files with policies to be used for validation --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md index 0852f21fc81..de9e10dd4c1 100644 --- a/doc/cosign_verify.md +++ b/doc/cosign_verify.md @@ -102,7 +102,11 @@ cosign verify [flags] -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure + --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry + --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry + --registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry --registry-password string registry basic auth password + --registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry --registry-token string registry bearer auth token --registry-username string registry basic auth username --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") diff --git a/go.mod b/go.mod index 061563658b9..e8eb0e90873 100644 --- a/go.mod +++ b/go.mod @@ -1,86 +1,86 @@ module github.com/sigstore/cosign/v2 -go 1.22.7 +go 1.23.4 require ( - cuelang.org/go v0.9.2 + cuelang.org/go v0.12.0 github.com/ThalesIgnite/crypto11 v1.2.5 - github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 - github.com/buildkite/agent/v3 v3.81.0 + github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 + github.com/buildkite/agent/v3 v3.92.1 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 github.com/dustin/go-humanize v1.0.1 + github.com/go-jose/go-jose/v3 v3.0.3 github.com/go-openapi/runtime v0.28.0 github.com/go-openapi/strfmt v0.23.0 github.com/go-openapi/swag v0.23.0 - github.com/go-piv/piv-go v1.11.0 - github.com/google/certificate-transparency-go v1.2.1 + github.com/go-piv/piv-go/v2 v2.3.0 + github.com/google/certificate-transparency-go v1.3.1 github.com/google/go-cmp v0.6.0 - github.com/google/go-containerregistry v0.20.2 + github.com/google/go-containerregistry v0.20.3 github.com/google/go-github/v55 v55.0.0 github.com/in-toto/in-toto-golang v0.9.0 github.com/kelseyhightower/envconfig v1.4.0 github.com/manifoldco/promptui v0.9.0 github.com/miekg/pkcs11 v1.1.1 github.com/mitchellh/go-wordwrap v1.0.1 - github.com/moby/term v0.5.0 + github.com/moby/term v0.5.2 github.com/mozillazg/docker-credential-acr-helper v0.4.0 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 - github.com/open-policy-agent/opa v0.68.0 - github.com/pkg/errors v0.9.1 - github.com/secure-systems-lab/go-securesystemslib v0.8.0 - github.com/sigstore/fulcio v1.6.3 - github.com/sigstore/protobuf-specs v0.3.2 - github.com/sigstore/rekor v1.3.6 - github.com/sigstore/sigstore v1.8.9 - github.com/sigstore/sigstore-go v0.6.1 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8 - github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8 - github.com/sigstore/timestamp-authority v1.2.2 - github.com/spf13/cobra v1.8.1 - github.com/spf13/pflag v1.0.5 + github.com/open-policy-agent/opa v1.1.0 + github.com/secure-systems-lab/go-securesystemslib v0.9.0 + github.com/sigstore/fulcio v1.6.6 + github.com/sigstore/protobuf-specs v0.4.0 + github.com/sigstore/rekor v1.3.9 + github.com/sigstore/sigstore v1.8.15 + github.com/sigstore/sigstore-go v0.7.0 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.15 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.15 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.15 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.15 + github.com/sigstore/timestamp-authority v1.2.4 + github.com/spf13/cobra v1.9.1 + github.com/spf13/pflag v1.0.6 github.com/spf13/viper v1.19.0 - github.com/spiffe/go-spiffe/v2 v2.3.0 - github.com/stretchr/testify v1.9.0 + github.com/spiffe/go-spiffe/v2 v2.5.0 + github.com/stretchr/testify v1.10.0 + github.com/theupdateframework/go-tuf/v2 v2.0.2 github.com/transparency-dev/merkle v0.0.2 github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 - github.com/xanzy/go-gitlab v0.109.0 - go.step.sm/crypto v0.51.1 - golang.org/x/crypto v0.31.0 - golang.org/x/oauth2 v0.24.0 - golang.org/x/sync v0.10.0 - golang.org/x/term v0.27.0 - google.golang.org/api v0.214.0 - google.golang.org/protobuf v1.35.2 + gitlab.com/gitlab-org/api/client-go v0.123.0 + golang.org/x/crypto v0.33.0 + golang.org/x/oauth2 v0.26.0 + golang.org/x/sync v0.11.0 + golang.org/x/term v0.29.0 + google.golang.org/api v0.221.0 + google.golang.org/protobuf v1.36.5 k8s.io/api v0.28.3 k8s.io/apimachinery v0.28.3 k8s.io/client-go v0.28.3 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 - sigs.k8s.io/release-utils v0.8.4 + sigs.k8s.io/release-utils v0.11.0 ) require ( cloud.google.com/go v0.116.0 // indirect - cloud.google.com/go/auth v0.13.0 // indirect - cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect + cloud.google.com/go/auth v0.14.1 // indirect + cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect cloud.google.com/go/compute/metadata v0.6.0 // indirect cloud.google.com/go/iam v1.2.2 // indirect - cloud.google.com/go/kms v1.20.2 // indirect + cloud.google.com/go/kms v1.20.5 // indirect cloud.google.com/go/longrunning v0.6.2 // indirect - cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565 // indirect + cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect - github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect + github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.29 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect @@ -89,11 +89,11 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect - github.com/agnivade/levenshtein v1.1.1 // indirect + github.com/agnivade/levenshtein v1.2.0 // indirect github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect @@ -106,52 +106,51 @@ require ( github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.55.5 // indirect - github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect - github.com/aws/aws-sdk-go-v2/config v1.27.33 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.35.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect - github.com/aws/smithy-go v1.20.4 // indirect + github.com/aws/aws-sdk-go v1.55.6 // indirect + github.com/aws/aws-sdk-go-v2 v1.36.1 // indirect + github.com/aws/aws-sdk-go-v2/config v1.29.6 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.59 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3 // indirect + github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.37.18 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 // indirect + github.com/aws/smithy-go v1.22.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect - github.com/buildkite/go-pipeline v0.13.1 // indirect - github.com/buildkite/interpolate v0.1.3 // indirect - github.com/buildkite/roko v1.2.0 // indirect - github.com/cenkalti/backoff/v3 v3.2.2 // indirect + github.com/buildkite/go-pipeline v0.13.3 // indirect + github.com/buildkite/interpolate v0.1.5 // indirect + github.com/buildkite/roko v1.3.1 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect github.com/cloudflare/circl v1.3.7 // indirect github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect - github.com/coreos/go-oidc/v3 v3.11.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect + github.com/coreos/go-oidc/v3 v3.12.0 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect - github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/cli v27.5.0+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.0 // indirect + github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/emicklei/proto v1.12.1 // indirect + github.com/emicklei/proto v1.13.4 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fsnotify/fsnotify v1.8.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-ini/ini v1.67.0 // indirect - github.com/go-jose/go-jose/v3 v3.0.3 // indirect github.com/go-jose/go-jose/v4 v4.0.4 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -164,19 +163,18 @@ require ( github.com/go-openapi/validate v0.24.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v4 v4.5.1 // indirect github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect - github.com/google/flatbuffers v2.0.8+incompatible // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-querystring v1.1.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/s2a-go v0.1.8 // indirect + github.com/google/s2a-go v0.1.9 // indirect github.com/google/tink/go v1.7.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect - github.com/googleapis/gax-go/v2 v2.14.0 // indirect + github.com/googleapis/gax-go/v2 v2.14.1 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect @@ -187,22 +185,22 @@ require ( github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.5 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect - github.com/hashicorp/vault/api v1.14.0 // indirect + github.com/hashicorp/vault/api v1.16.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/in-toto/attestation v1.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect - github.com/jellydator/ttlcache/v3 v3.2.0 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jellydator/ttlcache/v3 v3.3.0 // indirect + github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.9 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect - github.com/magiconair/properties v1.8.7 // indirect + github.com/magiconair/properties v1.8.9 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect - github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect @@ -212,17 +210,18 @@ require ( github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pborman/uuid v1.2.1 // indirect - github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_golang v1.20.2 // indirect + github.com/prometheus/client_golang v1.20.5 // indirect github.com/prometheus/client_model v0.6.1 // indirect - github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/common v0.62.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect - github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf // indirect + github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect - github.com/rogpeppe/go-internal v1.12.0 // indirect - github.com/rs/cors v1.11.0 // indirect + github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a // indirect + github.com/rs/cors v1.11.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect @@ -234,46 +233,47 @@ require ( github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect - github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect - github.com/tchap/go-patricia/v2 v2.3.1 // indirect + github.com/tchap/go-patricia/v2 v2.3.2 // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect - github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/urfave/negroni v1.0.0 // indirect - github.com/vbatts/tar-split v0.11.5 // indirect + github.com/vbatts/tar-split v0.11.6 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect - github.com/zeebo/errs v1.3.0 // indirect + github.com/zeebo/errs v1.4.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 // indirect - go.opentelemetry.io/otel v1.30.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect - go.opentelemetry.io/otel/sdk v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.30.0 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect + go.opentelemetry.io/otel v1.34.0 // indirect + go.opentelemetry.io/otel/metric v1.34.0 // indirect + go.opentelemetry.io/otel/sdk v1.34.0 // indirect + go.opentelemetry.io/otel/trace v1.34.0 // indirect + go.step.sm/crypto v0.57.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect golang.org/x/mod v0.22.0 // indirect - golang.org/x/net v0.33.0 // indirect - golang.org/x/sys v0.28.0 // indirect - golang.org/x/text v0.21.0 // indirect - golang.org/x/time v0.8.0 // indirect - golang.org/x/tools v0.27.0 // indirect + golang.org/x/net v0.35.0 // indirect + golang.org/x/sys v0.30.0 // indirect + golang.org/x/text v0.22.0 // indirect + golang.org/x/time v0.10.0 // indirect + golang.org/x/tools v0.29.0 // indirect google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect - google.golang.org/grpc v1.68.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect + google.golang.org/grpc v1.70.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect diff --git a/go.sum b/go.sum index 887a88f4e2e..1737bd1b005 100644 --- a/go.sum +++ b/go.sum @@ -1,22 +1,22 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= -cloud.google.com/go/auth v0.13.0 h1:8Fu8TZy167JkW8Tj3q7dIkr2v4cndv41ouecJx0PAHs= -cloud.google.com/go/auth v0.13.0/go.mod h1:COOjD9gwfKNKz+IIduatIhYJQIc0mG3H102r/EMxX6Q= -cloud.google.com/go/auth/oauth2adapt v0.2.6 h1:V6a6XDu2lTwPZWOawrAa9HUK+DB2zfJyTuciBG5hFkU= -cloud.google.com/go/auth/oauth2adapt v0.2.6/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= +cloud.google.com/go/auth v0.14.1 h1:AwoJbzUdxA/whv1qj3TLKwh3XX5sikny2fc40wUl+h0= +cloud.google.com/go/auth v0.14.1/go.mod h1:4JHUxlGXisL0AW8kXPtUF6ztuOksyfUQNFjfsOCXkPM= +cloud.google.com/go/auth/oauth2adapt v0.2.7 h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M= +cloud.google.com/go/auth/oauth2adapt v0.2.7/go.mod h1:NTbTTzfvPl1Y3V1nPpOgl2w6d/FjO7NNUQaWSox6ZMc= cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= -cloud.google.com/go/kms v1.20.2 h1:NGTHOxAyhDVUGVU5KngeyGScrg2D39X76Aphe6NC7S0= -cloud.google.com/go/kms v1.20.2/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc= +cloud.google.com/go/kms v1.20.5 h1:aQQ8esAIVZ1atdJRxihhdxGQ64/zEbJoJnCz/ydSmKg= +cloud.google.com/go/kms v1.20.5/go.mod h1:C5A8M1sv2YWYy1AE6iSrnddSG9lRGdJq5XEdBy28Lmw= cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= -cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565 h1:R5wwEcbEZSBmeyg91MJZTxfd7WpBo2jPof3AYjRbxwY= -cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565/go.mod h1:5A4xfTzHTXfeVJBU6RAUf+QrlfTCW+017q/QiW+sMLg= -cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs= -cuelang.org/go v0.9.2/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk= +cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 h1:mRwydyTyhtRX2wXS3mqYWzR2qlv6KsmoKXmlz5vInjg= +cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1/go.mod h1:5A4xfTzHTXfeVJBU6RAUf+QrlfTCW+017q/QiW+sMLg= +cuelang.org/go v0.12.0 h1:q4W5I+RtDIA27rslQyyt6sWkXX0YS9qm43+U1/3e0kU= +cuelang.org/go v0.12.0/go.mod h1:B4+kjvGGQnbkz+GuAv1dq/R308gTkp0sO28FdMrJ2Kw= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg= @@ -25,18 +25,20 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0/go.mod h1:tlqp9mUGbsP+0z3Q+c0Q5MgSdq/OMwQhm5bffR3Q3ss= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 h1:1mvYtZfWQAnwNah/C+Z+Jb9rQH95LPE2vlmMuWAHJk8= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1/go.mod h1:75I/mXtme1JyWFtz8GocPHVFyH421IBoZErnO16dd0k= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1 h1:Bk5uOhSAenHyR5P61D/NzeQCv+4fEVV8mOkJ82NqpWw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1/go.mod h1:QZ4pw3or1WPmRBxf0cHd1tknzrT54WPBOQoGutCPvSU= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= -github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= -github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0 h1:7rKG7UmnrxX4N53TFhkYqjc+kVUZuw0fL8I3Fh+Ld9E= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0/go.mod h1:Wjo+24QJVhhl/L7jy6w9yzFF2yDOf3cKECAa8ecf9vE= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= @@ -60,8 +62,10 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= -github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 h1:kYRSnvJju5gYVyhkij+RTJ/VR6QIUaCfWeaFm2ycsjQ= +github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= @@ -71,8 +75,8 @@ github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= -github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= -github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= +github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY= +github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.2/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc= @@ -122,69 +126,61 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdK github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= -github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= -github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU= -github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks= -github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I= -github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= -github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE= -github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0= -github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.7 h1:v0D1LeMkA/X+JHAZWERrr+sUGOt8KrCZKnJA6KszkcE= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.7/go.mod h1:K9lwD0Rsx9+NSaJKsdAdlDK4b2G4KKOEve9PzHxPoMI= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= -github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= -github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= +github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk= +github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.36.1 h1:iTDl5U6oAhkNPba0e1t1hrwAo02ZMqbrGq4k5JBWM5E= +github.com/aws/aws-sdk-go-v2 v1.36.1/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM= +github.com/aws/aws-sdk-go-v2/config v1.29.6 h1:fqgqEKK5HaZVWLQoLiC9Q+xDlSp+1LYidp6ybGE2OGg= +github.com/aws/aws-sdk-go-v2/config v1.29.6/go.mod h1:Ft+WLODzDQmCTHDvqAH1JfC2xxbZ0MxpZAcJqmE1LTQ= +github.com/aws/aws-sdk-go-v2/credentials v1.17.59 h1:9btwmrt//Q6JcSdgJOLI98sdr5p7tssS9yAsGe8aKP4= +github.com/aws/aws-sdk-go-v2/credentials v1.17.59/go.mod h1:NM8fM6ovI3zak23UISdWidyZuI1ghNe2xjzUZAyT+08= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 h1:KwsodFKVQTlI5EyhRSugALzsV6mG/SGrdjlMXSZSdso= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28/go.mod h1:EY3APf9MzygVhKuPXAc5H+MkGb8k/DOSQjWS0LgkKqI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 h1:BjUcr3X3K0wZPGFg2bxOWW3VPN8rkE3/61zhP+IHviA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32/go.mod h1:80+OGC/bgzzFFTUmcuwD0lb4YutwQeKLFpmt6hoWapU= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 h1:m1GeXHVMJsRsUAqG6HjZWx9dj7F5TR+cF1bjyfYyBd4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32/go.mod h1:IitoQxGfaKdVLNg0hD8/DXmAqNy0H4K2H2Sf91ti8sI= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3 h1:a+210FCU/pR5hhKRaskRfX/ogcyyzFBrehcTk5DTAyU= +github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3/go.mod h1:dtD3a4sjUjVL86e0NUvaqdGvds5ED6itUiZPDaT+Gh8= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 h1:E6/Myrj9HgLF22medmDrKmbpm4ULsa+cIBNx3phirBk= +github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2/go.mod h1:OQ8NALFcchBJ/qruak6zKUQodovnTKKaReTuCkc5/9Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 h1:SYVGSFQHlchIcy6e7x12bsrxClCXSP5et8cqVhL8cuw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13/go.mod h1:kizuDaLX37bG5WZaoxGPQR/LNFXpxp0vsUnqfkWXfNE= +github.com/aws/aws-sdk-go-v2/service/kms v1.37.18 h1:pi9M/9n1PLayBXjia7LfwgXwcpFdFO7Q2cqKOZa1ZmM= +github.com/aws/aws-sdk-go-v2/service/kms v1.37.18/go.mod h1:vZXvmzfhdsPj/axc8+qk/2fSCP4hGyaZ1MAduWEHAxM= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 h1:/eE3DogBjYlvlbhd2ssWyeuovWunHLxfgw3s/OJa4GQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.15/go.mod h1:2PCJYpi7EKeA5SkStAmZlF6fi0uUABuhtF8ILHjGc3Y= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 h1:M/zwXiL2iXUrHputuXgmO94TVNmcenPHxgLXLutodKE= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14/go.mod h1:RVwIw3y/IqxC2YEXSIkAzRDdEU1iRabDPaYjpGCbCGQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 h1:TzeR06UCMUq+KA3bDkujxK1GVGy+G8qQN/QVYzGLkQE= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.14/go.mod h1:dspXf/oYWGWo6DEvj98wpaTeqt5+DMidZD0A9BYTizc= +github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= +github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 h1:50sS0RWhGpW/yZx2KcDNEb1u1MANv5BMEkJgcieEDTA= +github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1/go.mod h1:ErZOtbzuHabipRTDTor0inoRlYwbsV1ovwSxjGs/uJo= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/buildkite/agent/v3 v3.81.0 h1:JVfkng2XnsXesFXwiFwLJFkuzVu4zvoJCvedfoIXD6E= -github.com/buildkite/agent/v3 v3.81.0/go.mod h1:edJeyycODRxaFvpT22rDGwaQ5oa4eB8GjtbjgX5VpFw= -github.com/buildkite/go-pipeline v0.13.1 h1:Y9p8pQIwPtauVwNrcmTDH6+XK7jE1nLuvWVaK8oymA8= -github.com/buildkite/go-pipeline v0.13.1/go.mod h1:2HHqlSFTYgHFhzedJu0LhLs9n5c9XkYnHiQFVN5HE4U= -github.com/buildkite/interpolate v0.1.3 h1:OFEhqji1rNTRg0u9DsSodg63sjJQEb1uWbENq9fUOBM= -github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8= -github.com/buildkite/roko v1.2.0 h1:hbNURz//dQqNl6Eo9awjQOVOZwSDJ8VEbBDxSfT9rGQ= -github.com/buildkite/roko v1.2.0/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp2cP46I= +github.com/buildkite/agent/v3 v3.92.1 h1:6HLdDbU5z6ZyJ3TCt/UQEcLv2nhg/gdS4ApnsrUwhOE= +github.com/buildkite/agent/v3 v3.92.1/go.mod h1:mUNebi1cYh66iBjqVdJTgEn+sm53x8zC/XQQfpZSk9A= +github.com/buildkite/go-pipeline v0.13.3 h1:llI7sAdZ7sqYE7r8ePlmDADRhJ1K0Kua2+gv74Z9+Es= +github.com/buildkite/go-pipeline v0.13.3/go.mod h1:1uC2XdHkTV1G5jYv9K8omERIwrsYbBruBrPx1Zu1uFw= +github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU= +github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc= +github.com/buildkite/roko v1.3.1 h1:t7K30ceLLYn6k7hQP4oq1c7dVlhgD5nRcuSRDEEnY1s= +github.com/buildkite/roko v1.3.1/go.mod h1:23R9e6nHxgedznkwwfmqZ6+0VJZJZ2Sg/uVcp2cP46I= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= -github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= -github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= @@ -212,30 +208,32 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUo github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= -github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= -github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI= -github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= +github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= +github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo= +github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.19 h1:tUN6H7LWqNx4hQVxomd0CVsDwaDr9gaRQaI4GpSmrsA= github.com/creack/pty v1.1.19/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= -github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= +github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= +github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936 h1:foGzavPWwtoyBvjWyKJYDYsyzy+23iBV7NKTwdk+LRY= github.com/depcheck-test/depcheck-test v0.0.0-20220607135614-199033aaa936/go.mod h1:ttKPnOepYt4LLzD+loXQ1rT6EmpyIYHro7TAJuIIlHo= -github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= -github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= -github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= -github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= -github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= -github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dgraph-io/badger/v4 v4.5.1 h1:7DCIXrQjo1LKmM96YD+hLVJ2EEsyyoWxJfpdd56HLps= +github.com/dgraph-io/badger/v4 v4.5.1/go.mod h1:qn3Be0j3TfV4kPbVoK0arXCD1/nr1ftth6sbL5jxdoA= +github.com/dgraph-io/ristretto/v2 v2.1.0 h1:59LjpOJLNDULHh8MC4UaegN52lC4JnO2dITsie/Pa8I= +github.com/dgraph-io/ristretto/v2 v2.1.0/go.mod h1:uejeqfYXpUomfse0+lO+13ATz4TypQYLJZzBSAemuB4= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= +github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE= github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= @@ -243,20 +241,20 @@ github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1G github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7/go.mod h1:GvWntX9qiTlOud0WkQ6ewFm0LPy5JUR1Xo0Ngbd1w6Y= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM= +github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8= -github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE= -github.com/emicklei/proto v1.12.1/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= +github.com/emicklei/proto v1.13.4 h1:myn1fyf8t7tAqIzV91Tj9qXpvyXXGXk8OS2H6IBSc9g= +github.com/emicklei/proto v1.13.4/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= @@ -274,8 +272,8 @@ github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7z github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU= -github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= -github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M= +github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= @@ -309,8 +307,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= -github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= -github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= +github.com/go-piv/piv-go/v2 v2.3.0 h1:kKkrYlgLQTMPA6BiSL25A7/x4CEh2YCG7rtb/aTkx+g= +github.com/go-piv/piv-go/v2 v2.3.0/go.mod h1:ShZi74nnrWNQEdWzRUd/3cSig3uNOcEZp+EWl0oewnI= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= @@ -330,13 +328,12 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= +github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY= -github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= @@ -355,10 +352,10 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME= -github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE= -github.com/google/flatbuffers v2.0.8+incompatible h1:ivUb1cGomAB101ZM1T0nOiWz9pSrTMoa9+EiY7igmkM= -github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/certificate-transparency-go v1.3.1 h1:akbcTfQg0iZlANZLn0L9xOeWtyCIdeoYhKrqi5iH3Go= +github.com/google/certificate-transparency-go v1.3.1/go.mod h1:gg+UQlx6caKEDQ9EElFOujyxEQEfOiQzAt6782Bvi8k= +github.com/google/flatbuffers v24.12.23+incompatible h1:ubBKR94NR4pXUCY/MUsRVzd9umNW7ht7EG9hHfS9FX8= +github.com/google/flatbuffers v24.12.23+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -367,12 +364,11 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= -github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= +github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= +github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -381,28 +377,28 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= -github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k= +github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= +github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= -github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= -github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI= +github.com/google/trillian v1.7.1 h1:+zX8jLM3524bAMPS+VxaDIDgsMv3/ty6DuLWerHXcek= +github.com/google/trillian v1.7.1/go.mod h1:E1UMAHqpZCA8AQdrKdWmHmtUfSeiD0sDWD1cv00Xa+c= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= -github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o= -github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk= +github.com/googleapis/gax-go/v2 v2.14.1 h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q= +github.com/googleapis/gax-go/v2 v2.14.1/go.mod h1:Hb/NubMaVM88SrNkvl8X/o8XWwDJEPqouaLeN2IUxoA= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -430,8 +426,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= -github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= -github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk= +github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5LhwQN4= +github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= @@ -444,12 +440,22 @@ github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438 h1:Dj0L5fhJ9F82ZJyVOmBx6msDp/kfd1t9GRfny/mfJA0= +github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI= +github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= -github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE= -github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc= +github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= @@ -462,10 +468,12 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= @@ -478,8 +486,8 @@ github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2T github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= -github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM= +github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA= @@ -502,10 +510,10 @@ github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUb github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= -github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= -github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c h1:cqn374mizHuIWj+OSJCajGr/phAmuMug9qIX3l9CflE= +github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -542,8 +550,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= -github.com/open-policy-agent/opa v0.68.0 h1:Jl3U2vXRjwk7JrHmS19U3HZO5qxQRinQbJ2eCJYSqJQ= -github.com/open-policy-agent/opa v0.68.0/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w= +github.com/open-policy-agent/opa v1.1.0 h1:HMz2evdEMTyNqtdLjmu3Vyx06BmhNYAx67Yz3Ll9q2s= +github.com/open-policy-agent/opa v1.1.0/go.mod h1:T1pASQ1/vwfTa+e2fYcfpLCvWgYtqtiUv+IuA/dLPQs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= @@ -552,8 +560,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+ github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= -github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= +github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -563,23 +571,25 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= -github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= +github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62zIzQwvoD7Ekj3ePDF5bv9Xxy0w6AZk0qYbjUk= -github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= +github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d h1:HWfigq7lB31IeJL8iy7jkUmU/PG1Sr8jVGhS749dbUA= +github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= -github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po= -github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= +github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a h1:w3tdWGKbLGBPtR/8/oO74W6hmz0qE5q0z9aqSAewaaM= +github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a/go.mod h1:S8kfXMp+yh77OxPD4fdM6YUknrZpQxLhvxzS4gDHENY= +github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= +github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= @@ -593,34 +603,34 @@ github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGq github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk= github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4= github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k= -github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= -github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= +github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= +github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= -github.com/sigstore/fulcio v1.6.3 h1:Mvm/bP6ELHgazqZehL8TANS1maAkRoM23CRAdkM4xQI= -github.com/sigstore/fulcio v1.6.3/go.mod h1:5SDgLn7BOUVLKe1DwOEX3wkWFu5qEmhUlWm+SFf0GH8= -github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo= -github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= -github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= -github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= -github.com/sigstore/sigstore v1.8.9 h1:NiUZIVWywgYuVTxXmRoTT4O4QAGiTEKup4N1wdxFadk= -github.com/sigstore/sigstore v1.8.9/go.mod h1:d9ZAbNDs8JJfxJrYmulaTazU3Pwr8uLL9+mii4BNR3w= -github.com/sigstore/sigstore-go v0.6.1 h1:tGkkv1oDIER+QYU5MrjqlttQOVDWfSkmYwMqkJhB/cg= -github.com/sigstore/sigstore-go v0.6.1/go.mod h1:Xe5GHmUeACRFbomUWzVkf/xYCn8xVifb9DgqJrV2dIw= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8 h1:2zHmUvaYCwV6LVeTo+OAkTm8ykOGzA9uFlAjwDPAUWM= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.8/go.mod h1:OEhheBplZinUsm7W9BupafztVZV3ldkAxEHbpAeC0Pk= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8 h1:RKk4Z+qMaLORUdT7zntwMqKiYAej1VQlCswg0S7xNSY= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8/go.mod h1:dMJdlBWKHMu2xf0wIKpbo7+QfG+RzVkBB3nHP8EMM5o= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8 h1:89Xtxj8oqZt3UlSpCP4wApFvnQ2Z/dgowW5QOVhQigI= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8/go.mod h1:Wa4xn/H3pU/yW/6tHiMXTpObBtBSGC5q29KYFEPKN6o= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8 h1:Zte3Oogkd8m+nu2oK3yHtGmN++TZWh2Lm6q2iSprT1M= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8/go.mod h1:j00crVw6ki4/WViXflw0zWgNALrAzZT+GbIK8v7Xlz4= -github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= -github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= +github.com/sigstore/fulcio v1.6.6 h1:XaMYX6TNT+8n7Npe8D94nyZ7/ERjEsNGFC+REdi/wzw= +github.com/sigstore/fulcio v1.6.6/go.mod h1:BhQ22lwaebDgIxVBEYOOqLRcN5+xOV+C9bh/GUXRhOk= +github.com/sigstore/protobuf-specs v0.4.0 h1:yoZbdh0kZYKOSiVbYyA8J3f2wLh5aUk2SQB7LgAfIdU= +github.com/sigstore/protobuf-specs v0.4.0/go.mod h1:FKW5NYhnnFQ/Vb9RKtQk91iYd0MKJ9AxyqInEwU6+OI= +github.com/sigstore/rekor v1.3.9 h1:sUjRpKVh/hhgqGMs0t+TubgYsksArZ6poLEC3MsGAzU= +github.com/sigstore/rekor v1.3.9/go.mod h1:xThNUhm6eNEmkJ/SiU/FVU7pLY2f380fSDZFsdDWlcM= +github.com/sigstore/sigstore v1.8.15 h1:9HHnZmxjPQSTPXTCZc25HDxxSTWwsGMh/ZhWZZ39maU= +github.com/sigstore/sigstore v1.8.15/go.mod h1:+Wa5mrG6A+Gss516YC9owy10q3IazqIRe0y1EoQRHHM= +github.com/sigstore/sigstore-go v0.7.0 h1:bIGPc2IbnbxnzlqQcKlh1o96bxVJ4yRElpP1gHrOH48= +github.com/sigstore/sigstore-go v0.7.0/go.mod h1:4RrCK+i+jhx7lyOG2Vgef0/kFLbKlDI1hrioUYvkxxA= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.15 h1:g/hPoaemFv/6ZJIRyb5I1lA4qU9PZwCTu/GkvFV5jEw= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.15/go.mod h1:n2yKi/b29+JB54PyONruHvvha4zugC7jzr+A16cNLvw= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.15 h1:K2GstKWXftcpmg/wHfcJFYKWuj+YRSoTgwxm3ox2FjE= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.15/go.mod h1:tOSdKYXCkplk54FSR/58UYQm1S/GlQK4Y1GgMhiq40U= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.15 h1:ThpZMfR2TecI6Ji7s/nFlcCIkwXYhZUYziJdZs3pOaw= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.15/go.mod h1:x+4wvq6tzIQRZaSdMS6/VT9nuCoepypozfzP4Tqwnqw= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.15 h1:mR+VaOSx2sUpaE8lXarinHcT8UXi+fKE4ESNBzDRAtQ= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.15/go.mod h1:6olKNL2BGrsZPLbO/7kiJzZPxU74270nDI5G3HSSykw= +github.com/sigstore/timestamp-authority v1.2.4 h1:RjXZxOWorEiem/uSr0pFHVtQpyzpcFxgugo5jVqm3mw= +github.com/sigstore/timestamp-authority v1.2.4/go.mod h1:ExrbobKdEuwuBptZIiKp1IaVBRiUeKbiuSyZTO8Okik= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA= @@ -634,21 +644,20 @@ github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9yS github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= -github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= +github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= +github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= +github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= -github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= -github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= +github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= +github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -656,21 +665,26 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs= github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48= -github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= -github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/tchap/go-patricia/v2 v2.3.2 h1:xTHFutuitO2zqKAQ5rCROYgUb7Or/+IC3fts9/Yc7nM= +github.com/tchap/go-patricia/v2 v2.3.2/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI= github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= -github.com/theupdateframework/go-tuf/v2 v2.0.1 h1:11p9tXpq10KQEujxjcIjDSivMKCMLguls7erXHZnxJQ= -github.com/theupdateframework/go-tuf/v2 v2.0.1/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= +github.com/theupdateframework/go-tuf/v2 v2.0.2 h1:PyNnjV9BJNzN1ZE6BcWK+5JbF+if370jjzO84SS+Ebo= +github.com/theupdateframework/go-tuf/v2 v2.0.2/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA= +github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI= +github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= +github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= +github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw= +github.com/tink-crypto/tink-go/v2 v2.3.0 h1:4/TA0lw0lA/iVKBL9f8R5eP7397bfc4antAMXF5JRhs= +github.com/tink-crypto/tink-go/v2 v2.3.0/go.mod h1:kfPOtXIadHlekBTeBtJrHWqoGL+Fm3JQg0wtltPuxLU= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= @@ -680,12 +694,10 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc= github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= -github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= -github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= +github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs= +github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 h1:+dBg5k7nuTE38VVdoroRsT0Z88fmvdYrI2EjzJst35I= github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1/go.mod h1:nmuySobZb4kFgFy6BptpXp/BBw+xFSyvVPP6auoJB4k= -github.com/xanzy/go-gitlab v0.109.0 h1:RcRme5w8VpLXTSTTMZdVoQWY37qTJWg+gwdQl4aAttE= -github.com/xanzy/go-gitlab v0.109.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= @@ -708,32 +720,38 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms= github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk= -github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= -github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= +github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM= +github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= +gitlab.com/gitlab-org/api/client-go v0.123.0 h1:W3LZ5QNyiSCJA0Zchkwz8nQIUzOuDoSWMZtRDT5DjPI= +gitlab.com/gitlab-org/api/client-go v0.123.0/go.mod h1:Jh0qjLILEdbO6z/OY94RD+3NDQRUKiuFSFYozN6cpKM= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0 h1:ZIg3ZT/aQ7AfKqdwp7ECpOK6vHqquXXuyTjIO8ZdmPs= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0/go.mod h1:DQAwmETtZV00skUwgD6+0U89g80NKsJE3DCKeLLPQMI= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 h1:dIIDULZJpgdiHz5tXrTgKIMLkus6jEFa7x5SOKcyR7E= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0/go.mod h1:jlRVBe7+Z1wyxFSUs48L6OBQZ5JwH2Hg/Vbl+t9rAgI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 h1:nSiV3s7wiCam610XcLbYOmMfJxB9gO4uK3Xgv5gmTgg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0/go.mod h1:hKn/e/Nmd19/x1gvIHwtOwVWM+VhuITSWip3JUDghj0= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= -go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= -go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= -go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= -go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.step.sm/crypto v0.51.1 h1:ktUg/2hetEMiBAqgz502ktZDGoDoGrcHFg3XpkmkvvA= -go.step.sm/crypto v0.51.1/go.mod h1:PdrhttNU/tG9/YsVd4fdlysBN+UV503p0o2irFZQlAw= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 h1:PS8wXpbyaDJQ2VDHHncMe9Vct0Zn1fEjpsjrLxGJoSc= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= +go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= +go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= +go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= +go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= +go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= +go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= +go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= +go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= +go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= +go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= +go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= +go.step.sm/crypto v0.57.0 h1:YjoRQDaJYAxHLVwjst0Bl0xcnoKzVwuHCJtEo2VSHYU= +go.step.sm/crypto v0.57.0/go.mod h1:+Lwp5gOVPaTa3H/Ul/TzGbxQPXZZcKIUGMS0lG6n9Go= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -755,11 +773,11 @@ golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= -golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= +golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= +golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk= -golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= @@ -793,11 +811,11 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= -golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= +golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= +golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= -golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE= +golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -807,8 +825,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= -golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= +golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -842,8 +860,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= -golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= +golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= @@ -853,8 +871,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= -golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= +golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= +golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -867,10 +885,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= -golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= -golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg= -golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4= +golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -884,31 +902,31 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o= -golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q= +golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE= +golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= -google.golang.org/api v0.214.0 h1:h2Gkq07OYi6kusGOaT/9rnNljuXmqPnaig7WGPmKbwA= -google.golang.org/api v0.214.0/go.mod h1:bYPpLG8AyeMWwDU6NXoB00xC0DFkikVvd5MfwoxjLqE= +google.golang.org/api v0.221.0 h1:qzaJfLhDsbMeFee8zBRdt/Nc+xmOuafD/dbdgGfutOU= +google.golang.org/api v0.221.0/go.mod h1:7sOU2+TL4TxUTdbi0gWgAIg7tH5qBXxoyhtL+9x3biQ= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= -google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f h1:M65LEviCfuZTfrfzwwEoxVtgvfkFkBUbFnRbxCXuXhU= -google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f/go.mod h1:Yo94eF2nj7igQt+TiJ49KxjIH8ndLYPZMIRSiRcEbg0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= +google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f h1:gap6+3Gk41EItBuyi4XX/bp4oqJ3UwuIMl25yGinuAA= +google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:Ic02D47M+zbarjYYUlK57y316f2MoN0gjAwI3f2S95o= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 h1:2duwAxN2+k0xLNpjnHTXoMUgnv6VPSp5fiqTuwSxjmI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= -google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= +google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ= +google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= @@ -917,8 +935,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= -google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= +google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= @@ -940,8 +958,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= -gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= +gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q= +gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM= @@ -950,16 +968,16 @@ k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A= k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8= k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4= k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw= -sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0= +sigs.k8s.io/release-utils v0.11.0 h1:FUVSw2dO67M7mfcQx9AITEGnTHoBOdJNbbQ3FT3o8mA= +sigs.k8s.io/release-utils v0.11.0/go.mod h1:wAlXz8xruzvqZUsorI64dZ3lbkiDnYSlI4IYC6l2yEA= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/internal/pkg/cosign/tsa/client/client.go b/internal/pkg/cosign/tsa/client/client.go index b50531834ef..52aa11b9984 100644 --- a/internal/pkg/cosign/tsa/client/client.go +++ b/internal/pkg/cosign/tsa/client/client.go @@ -26,7 +26,6 @@ import ( "time" "github.com/digitorus/timestamp" - "github.com/pkg/errors" ) // TimestampAuthorityClient should be implemented by clients that want to request timestamp responses @@ -133,13 +132,13 @@ func (t *TimestampAuthorityClientImpl) GetTimestampResponse(tsq []byte) ([]byte, req, err := http.NewRequest("POST", t.URL, bytes.NewReader(tsq)) if err != nil { - return nil, errors.Wrap(err, "error creating HTTP request") + return nil, fmt.Errorf("error creating HTTP request: %w", err) } req.Header.Set("Content-Type", "application/timestamp-query") tsr, err := client.Do(req) if err != nil { - return nil, errors.Wrap(err, "error making request to timestamp authority") + return nil, fmt.Errorf("error making request to timestamp authority: %w", err) } if tsr.StatusCode != 200 && tsr.StatusCode != 201 { return nil, fmt.Errorf("request to timestamp authority failed with status code %d", tsr.StatusCode) @@ -147,7 +146,7 @@ func (t *TimestampAuthorityClientImpl) GetTimestampResponse(tsq []byte) ([]byte, resp, err := io.ReadAll(tsr.Body) if err != nil { - return nil, errors.Wrap(err, "error reading timestamp response") + return nil, fmt.Errorf("error reading timestamp response: %w", err) } // validate that the timestamp response is parseable diff --git a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go index 3ef51182754..f85b5f0a8b6 100644 --- a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go +++ b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go @@ -20,10 +20,9 @@ import ( "crypto/rand" "crypto/x509" "encoding/asn1" + "fmt" "time" - "github.com/pkg/errors" - "github.com/digitorus/timestamp" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" "github.com/sigstore/sigstore/pkg/cryptoutils" @@ -65,7 +64,7 @@ func NewTSAClient(o TSAClientOptions) (*TSAClient, error) { } certChain, err := signer.NewTimestampingCertWithChain(sv) if err != nil { - return nil, errors.Wrap(err, "generating timestamping cert chain") + return nil, fmt.Errorf("generating timestamping cert chain: %w", err) } return &TSAClient{ diff --git a/internal/pkg/cosign/tsa/signer.go b/internal/pkg/cosign/tsa/signer.go index 99c05402156..9fb0b66b407 100644 --- a/internal/pkg/cosign/tsa/signer.go +++ b/internal/pkg/cosign/tsa/signer.go @@ -18,12 +18,12 @@ import ( "bytes" "context" "crypto" + "fmt" "io" "strconv" "strings" "github.com/digitorus/timestamp" - "github.com/pkg/errors" "github.com/sigstore/cosign/v2/internal/pkg/cosign" "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" @@ -38,7 +38,7 @@ import ( func GetTimestampedSignature(sigBytes []byte, tsaClient client.TimestampAuthorityClient) ([]byte, error) { requestBytes, err := createTimestampAuthorityRequest(sigBytes, crypto.SHA256, "") if err != nil { - return nil, errors.Wrap(err, "error creating timestamp request") + return nil, fmt.Errorf("error creating timestamp request: %w", err) } return tsaClient.GetTimestampResponse(requestBytes) diff --git a/pkg/blob/load.go b/pkg/blob/load.go index 543af56fac1..8ee624e93a8 100644 --- a/pkg/blob/load.go +++ b/pkg/blob/load.go @@ -15,6 +15,9 @@ package blob import ( + "crypto/sha256" + "crypto/sha512" + "encoding/hex" "fmt" "io" "net/http" @@ -72,3 +75,35 @@ func LoadFileOrURL(fileRef string) ([]byte, error) { } return raw, nil } + +func LoadFileOrURLWithChecksum(fileRef string, checksum string) ([]byte, error) { + checksumParts := strings.Split(checksum, ":") + if len(checksumParts) >= 3 { + return nil, fmt.Errorf("wrong checksum input format, must have at most 1 colon: %s", checksum) + } + + checksumAlgo := sha256.New() + checksumValue := checksumParts[len(checksumParts)-1] + if len(checksumParts) == 2 { + switch checksumParts[0] { + case "sha256": // the default set above + case "sha512": + checksumAlgo = sha512.New() + default: + return nil, fmt.Errorf("unsupported checksum algorithm: %s", checksumParts[0]) + } + } + + fileContent, err := LoadFileOrURL(fileRef) + if err != nil { + return nil, err + } + + checksumAlgo.Write(fileContent) + computedChecksum := hex.EncodeToString(checksumAlgo.Sum(nil)) + if computedChecksum != checksumValue { + return nil, fmt.Errorf("incorrect checksum for file %s: expected %s but got %s", fileRef, checksumValue, computedChecksum) + } + + return fileContent, nil +} diff --git a/pkg/blob/load_test.go b/pkg/blob/load_test.go index 2e09ff5d061..58b6948b883 100644 --- a/pkg/blob/load_test.go +++ b/pkg/blob/load_test.go @@ -22,6 +22,7 @@ import ( "os" "path" "runtime" + "strings" "testing" ) @@ -97,3 +98,52 @@ func TestLoadURL(t *testing.T) { t.Error("LoadFileOrURL(): expected error for invalid scheme") } } + +func TestLoadURLWithChecksum(t *testing.T) { + data := []byte("test") + + server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { + rw.Write(data) + })) + defer server.Close() + + // default behavior with sha256 + actual, err := LoadFileOrURLWithChecksum( + server.URL, + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + ) + if err != nil { + t.Errorf("Reading from HTTP failed: %v", err) + } else if !bytes.Equal(actual, data) { + t.Errorf("LoadFileOrURL(HTTP) = '%s'; want '%s'", actual, data) + } + + // override checksum algo to sha512 + actual, err = LoadFileOrURLWithChecksum( + server.URL, + "sha512:ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff", + ) + if err != nil { + t.Errorf("Reading from HTTP failed: %v", err) + } else if !bytes.Equal(actual, data) { + t.Errorf("LoadFileOrURL(HTTP) = '%s'; want '%s'", actual, data) + } + + // ensure it fails with the wrong checksum + _, err = LoadFileOrURLWithChecksum( + server.URL, + "certainly not a correct checksum value", + ) + if err == nil || !strings.Contains(err.Error(), "incorrect checksum") { + t.Errorf("Expected an 'incorrect checksum' error, got: %v", err) + } + + // ensure it fails with incorrect algorithm + _, err = LoadFileOrURLWithChecksum( + server.URL, + "sha321123:foobar", + ) + if err == nil || !strings.Contains(err.Error(), "unsupported checksum") { + t.Errorf("Expected an 'unsupported checksum' error, got: %v", err) + } +} diff --git a/pkg/cosign/attestation/attestation.go b/pkg/cosign/attestation/attestation.go index f5a8e9ebe3f..e675088d58e 100644 --- a/pkg/cosign/attestation/attestation.go +++ b/pkg/cosign/attestation/attestation.go @@ -23,10 +23,9 @@ import ( "strings" "time" + "github.com/in-toto/in-toto-golang/in_toto" slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2" slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" - - "github.com/in-toto/in-toto-golang/in_toto" ) const ( diff --git a/pkg/cosign/cue/cue_test.go b/pkg/cosign/cue/cue_test.go index 1c3b8d2eb19..9748fad3437 100644 --- a/pkg/cosign/cue/cue_test.go +++ b/pkg/cosign/cue/cue_test.go @@ -18,7 +18,6 @@ package cue import ( "fmt" "os" - "testing" ) @@ -158,7 +157,7 @@ func TestValidationJSON(t *testing.T) { } `, pass: false, - errorMsg: "authorityMatches.keysignature.signatures: invalid value [{subject:\"PLACEHOLDER\",issuer:\"PLACEHOLDER\"}] (does not satisfy list.MinItems(2)): len(list) < MinItems(2) (1 < 2) (and 2 more errors)", + errorMsg: "authorityMatches.keysignature.signatures: invalid value [{subject:\"PLACEHOLDER\",issuer:\"PLACEHOLDER\"}] (does not satisfy list.MinItems(2))", }, } diff --git a/pkg/cosign/errors_test.go b/pkg/cosign/errors_test.go index c7a6d3cd988..3506a6320f0 100644 --- a/pkg/cosign/errors_test.go +++ b/pkg/cosign/errors_test.go @@ -15,16 +15,15 @@ package cosign import ( + "errors" "fmt" "testing" - - "github.com/pkg/errors" ) func TestErrors(t *testing.T) { for _, want := range []error{ - &VerificationFailure{errors.Errorf("not a constant %d", 3)}, - &VerificationFailure{errors.Errorf("not a string %s", "i am a string")}, + &VerificationFailure{fmt.Errorf("not a constant %d", 3)}, + &VerificationFailure{fmt.Errorf("not a string %s", "i am a string")}, } { t.Run(want.Error(), func(t *testing.T) { verr := &VerificationFailure{} diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go index ff81be227bd..709333ac77f 100644 --- a/pkg/cosign/fetch.go +++ b/pkg/cosign/fetch.go @@ -74,8 +74,15 @@ func FetchSignaturesForReference(_ context.Context, ref name.Reference, opts ... if err != nil { return nil, err } + sigs, err := FetchSignatures(simg) + if err != nil { + return nil, fmt.Errorf("%s: %w", ref, err) + } + return sigs, nil +} - sigs, err := simg.Signatures() +func FetchSignatures(se oci.SignedEntity) ([]SignedPayload, error) { + sigs, err := se.Signatures() if err != nil { return nil, fmt.Errorf("remote image: %w", err) } @@ -84,7 +91,7 @@ func FetchSignaturesForReference(_ context.Context, ref name.Reference, opts ... return nil, fmt.Errorf("fetching signatures: %w", err) } if len(l) == 0 { - return nil, fmt.Errorf("no signatures associated with %s", ref) + return nil, errors.New("no signatures associated") } if len(l) > maxAllowedSigsOrAtts { return nil, fmt.Errorf("maximum number of signatures on an image is %d, found %d", maxAllowedSigsOrAtts, len(l)) diff --git a/pkg/cosign/git/gitlab/gitlab.go b/pkg/cosign/git/gitlab/gitlab.go index 6703635a09f..b1246913218 100644 --- a/pkg/cosign/git/gitlab/gitlab.go +++ b/pkg/cosign/git/gitlab/gitlab.go @@ -24,7 +24,7 @@ import ( "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/env" - "github.com/xanzy/go-gitlab" + gitlab "gitlab.com/gitlab-org/api/client-go" ) const ( diff --git a/pkg/cosign/kubernetes/client.go b/pkg/cosign/kubernetes/client.go index c89a4e0b45e..5c0f59b958d 100644 --- a/pkg/cosign/kubernetes/client.go +++ b/pkg/cosign/kubernetes/client.go @@ -17,9 +17,9 @@ package kubernetes import ( "fmt" + utilversion "k8s.io/apimachinery/pkg/util/version" "k8s.io/client-go/kubernetes" - utilversion "k8s.io/apimachinery/pkg/util/version" // Initialize all known client auth plugins _ "k8s.io/client-go/plugin/pkg/client/auth" "k8s.io/client-go/rest" diff --git a/pkg/cosign/kubernetes/secret.go b/pkg/cosign/kubernetes/secret.go index b05c235e41c..11289888192 100644 --- a/pkg/cosign/kubernetes/secret.go +++ b/pkg/cosign/kubernetes/secret.go @@ -21,12 +21,11 @@ import ( "os" "strings" + "github.com/sigstore/cosign/v2/pkg/cosign" v1 "k8s.io/api/core/v1" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" - - "github.com/sigstore/cosign/v2/pkg/cosign" ) const ( diff --git a/pkg/cosign/kubernetes/secret_test.go b/pkg/cosign/kubernetes/secret_test.go index 74e7cff2e7a..d626d9eada6 100644 --- a/pkg/cosign/kubernetes/secret_test.go +++ b/pkg/cosign/kubernetes/secret_test.go @@ -18,11 +18,10 @@ import ( "reflect" "testing" + "github.com/sigstore/cosign/v2/pkg/cosign" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" - - "github.com/sigstore/cosign/v2/pkg/cosign" ) func TestSecret(t *testing.T) { diff --git a/pkg/cosign/pivkey/pivkey.go b/pkg/cosign/pivkey/pivkey.go index d179e301a6e..4f765bbc51a 100644 --- a/pkg/cosign/pivkey/pivkey.go +++ b/pkg/cosign/pivkey/pivkey.go @@ -31,10 +31,9 @@ import ( "os" "syscall" - "github.com/go-piv/piv-go/piv" - "golang.org/x/term" - + "github.com/go-piv/piv-go/v2/piv" "github.com/sigstore/sigstore/pkg/signature" + "golang.org/x/term" ) var ( @@ -113,7 +112,7 @@ func (k *Key) GetAttestationCertificate() (*x509.Certificate, error) { return k.card.AttestationCertificate() } -func (k *Key) SetManagementKey(old, new [24]byte) error { +func (k *Key) SetManagementKey(old, new []byte) error { if k.card == nil { return KeyNotInitialized } @@ -153,7 +152,7 @@ func (k *Key) Unblock(puk, newPIN string) error { return k.card.Unblock(puk, newPIN) } -func (k *Key) GenerateKey(mgmtKey [24]byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) { +func (k *Key) GenerateKey(mgmtKey []byte, slot piv.Slot, opts piv.Key) (crypto.PublicKey, error) { if k.card == nil { return nil, KeyNotInitialized } diff --git a/pkg/cosign/pivkey/util.go b/pkg/cosign/pivkey/util.go index a323716e6b4..cb5c4b0a079 100644 --- a/pkg/cosign/pivkey/util.go +++ b/pkg/cosign/pivkey/util.go @@ -18,7 +18,7 @@ package pivkey import ( - "github.com/go-piv/piv-go/piv" + "github.com/go-piv/piv-go/v2/piv" ) func SlotForName(slotName string) *piv.Slot { diff --git a/pkg/cosign/rego/rego.go b/pkg/cosign/rego/rego.go index 3d99115fb66..ccc58ec4672 100644 --- a/pkg/cosign/rego/rego.go +++ b/pkg/cosign/rego/rego.go @@ -22,7 +22,8 @@ import ( "errors" "fmt" - "github.com/open-policy-agent/opa/rego" + "github.com/open-policy-agent/opa/v1/ast" + "github.com/open-policy-agent/opa/v1/rego" ) // The query below should meet the following requirements: @@ -48,7 +49,9 @@ func ValidateJSON(jsonBody []byte, entrypoints []string) []error { r := rego.New( rego.Query(QUERY), - rego.Load(entrypoints, nil)) + rego.Load(entrypoints, nil), + rego.SetRegoVersion(ast.RegoV0), + ) query, err := r.PrepareForEval(ctx) if err != nil { @@ -97,7 +100,9 @@ func ValidateJSONWithModuleInput(jsonBody []byte, moduleInput string) (warnings r := rego.New( rego.Query(query), - rego.Module(module, moduleInput)) + rego.Module(module, moduleInput), + rego.SetRegoVersion(ast.RegoV0), + ) evalQuery, err := r.PrepareForEval(ctx) if err != nil { @@ -130,8 +135,8 @@ func ValidateJSONWithModuleInput(jsonBody []byte, moduleInput string) (warnings return nil, fmt.Errorf("policy is not compliant for query '%s'", query) } -func evaluateRegoEvalMapResult(query string, response []interface{}) (warning error, error error) { - error = fmt.Errorf("policy is not compliant for query %q", query) //nolint: revive +func evaluateRegoEvalMapResult(query string, response []interface{}) (warning error, retErr error) { + retErr = fmt.Errorf("policy is not compliant for query %q", query) //nolint: revive for _, r := range response { rMap := r.(map[string]interface{}) mapBytes, err := json.Marshal(rMap) @@ -152,7 +157,7 @@ func evaluateRegoEvalMapResult(query string, response []interface{}) (warning er return fmt.Errorf("warning: %s", resultObject.Warning), nil } warning = errors.New(resultObject.Warning) - error = fmt.Errorf("policy is not compliant for query '%s' with errors: %s", query, resultObject.Error) //nolint: revive + retErr = fmt.Errorf("policy is not compliant for query '%s' with errors: %s", query, resultObject.Error) //nolint: revive } - return warning, error + return warning, retErr } diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go index 83d6f61f179..a9379ba9418 100644 --- a/pkg/cosign/tlog.go +++ b/pkg/cosign/tlog.go @@ -32,9 +32,6 @@ import ( "github.com/go-openapi/strfmt" "github.com/go-openapi/swag" - "github.com/transparency-dev/merkle/proof" - "github.com/transparency-dev/merkle/rfc6962" - "github.com/sigstore/cosign/v2/internal/ui" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/cosign/env" @@ -49,6 +46,8 @@ import ( intoto_v001 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/tuf" + "github.com/transparency-dev/merkle/proof" + "github.com/transparency-dev/merkle/rfc6962" ) // This is the rekor transparency log public key target name diff --git a/pkg/cosign/tsa.go b/pkg/cosign/tsa.go index 9d1c17a3339..c2032f396e8 100644 --- a/pkg/cosign/tsa.go +++ b/pkg/cosign/tsa.go @@ -74,7 +74,7 @@ func isTufTargetExist(ctx context.Context, name string) (bool, error) { // TUF root. If expired, makes a network call to retrieve the updated targets. // By default, the certificates come from TUF, but you can override this for test // purposes by using an env variable `SIGSTORE_TSA_CERTIFICATE_FILE` or a file path -// specified in `TSACertChainPath`. If using an alternate, the file should be in PEM format. +// specified in `certChainPath`. If using an alternate, the file should be in PEM format. func GetTSACerts(ctx context.Context, certChainPath string, fn GetTargetStub) (*TSACertificates, error) { altTSACert := env.Getenv(env.VariableSigstoreTSACertificateFile) diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go index 3ab5d76026a..e565052d6b5 100644 --- a/pkg/cosign/verify.go +++ b/pkg/cosign/verify.go @@ -26,6 +26,7 @@ import ( "encoding/hex" "encoding/json" "encoding/pem" + "errors" "fmt" "io/fs" "net/http" @@ -34,29 +35,24 @@ import ( "strings" "time" - "github.com/pkg/errors" - + "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/digitorus/timestamp" "github.com/go-openapi/runtime" - "github.com/nozzle/throttler" - - "github.com/sigstore/cosign/v2/internal/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/blob" - cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" - "github.com/sigstore/cosign/v2/pkg/oci/static" - "github.com/sigstore/cosign/v2/pkg/types" - - "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer" "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote/transport" - + "github.com/nozzle/throttler" ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse" + "github.com/sigstore/cosign/v2/internal/pkg/cosign" ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote" "github.com/sigstore/cosign/v2/internal/ui" + "github.com/sigstore/cosign/v2/pkg/blob" + cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/cosign/v2/pkg/oci/layout" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" + "github.com/sigstore/cosign/v2/pkg/oci/static" + "github.com/sigstore/cosign/v2/pkg/types" "github.com/sigstore/rekor/pkg/generated/client" "github.com/sigstore/rekor/pkg/generated/models" rekor_types "github.com/sigstore/rekor/pkg/types" @@ -65,6 +61,9 @@ import ( intoto_v001 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1" intoto_v002 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.2" rekord_v001 "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1" + "github.com/sigstore/sigstore-go/pkg/fulcio/certificate" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore-go/pkg/verify" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/dsse" @@ -152,6 +151,8 @@ type CheckOpts struct { TSARootCertificates []*x509.Certificate // TSAIntermediateCertificates are the set of intermediates for chain building TSAIntermediateCertificates []*x509.Certificate + // UseSignedTimestamps enables timestamp verification using a TSA + UseSignedTimestamps bool // IgnoreTlog skip tlog verification IgnoreTlog bool @@ -163,6 +164,89 @@ type CheckOpts struct { // Should the experimental OCI 1.1 behaviour be enabled or not. // Defaults to false. ExperimentalOCI11 bool + + // NewBundleFormat enables the new bundle format (Cosign Bundle Spec) and the new verifier. + NewBundleFormat bool + + // TrustedMaterial is the trusted material to use for verification. + // Currently, this is only applicable when NewBundleFormat is true. + TrustedMaterial root.TrustedMaterial +} + +type verifyTrustedMaterial struct { + root.TrustedMaterial + keyTrustedMaterial root.TrustedMaterial +} + +func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstrainedVerifier, error) { + return v.keyTrustedMaterial.PublicKeyVerifier(hint) +} + +// verificationOptions returns the verification options for verifying with sigstore-go. +func (co *CheckOpts) verificationOptions() (trustedMaterial root.TrustedMaterial, verifierOptions []verify.VerifierOption, policyOptions []verify.PolicyOption, err error) { + policyOptions = make([]verify.PolicyOption, 0) + + if len(co.Identities) > 0 { + var sanMatcher verify.SubjectAlternativeNameMatcher + var issuerMatcher verify.IssuerMatcher + if len(co.Identities) > 1 { + return nil, nil, nil, fmt.Errorf("unsupported: multiple identities are not supported at this time") + } + sanMatcher, err = verify.NewSANMatcher(co.Identities[0].Subject, co.Identities[0].SubjectRegExp) + if err != nil { + return nil, nil, nil, err + } + + issuerMatcher, err = verify.NewIssuerMatcher(co.Identities[0].Issuer, co.Identities[0].IssuerRegExp) + if err != nil { + return nil, nil, nil, err + } + + extensions := certificate.Extensions{ + GithubWorkflowTrigger: co.CertGithubWorkflowTrigger, + GithubWorkflowSHA: co.CertGithubWorkflowSha, + GithubWorkflowName: co.CertGithubWorkflowName, + GithubWorkflowRepository: co.CertGithubWorkflowRepository, + GithubWorkflowRef: co.CertGithubWorkflowRef, + } + + certificateIdentities, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions) + if err != nil { + return nil, nil, nil, err + } + policyOptions = []verify.PolicyOption{verify.WithCertificateIdentity(certificateIdentities)} + } + + // Wrap TrustedMaterial + vTrustedMaterial := &verifyTrustedMaterial{TrustedMaterial: co.TrustedMaterial} + + verifierOptions = make([]verify.VerifierOption, 0) + + if co.SigVerifier != nil { + // We are verifying with a public key + policyOptions = append(policyOptions, verify.WithKey()) + newExpiringKey := root.NewExpiringKey(co.SigVerifier, time.Time{}, time.Time{}) + vTrustedMaterial.keyTrustedMaterial = root.NewTrustedPublicKeyMaterial(func(_ string) (root.TimeConstrainedVerifier, error) { + return newExpiringKey, nil + }) + } else { //nolint:gocritic + // We are verifying with a certificate + if !co.IgnoreSCT { + verifierOptions = append(verifierOptions, verify.WithSignedCertificateTimestamps(1)) + } + } + + if !co.IgnoreTlog { + verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1)) + } + if co.UseSignedTimestamps { + verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1)) + } + if co.IgnoreTlog && !co.UseSignedTimestamps { + verifierOptions = append(verifierOptions, verify.WithCurrentTime()) + } + + return vTrustedMaterial, verifierOptions, policyOptions, nil } // This is a substitutable signature verification function that can be used for verifying @@ -660,18 +744,21 @@ func verifySignatures(ctx context.Context, sigs oci.Signatures, h v1.Hash, co *C // a. Verifies the Rekor entry in the bundle, if provided. This works offline OR // b. If we don't have a Rekor entry retrieved via cert, do an online lookup (assuming // we are in experimental mode). -// 3. If a certificate is provided, check it's expiration using the transparency log timestamp. +// 3. If a certificate is provided, check its expiration using the transparency log timestamp. func verifyInternal(ctx context.Context, sig oci.Signature, h v1.Hash, verifyFn signatureVerificationFn, co *CheckOpts) ( bundleVerified bool, err error) { var acceptableRFC3161Time, acceptableRekorBundleTime *time.Time // Timestamps for the signature we accept, or nil if not applicable. - acceptableRFC3161Timestamp, err := VerifyRFC3161Timestamp(sig, co) - if err != nil { - return false, fmt.Errorf("unable to verify RFC3161 timestamp bundle: %w", err) - } - if acceptableRFC3161Timestamp != nil { - acceptableRFC3161Time = &acceptableRFC3161Timestamp.Time + var acceptableRFC3161Timestamp *timestamp.Timestamp + if co.UseSignedTimestamps { + acceptableRFC3161Timestamp, err = VerifyRFC3161Timestamp(sig, co) + if err != nil { + return false, fmt.Errorf("unable to verify RFC3161 timestamp bundle: %w", err) + } + if acceptableRFC3161Timestamp != nil { + acceptableRFC3161Time = &acceptableRFC3161Timestamp.Time + } } if !co.IgnoreTlog { diff --git a/pkg/cosign/verify_bundle.go b/pkg/cosign/verify_bundle.go new file mode 100644 index 00000000000..85a9a660283 --- /dev/null +++ b/pkg/cosign/verify_bundle.go @@ -0,0 +1,35 @@ +// +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cosign + +import ( + "context" + + "github.com/sigstore/sigstore-go/pkg/verify" +) + +// VerifyNewBundle verifies a SigstoreBundle with the given parameters +func VerifyNewBundle(_ context.Context, co *CheckOpts, artifactPolicyOption verify.ArtifactPolicyOption, bundle verify.SignedEntity) (*verify.VerificationResult, error) { + trustedMaterial, verifierOptions, policyOptions, err := co.verificationOptions() + if err != nil { + return nil, err + } + verifier, err := verify.NewSignedEntityVerifier(trustedMaterial, verifierOptions...) + if err != nil { + return nil, err + } + return verifier.Verify(bundle, verify.NewPolicy(artifactPolicyOption, policyOptions...)) +} diff --git a/pkg/cosign/verify_bundle_test.go b/pkg/cosign/verify_bundle_test.go new file mode 100644 index 00000000000..a1c705c0362 --- /dev/null +++ b/pkg/cosign/verify_bundle_test.go @@ -0,0 +1,386 @@ +// +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cosign_test + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/sha256" + "encoding/hex" + "fmt" + "testing" + + "github.com/sigstore/cosign/v2/pkg/cosign" + protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" + protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + sgbundle "github.com/sigstore/sigstore-go/pkg/bundle" + "github.com/sigstore/sigstore-go/pkg/testing/ca" + "github.com/sigstore/sigstore-go/pkg/tlog" + "github.com/sigstore/sigstore-go/pkg/verify" + "github.com/sigstore/sigstore/pkg/signature" + "github.com/stretchr/testify/assert" +) + +type bundleMutator struct { + verify.SignedEntity + + eraseTSA bool + eraseTlog bool +} + +func (b *bundleMutator) Timestamps() ([][]byte, error) { + if b.eraseTSA { + return [][]byte{}, nil + } + return b.SignedEntity.Timestamps() +} + +func (b *bundleMutator) TlogEntries() ([]*tlog.Entry, error) { + if b.eraseTlog { + return []*tlog.Entry{}, nil + } + return b.SignedEntity.TlogEntries() +} + +func TestVerifyBundle(t *testing.T) { + virtualSigstore, err := ca.NewVirtualSigstore() + assert.NoError(t, err) + virtualSigstore2, err := ca.NewVirtualSigstore() // for testing invalid trusted material + assert.NoError(t, err) + + artifact := []byte("artifact") + digest := sha256.Sum256(artifact) + digestHex := hex.EncodeToString(digest[:]) + statementFmt := `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://example.com/predicateType","subject":[{"name":"subject","digest":{"sha256":"%s"}}],"predicate":{}}` + statementCorrect := []byte(fmt.Sprintf(statementFmt, digestHex)) + + identity := "foo@example.com" + issuer := "example issuer" + standardIdentities := []cosign.Identity{ + { + Issuer: issuer, + Subject: identity, + }, + } + + attestation, err := virtualSigstore.Attest(identity, issuer, statementCorrect) + if err != nil { + t.Fatal(err) + } + + blobSig, err := virtualSigstore.Sign(identity, issuer, artifact) + if err != nil { + t.Fatal(err) + } + + for _, tc := range []struct { + name string + checkOpts *cosign.CheckOpts + artifactPolicyOption verify.ArtifactPolicyOption + entity verify.SignedEntity + wantErr bool + }{ + { + name: "valid", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: false, + }, + { + name: "valid blob signature", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: blobSig, + wantErr: false, + }, + { + name: "invalid, wrong artifact", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader([]byte("not the artifact"))), + entity: attestation, + wantErr: true, + }, + { + name: "invalid blob signature, wrong artifact", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader([]byte("not the artifact"))), + entity: blobSig, + wantErr: true, + }, + { + name: "valid, pattern match issuer", + checkOpts: &cosign.CheckOpts{ + Identities: []cosign.Identity{ + { + IssuerRegExp: ".*issuer", + Subject: "foo@example.com", + }, + }, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: false, + }, + { + name: "valid, pattern match subject", + checkOpts: &cosign.CheckOpts{ + Identities: []cosign.Identity{ + { + Issuer: "example issuer", + SubjectRegExp: ".*@example.com", + }, + }, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: false, + }, + { + name: "invalid, pattern match issuer", + checkOpts: &cosign.CheckOpts{ + Identities: []cosign.Identity{ + { + IssuerRegExp: ".* not my issuer", + Subject: "foo@example.com", + }, + }, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: true, + }, + { + name: "invalid, pattern match subject", + checkOpts: &cosign.CheckOpts{ + Identities: []cosign.Identity{ + { + Issuer: "example issuer", + SubjectRegExp: ".*@otherexample.com", + }, + }, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: true, + }, + { + name: "invalid trusted material", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + TrustedMaterial: virtualSigstore2, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: attestation, + wantErr: true, + }, + { + name: "do not require tlog, missing tlog", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + IgnoreTlog: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: &bundleMutator{SignedEntity: attestation, eraseTlog: true}, + wantErr: false, + }, + { + name: "do not require tsa, missing tsa", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + IgnoreTlog: false, + UseSignedTimestamps: false, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: &bundleMutator{SignedEntity: attestation, eraseTSA: true}, + wantErr: false, + }, + { + name: "require tlog, missing tlog", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: &bundleMutator{SignedEntity: attestation, eraseTlog: true}, + wantErr: true, + }, + { + name: "require tsa, missing tsa", + checkOpts: &cosign.CheckOpts{ + Identities: standardIdentities, + IgnoreSCT: true, + UseSignedTimestamps: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: &bundleMutator{SignedEntity: attestation, eraseTSA: true}, + wantErr: true, + }, + } { + t.Run(tc.name, func(t *testing.T) { + _, err = cosign.VerifyNewBundle(context.Background(), tc.checkOpts, tc.artifactPolicyOption, tc.entity) + if tc.wantErr { + assert.Error(t, err) + } else { + assert.NoError(t, err) + } + }) + } +} + +func TestVerifyBundleWithSigVerifier(t *testing.T) { + virtualSigstore, err := ca.NewVirtualSigstore() + assert.NoError(t, err) + + artifact := []byte("artifact") + digest := sha256.Sum256(artifact) + + privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + assert.NoError(t, err) + + sv, err := signature.LoadECDSASignerVerifier(privKey, crypto.SHA256) + assert.NoError(t, err) + + sig, err := sv.SignMessage(bytes.NewReader(artifact)) + assert.NoError(t, err) + assert.NotNil(t, sig) + + ts, err := virtualSigstore.TimestampResponse(sig) + assert.NoError(t, err) + + b, err := sgbundle.NewBundle(&protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + VerificationMaterial: &protobundle.VerificationMaterial{ + Content: &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &protocommon.PublicKeyIdentifier{ + Hint: "", + }, + }, + TimestampVerificationData: &protobundle.TimestampVerificationData{ + Rfc3161Timestamps: []*protocommon.RFC3161SignedTimestamp{{SignedTimestamp: ts}}, + }, + }, + Content: &protobundle.Bundle_MessageSignature{ + MessageSignature: &protocommon.MessageSignature{ + MessageDigest: &protocommon.HashOutput{ + Algorithm: protocommon.HashAlgorithm_SHA2_256, + Digest: digest[:], + }, + Signature: sig, + }, + }, + }) + assert.NoError(t, err) + assert.NotNil(t, b) + + for _, tc := range []struct { + name string + checkOpts *cosign.CheckOpts + artifactPolicyOption verify.ArtifactPolicyOption + entity verify.SignedEntity + wantErr bool + }{ + { + name: "valid", + checkOpts: &cosign.CheckOpts{ + UseSignedTimestamps: true, + IgnoreTlog: true, + TrustedMaterial: virtualSigstore, + SigVerifier: sv, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader(artifact)), + entity: b, + wantErr: false, + }, + { + name: "invalid, wrong artifact", + checkOpts: &cosign.CheckOpts{ + UseSignedTimestamps: true, + IgnoreTlog: true, + TrustedMaterial: virtualSigstore, + SigVerifier: sv, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader([]byte("wrong artifact"))), + entity: b, + wantErr: true, + }, + { + name: "invalid, sigverifier not set", + checkOpts: &cosign.CheckOpts{ + UseSignedTimestamps: true, + IgnoreTlog: true, + TrustedMaterial: virtualSigstore, + }, + artifactPolicyOption: verify.WithArtifact(bytes.NewReader([]byte("wrong artifact"))), + entity: b, + wantErr: true, + }, + } { + t.Run(tc.name, func(t *testing.T) { + _, err = cosign.VerifyNewBundle(context.Background(), tc.checkOpts, tc.artifactPolicyOption, tc.entity) + if tc.wantErr { + assert.Error(t, err) + } else { + assert.NoError(t, err) + } + }) + } +} diff --git a/pkg/oci/remote/options.go b/pkg/oci/remote/options.go index 0a7f23842b1..6eeaadd0105 100644 --- a/pkg/oci/remote/options.go +++ b/pkg/oci/remote/options.go @@ -113,6 +113,14 @@ func WithRemoteOptions(opts ...remote.Option) Option { } } +// WithMoreRemoteOptions is a functional option for adding to the default +// remote options already specified +func WithMoreRemoteOptions(opts ...remote.Option) Option { + return func(o *options) { + o.ROpt = append(o.ROpt, opts...) + } +} + // WithTargetRepository is a functional option for overriding the default // target repository hosting the signature and attestation tags. func WithTargetRepository(repo name.Repository) Option { diff --git a/pkg/oci/remote/options_test.go b/pkg/oci/remote/options_test.go index cea1b026dc9..e70070584dc 100644 --- a/pkg/oci/remote/options_test.go +++ b/pkg/oci/remote/options_test.go @@ -16,6 +16,7 @@ package remote import ( + "context" "errors" "os" "reflect" @@ -42,6 +43,10 @@ func TestOptions(t *testing.T) { // TODO(mattmoor): Incorporate user agent. } + moreROpt := []remote.Option{ + remote.WithContext(context.Background()), + } + tests := []struct { name string opts []Option @@ -105,6 +110,16 @@ func TestOptions(t *testing.T) { TargetRepository: repo, ROpt: otherROpt, }, + }, { + name: "more remote options option", + opts: []Option{WithRemoteOptions(otherROpt...), WithMoreRemoteOptions(moreROpt...)}, + want: &options{ + SignatureSuffix: SignatureTagSuffix, + AttestationSuffix: AttestationTagSuffix, + SBOMSuffix: SBOMTagSuffix, + TargetRepository: repo, + ROpt: append(append([]remote.Option{}, otherROpt...), moreROpt...), + }, }} for _, test := range tests { @@ -112,7 +127,7 @@ func TestOptions(t *testing.T) { got := makeOptions(repo, test.opts...) test.want.OriginalOptions = test.opts - if !reflect.DeepEqual(got, test.want) { + if !optionsEqual(got, test.want) { t.Errorf("makeOptions() = %#v, wanted %#v", got, test.want) } }) @@ -170,3 +185,54 @@ func TestGetEnvTargetRepository(t *testing.T) { }) } } + +// this is required due to the fact that reflect.DeepEquals reports +// two different slices of function points, with identical length and +// contents at each position as being different +func optionsEqual(o1, o2 *options) bool { + if (o1 == nil) != (o2 == nil) { + return false + } + if o1 == nil { + return true + } + + if o1.AttestationSuffix != o2.AttestationSuffix { + return false + } + if o1.SignatureSuffix != o2.SignatureSuffix { + return false + } + if o1.SBOMSuffix != o2.SBOMSuffix { + return false + } + if o1.TagPrefix != o2.TagPrefix { + return false + } + if !slicesEqual(o1.ROpt, o2.ROpt) { + return false + } + if !slicesEqual(o1.NameOpts, o2.NameOpts) { + return false + } + if !slicesEqual(o1.OriginalOptions, o2.OriginalOptions) { + return false + } + return true +} + +func slicesEqual[T any](o1, o2 []T) bool { + if len(o1) != len(o2) { + return false + } + + for i := range o1 { + v1 := reflect.ValueOf(o1[i]) + v2 := reflect.ValueOf(o2[i]) + if v1 != v2 { + return false + } + } + + return true +} diff --git a/pkg/policy/attestation.go b/pkg/policy/attestation.go index 1fa82bf8a6f..63377d44221 100644 --- a/pkg/policy/attestation.go +++ b/pkg/policy/attestation.go @@ -23,10 +23,9 @@ import ( "fmt" "github.com/in-toto/in-toto-golang/in_toto" - "github.com/sigstore/cosign/v2/pkg/oci" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/pkg/cosign/attestation" + "github.com/sigstore/cosign/v2/pkg/oci" ) // PayloadProvider is a subset of oci.Signature that only provides the diff --git a/pkg/policy/fuzz_test.go b/pkg/policy/fuzz_test.go index d50fdc2c444..611906100bb 100644 --- a/pkg/policy/fuzz_test.go +++ b/pkg/policy/fuzz_test.go @@ -15,16 +15,42 @@ package policy +/* disabling since this effectively just fuzzes rego & cue vs something in cosign import ( "context" + "runtime" "testing" ) var policyTypes = []string{"cue", "rego"} +func catchPanics() { + if r := recover(); r != nil { + var errStr string + switch err := r.(type) { + case string: + errStr = err + case runtime.Error: + errStr = err.Error() + case error: + errStr = err.Error() + } + switch { + case errStr == "freeNode: nodeContext out of sync": + return + case errStr == "unreachable": + return + default: + panic(errStr) + } + } +} + func FuzzEvaluatePolicyAgainstJSON(f *testing.F) { f.Fuzz(func(_ *testing.T, name, policyBody string, jsonBytes []byte, policyType uint8) { + defer catchPanics() choosePolicyType := policyTypes[int(policyType)%len(policyTypes)] EvaluatePolicyAgainstJSON(context.Background(), name, choosePolicyType, policyBody, jsonBytes) }) } +*/ diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 6570cde0809..eff8c8cce3b 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -32,20 +32,20 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'ghcr.io/sigstore/cosign/cosign:v2.4.0-dev@sha256:a97b592b9f73390edcd6ceb5799a62513a906cbdffcdc63f53585910c71b0708' + - name: 'ghcr.io/sigstore/cosign/cosign:v2.4.2-dev@sha256:b69af124cb744c22eba955ebaf9514b42b1556811211e1cd744331350ccd815a' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.22.7-0@sha256:cb23bfe5773191f1ccc9d60fb73392d5ffc87257e2e019ffe81edb8b352a5284' + - 'ghcr.io/gythialy/golang-cross:v1.23.6-0@sha256:6e8da612570af388b204b833c0925c669d00f7654cf964e5bc3e808013234c05' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.22.7-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.23.6-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.22.7-0@sha256:cb23bfe5773191f1ccc9d60fb73392d5ffc87257e2e019ffe81edb8b352a5284 + - name: ghcr.io/gythialy/golang-cross:v1.23.6-0@sha256:6e8da612570af388b204b833c0925c669d00f7654cf964e5bc3e808013234c05 entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: @@ -68,7 +68,7 @@ steps: gcloud auth configure-docker \ && make release - - name: ghcr.io/gythialy/golang-cross:v1.22.7-0@sha256:cb23bfe5773191f1ccc9d60fb73392d5ffc87257e2e019ffe81edb8b352a5284 + - name: ghcr.io/gythialy/golang-cross:v1.23.6-0@sha256:6e8da612570af388b204b833c0925c669d00f7654cf964e5bc3e808013234c05 entrypoint: 'bash' dir: "go/src/sigstore/cosign" env: diff --git a/specs/SIGNATURE_SPEC.md b/specs/SIGNATURE_SPEC.md index 20cf5460555..ba83b142f00 100644 --- a/specs/SIGNATURE_SPEC.md +++ b/specs/SIGNATURE_SPEC.md @@ -127,13 +127,15 @@ Gyp4apdU7AXEwysEQIb034aPrTlpmxh90SnTZFs2DHOvCjCPPAmoWfuQUwPhSPRb - The `logIndex` is the index of the log entry in the transparency log - The `logID` is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log -For instructions on using the `bundle` for verification, see [USAGE.md](../USAGE.md#verify-a-signature-was-added-to-the-transparency-log). - * `rfc3161timestamp` string This OPTIONAL property contains a JSON formatted `RFC3161Timestamp` containing the timestamp response from a timestamp authority. +### Verification + +See the [client specification on verification](https://github.com/sigstore/architecture-docs/blob/main/client-spec.md#4-verification). + ## Storage `cosign` image signatures are stored in an OCI registry and are designed to make use of the existing specifications. diff --git a/test/e2e_test.go b/test/e2e_test.go index 598d7faa5c0..48a6d80ae58 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -21,6 +21,7 @@ import ( "bytes" "context" "crypto" + "crypto/ed25519" "crypto/rand" "crypto/sha256" "crypto/x509" @@ -35,12 +36,14 @@ import ( "os" "path" "path/filepath" + "strings" "testing" "time" "github.com/google/go-cmp/cmp" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" + "github.com/theupdateframework/go-tuf/v2/metadata" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" k8s "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" @@ -54,6 +57,7 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/dockerfile" "github.com/sigstore/cosign/v2/cmd/cosign/cli/download" "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate" + "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize" "github.com/sigstore/cosign/v2/cmd/cosign/cli/manifest" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey" @@ -69,6 +73,8 @@ import ( "github.com/sigstore/cosign/v2/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/payload" tsaclient "github.com/sigstore/timestamp-authority/pkg/client" "github.com/sigstore/timestamp-authority/pkg/server" @@ -276,6 +282,473 @@ func TestImportSignVerifyClean(t *testing.T) { mustErr(verify(pubKeyPath, imgName, true, nil, "", false), t) } +type targetInfo struct { + name string + source string + usage string +} + +func downloadTargets(td string, targets []targetInfo, targetsMeta *metadata.Metadata[metadata.TargetsType]) error { + targetsDir := filepath.Join(td, "targets") + err := os.RemoveAll(targetsDir) + if err != nil { + return err + } + err = os.Mkdir(targetsDir, 0700) + if err != nil { + return err + } + targetsMeta.Signed.Targets = make(map[string]*metadata.TargetFiles) + for _, target := range targets { + targetLocalPath := filepath.Join(targetsDir, target.name) + if strings.HasPrefix(target.source, "http") { + fp, err := os.Create(targetLocalPath) + if err != nil { + return err + } + defer fp.Close() + err = downloadFile(target.source, fp) + if err != nil { + return err + } + } + if strings.HasPrefix(target.source, "/") { + err = copyFile(target.source, targetLocalPath) + if err != nil { + return err + } + } + targetFileInfo, err := metadata.TargetFile().FromFile(targetLocalPath, "sha256") + if err != nil { + return err + } + if target.usage != "" { + customMsg := fmt.Sprintf(`{"sigstore":{"usage": "%s"}}`, target.usage) + custom := json.RawMessage([]byte(customMsg)) + targetFileInfo.Custom = &custom + } + targetsMeta.Signed.Targets[target.name] = targetFileInfo + } + return nil +} + +type tuf struct { + publicKey *metadata.Key + signer signature.Signer + root *metadata.Metadata[metadata.RootType] + snapshot *metadata.Metadata[metadata.SnapshotType] + timestamp *metadata.Metadata[metadata.TimestampType] + targets *metadata.Metadata[metadata.TargetsType] +} + +func newKey() (*metadata.Key, signature.Signer, error) { + pub, private, err := ed25519.GenerateKey(nil) + if err != nil { + return nil, nil, err + } + public, err := metadata.KeyFromPublicKey(pub) + if err != nil { + return nil, nil, err + } + signer, err := signature.LoadSigner(private, crypto.Hash(0)) + if err != nil { + return nil, nil, err + } + return public, signer, nil +} + +func newTUF(td string, targetList []targetInfo) (*tuf, error) { + // source: https://github.com/theupdateframework/go-tuf/blob/v2.0.2/examples/repository/basic_repository.go + expiration := time.Now().AddDate(0, 0, 1).UTC() + targets := metadata.Targets(expiration) + err := downloadTargets(td, targetList, targets) + if err != nil { + return nil, err + } + snapshot := metadata.Snapshot(expiration) + timestamp := metadata.Timestamp(expiration) + root := metadata.Root(expiration) + root.Signed.ConsistentSnapshot = false + + public, signer, err := newKey() + if err != nil { + return nil, err + } + + tuf := &tuf{ + publicKey: public, + signer: signer, + root: root, + snapshot: snapshot, + timestamp: timestamp, + targets: targets, + } + for _, name := range []string{"targets", "snapshot", "timestamp", "root"} { + err := tuf.root.Signed.AddKey(tuf.publicKey, name) + if err != nil { + return nil, err + } + switch name { + case "targets": + _, err = tuf.targets.Sign(tuf.signer) + case "snapshot": + _, err = tuf.snapshot.Sign(tuf.signer) + case "timestamp": + _, err = tuf.timestamp.Sign(tuf.signer) + case "root": + _, err = tuf.root.Sign(tuf.signer) + } + if err != nil { + return nil, err + } + } + err = tuf.targets.ToFile(filepath.Join(td, "targets.json"), false) + if err != nil { + return nil, err + } + err = tuf.snapshot.ToFile(filepath.Join(td, "snapshot.json"), false) + if err != nil { + return nil, err + } + err = tuf.timestamp.ToFile(filepath.Join(td, "timestamp.json"), false) + if err != nil { + return nil, err + } + err = tuf.root.ToFile(filepath.Join(td, fmt.Sprintf("%d.%s.json", tuf.root.Signed.Version, "root")), false) + if err != nil { + return nil, err + } + + err = tuf.root.VerifyDelegate("root", tuf.root) + if err != nil { + return nil, err + } + err = tuf.root.VerifyDelegate("targets", tuf.targets) + if err != nil { + return nil, err + } + err = tuf.root.VerifyDelegate("snapshot", tuf.snapshot) + if err != nil { + return nil, err + } + err = tuf.root.VerifyDelegate("timestamp", tuf.timestamp) + if err != nil { + return nil, err + } + + return tuf, nil +} + +func (tr *tuf) update(td string, targetList []targetInfo) error { + err := downloadTargets(td, targetList, tr.targets) + if err != nil { + return err + } + tr.targets.Signatures = make([]metadata.Signature, 0) + tr.targets.Signed.Version++ + _, err = tr.targets.Sign(tr.signer) + if err != nil { + return err + } + tr.snapshot.Signatures = make([]metadata.Signature, 0) + tr.snapshot.Signed.Meta["targets.json"].Version++ + tr.snapshot.Signed.Version++ + tr.snapshot.Sign(tr.signer) + tr.timestamp.Signatures = make([]metadata.Signature, 0) + tr.timestamp.Signed.Meta["snapshot.json"].Version++ + tr.timestamp.Signed.Version++ + tr.timestamp.Sign(tr.signer) + err = tr.targets.ToFile(filepath.Join(td, "targets.json"), false) + if err != nil { + return err + } + err = tr.snapshot.ToFile(filepath.Join(td, "snapshot.json"), false) + if err != nil { + return err + } + err = tr.timestamp.ToFile(filepath.Join(td, "timestamp.json"), false) + if err != nil { + return err + } + return nil +} + +func downloadTSACerts(downloadDirectory string, tsaServer string) (string, string, string, error) { + resp, err := http.Get(tsaServer + "/api/v1/timestamp/certchain") + if err != nil { + return "", "", "", err + } + defer resp.Body.Close() + buffer := new(bytes.Buffer) + buffer.ReadFrom(resp.Body) + b := buffer.Bytes() + certs, err := cryptoutils.UnmarshalCertificatesFromPEM(b) + if err != nil { + return "", "", "", err + } + leaves := make([]*x509.Certificate, 0) + intermediates := make([]*x509.Certificate, 0) + roots := make([]*x509.Certificate, 0) + for _, cert := range certs { + if !cert.IsCA { + leaves = append(leaves, cert) + } else { + // root certificates are self-signed + if bytes.Equal(cert.RawSubject, cert.RawIssuer) { + roots = append(roots, cert) + } else { + intermediates = append(intermediates, cert) + } + } + } + if len(leaves) != 1 { + return "", "", "", fmt.Errorf("unexpected number of certificate leaves") + } + if len(roots) != 1 { + return "", "", "", fmt.Errorf("unexpected number of certificate roots") + } + leafPath := filepath.Join(downloadDirectory, "tsa_leaf.crt.pem") + leafFP, err := os.Create(leafPath) + if err != nil { + return "", "", "", err + } + defer leafFP.Close() + err = pem.Encode(leafFP, &pem.Block{ + Type: "CERTIFICATE", + Bytes: leaves[0].Raw, + }) + if err != nil { + return "", "", "", err + } + rootPath := filepath.Join(downloadDirectory, "tsa_root.crt.pem") + rootFP, err := os.Create(rootPath) + if err != nil { + return "", "", "", err + } + defer rootFP.Close() + err = pem.Encode(rootFP, &pem.Block{ + Type: "CERTIFICATE", + Bytes: roots[0].Raw, + }) + if err != nil { + return "", "", "", err + } + intermediatePath := filepath.Join(downloadDirectory, "tsa_intermediate_0.crt.pem") + intermediateFP, err := os.Create(intermediatePath) + if err != nil { + return "", "", "", err + } + defer intermediateFP.Close() + intermediateBuffer := new(bytes.Buffer) + for _, i := range intermediates { + _, err = intermediateBuffer.Write(i.Raw) + if err != nil { + return "", "", "", err + } + } + err = pem.Encode(intermediateFP, &pem.Block{ + Type: "CERTIFICATE", + Bytes: intermediateBuffer.Bytes(), + }) + if err != nil { + return "", "", "", err + } + return leafPath, intermediatePath, rootPath, nil +} + +func TestSignVerifyWithTUFMirror(t *testing.T) { + home, err := os.UserHomeDir() // fulcio repo was downloaded to $HOME in e2e_test.sh + must(err, t) + tufLocalCache := t.TempDir() + t.Setenv("TUF_ROOT", tufLocalCache) + tufMirror := t.TempDir() + viper.Set("timestamp-signer", "memory") + viper.Set("timestamp-signer-hash", "sha256") + tsaAPIServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second) + tsaServer := httptest.NewServer(tsaAPIServer.GetHandler()) + t.Cleanup(tsaServer.Close) + tufServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.FileServer(http.Dir(tufMirror)).ServeHTTP(w, r) + })) + mirror := tufServer.URL + tsaLeaf, tsaInter, tsaRoot, err := downloadTSACerts(t.TempDir(), tsaServer.URL) + must(err, t) + tests := []struct { + name string + targets []targetInfo + wantSignErr bool + wantVerifyErr bool + }{ + { + name: "invalid CT key name with no usage", + targets: []targetInfo{ + { + name: "ct.pub", + source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), + }, + }, + wantSignErr: true, + }, + { + name: "standard key names", + targets: []targetInfo{ + { + name: "rekor.pub", + source: rekorURL + "/api/v1/log/publicKey", + }, + { + name: "fulcio.crt.pem", + source: fulcioURL + "/api/v1/rootCert", + }, + { + name: "ctfe.pub", + source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), + }, + { + name: "tsa_leaf.crt.pem", + source: tsaLeaf, + }, + { + name: "tsa_root.crt.pem", + source: tsaRoot, + }, + { + name: "tsa_intermediate_0.crt.pem", + source: tsaInter, + }, + }, + }, + { + name: "invalid verifier key names with no usage", + targets: []targetInfo{ + { + name: "tlog.pubkey", + source: rekorURL + "/api/v1/log/publicKey", + }, + { + name: "ca.cert", + source: fulcioURL + "/api/v1/rootCert", + }, + { + name: "ctfe.pub", + source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), + }, + { + name: "tsaleaf.pem", + source: tsaLeaf, + }, + { + name: "tsaca.pem", + source: tsaRoot, + }, + { + name: "tsachain.pem", + source: tsaInter, + }, + }, + wantVerifyErr: true, + }, + { + name: "nonstandard key names with valid usage", + targets: []targetInfo{ + { + name: "tlog.pubkey", + usage: "Rekor", + source: rekorURL + "/api/v1/log/publicKey", + }, + { + name: "ca.cert", + usage: "Fulcio", + source: fulcioURL + "/api/v1/rootCert", + }, + { + name: "intermediate.cert", + usage: "Fulcio", + source: fulcioURL + "/api/v1/rootCert", + }, + { + name: "cert-transparency.pem", + usage: "CTFE", + source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), + }, + { + name: "tsaleaf.pem", + source: tsaLeaf, + usage: "TSA", + }, + { + name: "tsaca.pem", + source: tsaRoot, + usage: "TSA", + }, + { + name: "tsachain.pem", + source: tsaInter, + usage: "TSA", + }, + }, + }, + } + tuf, err := newTUF(tufMirror, tests[0].targets) + must(err, t) + for i, test := range tests { + t.Run(test.name, func(t *testing.T) { + ctx := context.Background() + if i > 0 { + must(tuf.update(tufMirror, test.targets), t) + } + rootPath := filepath.Join(tufMirror, "1.root.json") + must(initialize.DoInitialize(ctx, rootPath, mirror), t) + + identityToken, err := getOIDCToken() + if err != nil { + t.Fatal(err) + } + + repo, stop := reg(t) + defer stop() + imgName := path.Join(repo, "cosign-e2e-tuf") + _, _, cleanup := mkimage(t, imgName) + defer cleanup() + + ko := options.KeyOpts{ + FulcioURL: fulcioURL, + RekorURL: rekorURL, + IDToken: identityToken, + SkipConfirmation: true, + TSAServerURL: tsaServer.URL + "/api/v1/timestamp", + } + so := options.SignOptions{ + Upload: true, + TlogUpload: true, + SkipConfirmation: true, + } + gotErr := sign.SignCmd(ro, ko, so, []string{imgName}) + if test.wantSignErr { + mustErr(gotErr, t) + return + } + must(gotErr, t) + issuer := os.Getenv("OIDC_URL") + verifyCmd := cliverify.VerifyCommand{ + CertVerifyOptions: options.CertVerifyOptions{ + CertOidcIssuer: issuer, + CertIdentity: certID, + }, + Offline: true, + CheckClaims: true, + UseSignedTimestamps: true, + } + gotErr = verifyCmd.Exec(ctx, []string{imgName}) + if test.wantVerifyErr { + mustErr(gotErr, t) + } else { + must(gotErr, t) + } + }) + } +} + func TestAttestVerify(t *testing.T) { attestVerify(t, "slsaprovenance", @@ -932,12 +1405,12 @@ func TestAttestationBlobRFC3161Timestamp(t *testing.T) { } } - tsaCA := root.CertificateAuthority{ + tsaCA := &root.SigstoreTimestampingAuthority{ Root: certs[len(certs)-1], Intermediates: certs[:len(certs)-1], } - trustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01, nil, nil, []root.CertificateAuthority{tsaCA}, nil) + trustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01, nil, nil, []root.TimestampingAuthority{tsaCA}, nil) if err != nil { t.Error(err) } diff --git a/test/fakeoidc/go.mod b/test/fakeoidc/go.mod index bd611b23cf6..81cd9a78967 100644 --- a/test/fakeoidc/go.mod +++ b/test/fakeoidc/go.mod @@ -1,11 +1,7 @@ module github.com/sigstore/cosign/test/fakeoidc -go 1.21.7 +go 1.23.4 -require gopkg.in/square/go-jose.v2 v2.6.0 +require github.com/go-jose/go-jose/v4 v4.0.4 -require ( - github.com/google/go-cmp v0.6.0 // indirect - github.com/stretchr/testify v1.8.4 // indirect - golang.org/x/crypto v0.18.0 // indirect -) +require golang.org/x/crypto v0.31.0 // indirect diff --git a/test/fakeoidc/go.sum b/test/fakeoidc/go.sum index f3ea650903c..a578b86df40 100644 --- a/test/fakeoidc/go.sum +++ b/test/fakeoidc/go.sum @@ -1,14 +1,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E= +github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= -gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= -gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/fakeoidc/main.go b/test/fakeoidc/main.go index 3220afb839c..95dc357e7f8 100644 --- a/test/fakeoidc/main.go +++ b/test/fakeoidc/main.go @@ -13,7 +13,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -// Mock OIDC server, based on https://github.com/sigstore/fulcio/blob/4a80ee645c69bac2128b03197e04b4d285c0b81e/pkg/server/grpc_server_test.go#L1626 +// Mock OIDC server, based on https://github.com/sigstore/fulcio/blob/efec18aaed12d1f91eeaaba96e90f86170c2ada4/pkg/server/grpc_server_test.go#L2235 package main import ( @@ -25,8 +25,8 @@ import ( "net/http" "time" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" ) var ( @@ -73,7 +73,7 @@ func token(w http.ResponseWriter, r *http.Request) { }).Claims(customClaims{ Email: "foo@bar.com", EmailVerified: true, - }).CompactSerialize() + }).Serialize() if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) } diff --git a/test/helpers.go b/test/helpers.go index 2db7092674f..a53f8c15025 100644 --- a/test/helpers.go +++ b/test/helpers.go @@ -519,21 +519,48 @@ func setLocalEnv(t *testing.T, dir string) error { return nil } -// downloadAndSetEnv fetches a URL and sets the given environment variable to point to the downloaded file path. -func downloadAndSetEnv(t *testing.T, url, envVar, dir string) error { +// copyFile copies a file from a source to a destination. +func copyFile(src, dst string) error { + f, err := os.Open(src) + if err != nil { + return fmt.Errorf("error opening source file: %w", err) + } + defer f.Close() + cp, err := os.Create(dst) + if err != nil { + return fmt.Errorf("error creating destination file: %w", err) + } + defer cp.Close() + _, err = io.Copy(cp, f) + if err != nil { + return fmt.Errorf("error copying file: %w", err) + } + return nil +} + +// downloadFile fetches a URL and stores it at the given file path. +func downloadFile(url string, fp *os.File) error { resp, err := http.Get(url) //nolint: gosec if err != nil { return fmt.Errorf("error downloading file: %w", err) } defer resp.Body.Close() + _, err = io.Copy(fp, resp.Body) + if err != nil { + return fmt.Errorf("error writing to file: %w", err) + } + return nil +} + +// downloadAndSetEnv fetches a URL and sets the given environment variable to point to the downloaded file path. +func downloadAndSetEnv(t *testing.T, url, envVar, dir string) error { f, err := os.CreateTemp(dir, "") if err != nil { return fmt.Errorf("error creating temp file: %w", err) } - defer f.Close() - _, err = io.Copy(f, resp.Body) + err = downloadFile(url, f) if err != nil { - return fmt.Errorf("error writing to file: %w", err) + return fmt.Errorf("error downloading file: %w", err) } t.Setenv(envVar, f.Name()) return nil