Upgrade to TUF v2 client with trusted root

Use sigstore-go's TUF client to fetch the trusted_root.json from the TUF mirror, if available. Where possible, use sigstore-go's verifiers which natively accept the trusted root as its trusted material. Where there is no trusted root available in TUF or sigstore-go doesn't support a use case, fall back to the sigstore/sigstore TUF v1 client and the existing verifiers in cosign. Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
sigstore · Jan 10, 2025 · 64afe2a · 64afe2a
1 parent 87c08b0
commit 64afe2a
Show file tree

Hide file tree

Showing 24 changed files with 1,190 additions and 101 deletions.
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
@@ -124,11 +124,16 @@ func main() {
 	args = append(args, os.Args[len(os.Args)-1])
 
 	dir := filepath.Dir(os.Args[0])
+	initCmd := exec.Command(filepath.Join(dir, "cosign"), "initialize") // #nosec G204
+	err := initCmd.Run()
+	if err != nil {
+		log.Fatal(err)
+	}
 	cmd := exec.Command(filepath.Join(dir, "cosign"), args...) // #nosec G204
 	var out strings.Builder
 	cmd.Stdout = &out
 	cmd.Stderr = &out
-	err := cmd.Run()
+	err = cmd.Run()
 
 	fmt.Println(out.String())
 

diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
@@ -17,12 +17,15 @@ package fulcioverifier
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/sigstore-go/pkg/verify"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 )
 
@@ -32,12 +35,31 @@ func NewSigner(ctx context.Context, ko options.KeyOpts, signer signature.SignerV
 		return nil, err
 	}
 
-	// Grab the PublicKeys for the CTFE, either from tuf or env.
+	if ko.TrustedMaterial != nil && len(fs.SCT) == 0 {
+		// Detached SCTs cannot be verified with this function.
+		chain, err := cryptoutils.UnmarshalCertificatesFromPEM(fs.Chain)
+		if err != nil {
+			return nil, fmt.Errorf("unmarshalling cert chain from PEM for SCT verification: %w", err)
+		}
+		certs, err := cryptoutils.UnmarshalCertificatesFromPEM(fs.Cert)
+		if err != nil || len(certs) < 1 {
+			return nil, fmt.Errorf("unmarshalling cert from PEM for SCT verification: %w", err)
+		}
+		chain = append(chain, certs...)
+		chains := make([][]*x509.Certificate, 1)
+		chains[0] = chain
+		if err := verify.VerifySignedCertificateTimestamp(chains, 1, ko.TrustedMaterial); err != nil {
+			return nil, fmt.Errorf("verifying SCT using trusted root: %w", err)
+		}
+		ui.Infof(ctx, "Successfully verified SCT...")
+		return fs, nil
+	}
+
+	// There was no trusted_root.json or we need to verify a detached SCT, so grab the PublicKeys for the CTFE, either from tuf or env.
 	pubKeys, err := cosign.GetCTLogPubs(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("getting CTFE public keys: %w", err)
 	}
-
 	// verify the sct
 	if err := cosign.VerifySCT(ctx, fs.Cert, fs.Chain, fs.SCT, pubKeys); err != nil {
 		return nil, fmt.Errorf("verifying SCT: %w", err)