mirror of https://github.com/project-zot/zot.git synced 2025-01-20 22:52:51 -05:00
zot/pkg/meta/signatures
Andreea Lupu 41b05c60dd
feat: upload certificates and public keys for verifying signatures (#1485)
In order to verify signatures, users could upload their certificates and public keys using these routes:
	-> for public keys:
		/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
	-> for certificates:
		/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for the notation case, the "truststores" field of the $rootdir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also, based on the uploaded files, the information about the signatures' validity will be updated
periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-07-06 14:57:59 +03:00
Files in this directory (all last changed by the commit above): cosign.go, notation.go, README.md, signatures.go, signatures_test.go

Verifying signatures

How to configure zot for verifying signatures

In order to configure zot for verifying signatures, the user should provide:

  1. public keys (which correspond to the private keys used to sign images with cosign)

or

  1. certificates (used to sign images with notation)

These files could be uploaded using one of these requests:

  1. upload a public key

    Example request

    curl --data-binary @file.pub -X POST "http://localhost:8080/v2/_zot/ext/mgmt?resource=signatures&tool=cosign"
    
  2. upload a certificate

    Example request

    curl --data-binary @file.crt -X POST "http://localhost:8080/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=upload-cert"
    

Besides the file itself, the user must also specify the tool, which should be:

  • cosign for uploading public keys
  • notation for uploading certificates

If the uploaded file is a certificate, the user must also specify the type of the truststore through the truststoreType parameter and its name through the truststoreName parameter.

Based on the uploaded files, signature verification is performed for all signed images. The information known about each signature will then be:

  • the tool used to generate the signature (cosign or notation)

  • whether the signature is trusted (i.e. whether an uploaded certificate or public key successfully verifies it)

  • the author of the signature which will be:

    • the public key -> for signatures generated using cosign
    • the subject of the certificate -> for signatures generated using notation

Example of GraphQL output

{
    "data": {
        "Image": {
            "Manifests": [
                {
                    "Digest":"sha256:6c19fba547b87bde9a45df2f8563e0c61826d098dd30192a2c8b86da1e1a6360"
                }
            ],
            "IsSigned": true,
            "Tag": "latest",
            "SignatureInfo":[
                {
                    "Tool":"cosign",
                    "IsTrusted":false,
                    "Author":""
                },
                {
                    "Tool":"cosign",
                    "IsTrusted":false,
                    "Author":""
                },
                {
                    "Tool":"cosign",
                    "IsTrusted": true,
                    "Author":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9pN+/hGcFlh4YYaNvZxNvuh8Qyhl\npURz77qScOHe3DqdmiWiuqIseyhEdjEDwpL6fHRwu3a2Nd9wbKqm0la76w==\n-----END PUBLIC KEY-----\n"
                },
                {
                    "Tool":"notation",
                    "IsTrusted": false,
                    "Author":"CN=v4-test,O=Notary,L=Seattle,ST=WA,C=US"
                },
                {
                    "Tool":"notation",
                    "IsTrusted": true,
                    "Author":"CN=multipleSig,O=Notary,L=Seattle,ST=WA,C=US"
                }
            ]
        }
    }
}

Notes

  • The files (public keys and certificates) uploaded using the exposed routes are stored in two dedicated directories, _cosign and _notation, under $rootDir.

    • _cosign directory will contain the uploaded public keys

      _cosign
      ├── $publicKey1
      └── $publicKey2
      
    • _notation directory will have this structure:

      _notation
      ├── trustpolicy.json
      └── truststore
          └── x509
              └── $truststoreType
                  └── $truststoreName
                      └── $certificate
      

      where the trustpolicy.json file has the following default content; it cannot be modified by the user and is updated each time a certificate is added to a new truststore:

      {
          "version": "1.0",
          "trustPolicies": [
              {
                  "name": "default-config",
                  "registryScopes": [ "*" ],
                  "signatureVerification": {
                      "level" : "strict" 
                  },
                  "trustStores": [],
                  "trustedIdentities": [
                      "*"
                  ]
              }
          ]
      }
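The two side effects of a notation upload described above, as an added example (not code from the zot project): deriving the certificate path under $rootDir/_notation/truststore/x509/$truststoreType/$truststoreName, and adding the "$truststoreType:$truststoreName" entry to trustpolicy.json without duplicating it on repeated uploads. The path-component check in certPath is an assumption about what a safe implementation should do, not a description of zot's own code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// trustPolicy mirrors the fields of the trustpolicy.json shown on this page.
type trustPolicy struct {
	Version       string        `json:"version"`
	TrustPolicies []policyEntry `json:"trustPolicies"`
}

type policyEntry struct {
	Name                  string            `json:"name"`
	RegistryScopes        []string          `json:"registryScopes"`
	SignatureVerification map[string]string `json:"signatureVerification"`
	TrustStores           []string          `json:"trustStores"`
	TrustedIdentities     []string          `json:"trustedIdentities"`
}

// certPath builds $rootDir/_notation/truststore/x509/$type/$name/$file and
// rejects components that would escape that directory (illustrative check).
func certPath(rootDir, storeType, storeName, fileName string) (string, error) {
	for _, p := range []string{storeType, storeName, fileName} {
		if p == "" || p == "." || p == ".." || p != filepath.Base(p) {
			return "", fmt.Errorf("invalid path component %q", p)
		}
	}
	return filepath.Join(rootDir, "_notation", "truststore", "x509", storeType, storeName, fileName), nil
}

// addTrustStore parses trustpolicy.json, adds "$type:$name" to each policy's
// trustStores exactly once, and re-serialises the document.
func addTrustStore(policyJSON []byte, storeType, storeName string) ([]byte, error) {
	var policy trustPolicy
	if err := json.Unmarshal(policyJSON, &policy); err != nil {
		return nil, err
	}
	entry := storeType + ":" + storeName
	for i, p := range policy.TrustPolicies {
		found := false
		for _, s := range p.TrustStores {
			found = found || s == entry // skip if already registered
		}
		if !found {
			policy.TrustPolicies[i].TrustStores = append(p.TrustStores, entry)
		}
	}
	return json.MarshalIndent(policy, "", "    ")
}
```

Because trustedIdentities is "*" in the default policy, any certificate placed into a listed truststore is accepted as a signer, so access to the upload route decides who can make a notation signature appear trusted.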