mirror of
https://github.com/project-zot/zot.git
synced 2025-01-06 22:40:28 -05:00
113 lines
2.2 KiB
Go
113 lines
2.2 KiB
Go
package signatures
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto"
|
|
"encoding/base64"
|
|
"io"
|
|
"os"
|
|
"path"
|
|
|
|
godigest "github.com/opencontainers/go-digest"
|
|
"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
|
|
sigs "github.com/sigstore/cosign/v2/pkg/signature"
|
|
"github.com/sigstore/sigstore/pkg/signature/options"
|
|
|
|
zerr "zotregistry.io/zot/errors"
|
|
)
|
|
|
|
const (
|
|
CosignSigKey = "dev.cosignproject.cosign/signature"
|
|
cosignDirRelativePath = "_cosign"
|
|
)
|
|
|
|
var cosignDir = "" //nolint:gochecknoglobals
|
|
|
|
func InitCosignDir(rootDir string) error {
|
|
dir := path.Join(rootDir, cosignDirRelativePath)
|
|
|
|
_, err := os.Stat(dir)
|
|
if os.IsNotExist(err) {
|
|
err = os.MkdirAll(dir, defaultDirPerms)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err == nil {
|
|
cosignDir = dir
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
func GetCosignDirPath() (string, error) {
|
|
if cosignDir != "" {
|
|
return cosignDir, nil
|
|
}
|
|
|
|
return "", zerr.ErrSignConfigDirNotSet
|
|
}
|
|
|
|
func VerifyCosignSignature(
|
|
repo string, digest godigest.Digest, signatureKey string, layerContent []byte,
|
|
) (string, bool, error) {
|
|
cosignDir, err := GetCosignDirPath()
|
|
if err != nil {
|
|
return "", false, err
|
|
}
|
|
|
|
files, err := os.ReadDir(cosignDir)
|
|
if err != nil {
|
|
return "", false, err
|
|
}
|
|
|
|
for _, file := range files {
|
|
if !file.IsDir() {
|
|
// cosign verify the image
|
|
ctx := context.Background()
|
|
keyRef := path.Join(cosignDir, file.Name())
|
|
hashAlgorithm := crypto.SHA256
|
|
|
|
pubKey, err := sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, hashAlgorithm)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
pkcs11Key, ok := pubKey.(*pkcs11key.Key)
|
|
if ok {
|
|
defer pkcs11Key.Close()
|
|
}
|
|
|
|
verifier := pubKey
|
|
|
|
b64sig := signatureKey
|
|
|
|
signature, err := base64.StdEncoding.DecodeString(b64sig)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
compressed := io.NopCloser(bytes.NewReader(layerContent))
|
|
|
|
payload, err := io.ReadAll(compressed)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
err = verifier.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx))
|
|
|
|
if err == nil {
|
|
publicKey, err := os.ReadFile(keyRef)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
|
|
return string(publicKey), true, nil
|
|
}
|
|
}
|
|
}
|
|
|
|
return "", false, nil
|
|
}
|