update cosign to v1.0.0 (#2221)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

go.mod

@@ -18,7 +18,6 @@ require (
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20210216200643-d81088d9983e
 	github.com/googleapis/gnostic v0.5.4
 	github.com/jmespath/go-jmespath v0.4.0
-	github.com/json-iterator/go v1.1.11 // indirect
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
 	github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7
@@ -28,22 +27,23 @@ require (
 	github.com/onsi/ginkgo v1.15.0
 	github.com/onsi/gomega v1.11.0
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
-	github.com/ory/go-acc v0.2.6 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.10.0
-	github.com/sigstore/cosign v0.5.0
-	github.com/sigstore/sigstore v0.0.0-20210530211317-99216b8b86a6
-	github.com/spf13/cobra v1.1.3
+	github.com/prometheus/client_golang v1.11.0
+	github.com/sigstore/cosign v1.0.0
+	github.com/sigstore/rekor v0.3.0 // indirect
+	github.com/sigstore/sigstore v0.0.0-20210726180807-7e34e36ecda1
+	github.com/sigstore/fulcio v0.1.1
+	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.21.1
+	k8s.io/api v0.21.3
 	k8s.io/apiextensions-apiserver v0.21.1
-	k8s.io/apimachinery v0.21.1
+	k8s.io/apimachinery v0.21.3
 	k8s.io/cli-runtime v0.21.1
-	k8s.io/client-go v0.21.1
+	k8s.io/client-go v0.21.3
 	k8s.io/klog/v2 v2.9.0
 	k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
 	sigs.k8s.io/controller-runtime v0.8.1

pkg/cosign/cosign.go

@@ -5,16 +5,18 @@ import (
 	"crypto"
 	"encoding/json"
 	"fmt"
+	"strings"
+
 	"github.com/gardener/controller-manager-library/pkg/logger"
 	"github.com/go-logr/logr"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/authn/k8schain"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"k8s.io/client-go/kubernetes"
-	"strings"
 )
 
 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
@@ -43,10 +45,10 @@ func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err er
 
 	cosignOpts := &cosign.CheckOpts{
 		Annotations: map[string]interface{}{},
-		Claims:      false,
-		Tlog:        false,
-		Roots:       nil,
-		PubKey:      pubKey,
+		SigVerifier: pubKey,
+		RegistryClientOpts: []remote.Option{
+			remote.WithAuthFromKeychain(authn.DefaultKeychain),
+		},
 	}
 
 	ref, err := name.ParseReference(imageRef)
@@ -54,7 +56,7 @@ func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err er
 		return "", errors.Wrap(err, "failed to parse image")
 	}
 
-	verified, err := cosign.Verify(context.Background(), ref, cosignOpts, "https://rekor.sigstore.dev")
+	verified, err := cosign.Verify(context.Background(), ref, cosignOpts)
 	if err != nil {
 		msg := err.Error()
 		logger.Info("image verification failed", "error", msg)
@@ -75,14 +77,14 @@ func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err er
 	return digest, nil
 }
 
-func decodePEM(raw []byte) (pub cosign.PublicKey, err error) {
+func decodePEM(raw []byte) (signature.Verifier, error) {
 	// PEM encoded file.
 	ed, err := cosign.PemToECDSAKey(raw)
 	if err != nil {
 		return nil, errors.Wrap(err, "pem to ecdsa")
 	}
 
-	return signature.ECDSAVerifier{Key: ed, HashAlg: crypto.SHA256}, nil
+	return signature.LoadECDSAVerifier(ed, crypto.SHA256)
 }
 
 func extractDigest(imgRef string, verified []cosign.SignedPayload, log logr.Logger) (string, error) {