package cosign import ( "context" "fmt" "github.com/go-logr/logr" policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1" "github.com/kyverno/kyverno/pkg/imagedataloader" "github.com/kyverno/kyverno/pkg/logging" "github.com/pkg/errors" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/policy" k8scorev1 "k8s.io/client-go/kubernetes/typed/core/v1" ) type cosignVerifier struct { secretInterface k8scorev1.SecretInterface log logr.Logger } func NewVerifier(secretInterface k8scorev1.SecretInterface) *cosignVerifier { return &cosignVerifier{ log: logging.WithName("Notary"), secretInterface: secretInterface, } } func (v *cosignVerifier) VerifyImageSignature(ctx context.Context, image *imagedataloader.ImageData, attestor *policiesv1alpha1.Attestor) error { if attestor.Cosign == nil { return fmt.Errorf("cosign verifier only supports cosign attestor") } logger := v.log.WithValues("image", image.Image, "digest", image.Digest, "attestor", attestor.Name) logger.V(2).Info("verifying cosign image signature", "image", image.Image) cOpts, err := checkOptions(ctx, attestor.Cosign, image.RemoteOpts, image.NameOpts, v.secretInterface) if err != nil { err := errors.Wrapf(err, "failed to build cosign verification opts") logger.Error(err, "image verification failed") return err } cOpts.ClaimVerifier = cosign.SimpleClaimVerifier sigs, verified, err := cosign.VerifyImageSignatures(ctx, image.NameRef, cOpts) if err != nil { err := errors.Wrapf(err, "failed to verify cosign signatures") logger.Error(err, "image verification failed") return err } else if !verified { err := fmt.Errorf("cosign bundle verification failed") logger.Error(err, "image verification failed") return err } // TODO: Check keyless data? if len(attestor.Cosign.Annotations) != 0 { for _, sig := range sigs { if err := checkSignatureAnnotations(sig, attestor.Cosign.Annotations); err != nil { logger.Error(err, "image verification failed") return err } } } return nil } func (v *cosignVerifier) VerifyAttestationSignature(ctx context.Context, image *imagedataloader.ImageData, attestation *policiesv1alpha1.Attestation, attestor *policiesv1alpha1.Attestor) error { if attestation.InToto == nil { return fmt.Errorf("cosgin verifier only supports intoto referrers as attestations") } if attestor.Cosign == nil { return fmt.Errorf("cosign verifier only supports cosign attestor") } logger := v.log.WithValues("image", image.Image, "digest", image.Digest, "attestation", attestation.Name, "attestor", attestor.Name) logger.V(2).Info("verifying cosign attestation signature", "image", image.Image) cOpts, err := checkOptions(ctx, attestor.Cosign, image.RemoteOpts, image.NameOpts, v.secretInterface) if err != nil { err := errors.Wrapf(err, "failed to build cosign verification opts") logger.Error(err, "image verification failed") return err } cOpts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier sigs, verified, err := cosign.VerifyImageAttestations(ctx, image.NameRef, cOpts) if err != nil { err := errors.Wrapf(err, "failed to verify cosign signatures") logger.Error(err, "image verification failed") return err } else if !verified { err := fmt.Errorf("cosign bundle verification failed") logger.Error(err, "image verification failed") return err } checkedTypes := []string{} found := false for _, s := range sigs { payload, gotType, err := policy.AttestationToPayloadJSON(ctx, attestation.InToto.Type, s) if err != nil { return fmt.Errorf("converting to consumable policy validation: %w", err) } checkedTypes = append(checkedTypes, gotType) if len(payload) == 0 { // This is not the predicate type we're looking for. continue } if err := checkSignatureAnnotations(s, attestor.Cosign.Annotations); err != nil { logger.Error(err, "image verification failed") return err } found = true image.AddVerifiedIntotoPayloads(gotType, payload) } if !found { err := fmt.Errorf("required predicate type %s not found, found %v", attestation.InToto.Type, checkedTypes) logger.Error(err, "image verification failed") return err } return nil }