Update slsa-provenance predicate to v0.2 (#1054)

* Update slsa-provenance to v0.2 This dep update also required updating the go-tuf dependency, so there are some bug fixes in the go-tuf code in this PR as well. Signed-off-by: Priya Wadhwa <[email protected]> * Remove newlines from targets so that they match expected targets Signed-off-by: Priya Wadhwa <[email protected]>
sigstore · Nov 23, 2021 · 98cf544 · 98cf544
1 parent 7ec91a4
commit 98cf544
Show file tree

Hide file tree

Showing 11 changed files with 102 additions and 74 deletions.
diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml
@@ -72,11 +72,12 @@ jobs:
           #  - nothing in vendor/
           #  - nothing in third_party
           #  - nothing in .git/
+          #  - nothing in pkg/cosign/tuf/repository
           #  - no *.ai (Adobe Illustrator) files.
           LINT_FILES=$(git ls-files |
           git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 |
           git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 |
-          grep -Ev '^(vendor/|third_party/|.git|pkg/cosign/tuf/repository/targets/)' |
+          grep -Ev '^(vendor/|third_party/|.git|pkg/cosign/tuf/repository/)' |
           grep -v '\.ai$')
           for x in $LINT_FILES; do
             # Based on https://stackoverflow.com/questions/34943632/linux-check-if-there-is-an-empty-line-at-the-end-of-a-file

diff --git a/cmd/cosign/cli/initialize/init.go b/cmd/cosign/cli/initialize/init.go
@@ -32,11 +32,6 @@ func DoInitialize(ctx context.Context, root, mirror string, threshold int) error
 		if err != nil {
 			return err
 		}
-	} else {
-		rootFileBytes, err = tuf.GetEmbeddedRoot()
-		if err != nil {
-			return err
-		}
 	}
 
 	// Initialize the remote repository.

diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go
@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"net/url"
 
+	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/spf13/cobra"
 
@@ -35,7 +37,7 @@ const (
 // PredicateTypeMap is the mapping between the predicate `type` option to predicate URI.
 var PredicateTypeMap = map[string]string{
 	PredicateCustom: attestation.CosignCustomProvenanceV01,
-	PredicateSLSA:   in_toto.PredicateSLSAProvenanceV01,
+	PredicateSLSA:   slsa.PredicateSLSAProvenance,
 	PredicateSPDX:   in_toto.PredicateSPDX,
 	PredicateLink:   in_toto.PredicateLinkV1,
 }

diff --git a/go.mod b/go.mod
@@ -17,19 +17,19 @@ require (
 	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211102215614-dd49079bb93d
 	github.com/google/go-github/v39 v39.2.0
 	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c
-	github.com/in-toto/in-toto-golang v0.3.3
+	github.com/in-toto/in-toto-golang v0.3.4-0.20211115151443-952a6cf50fc9
 	github.com/manifoldco/promptui v0.9.0
 	github.com/miekg/pkcs11 v1.0.3
 	github.com/open-policy-agent/opa v0.34.2
 	github.com/pkg/errors v0.9.1
 	github.com/secure-systems-lab/go-securesystemslib v0.1.0
 	github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb
-	github.com/sigstore/rekor v0.3.0
+	github.com/sigstore/rekor v0.3.1-0.20211117161348-09070aa96aef
 	github.com/sigstore/sigstore v1.0.2-0.20211115214857-534e133ebf9d
 	github.com/spf13/cobra v1.2.1
 	github.com/stretchr/testify v1.7.0
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613
-	github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396
+	github.com/theupdateframework/go-tuf v0.0.0-20211006142131-1dc15a86c64d
 	github.com/xanzy/go-gitlab v0.52.0
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
@@ -42,16 +42,18 @@ require (
 
 require (
 	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
+	github.com/fatih/color v1.12.0 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/onsi/gomega v1.16.0 // indirect
+	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/spf13/viper v1.9.0
 	github.com/urfave/cli v1.22.5 // indirect
 	go.opentelemetry.io/contrib v1.1.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.10.0 // indirect
-	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	k8s.io/klog/v2 v2.20.0 // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/pkg/cosign/attestation/attestation.go b/pkg/cosign/attestation/attestation.go
@@ -23,6 +23,8 @@ import (
 	"strings"
 	"time"
 
+	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/pkg/errors"
 )
@@ -135,7 +137,7 @@ func generateCustomPredicate(rawPayload []byte, customType, timestamp string) (i
 }
 
 func generateSLSAProvenanceStatement(rawPayload []byte, digest string, repo string) (interface{}, error) {
-	var predicate in_toto.ProvenancePredicate
+	var predicate slsa.ProvenancePredicate
 	err := checkRequiredJSONFields(rawPayload, reflect.TypeOf(predicate))
 	if err != nil {
 		return nil, fmt.Errorf("provenance predicate: %w", err)
@@ -145,7 +147,7 @@ func generateSLSAProvenanceStatement(rawPayload []byte, digest string, repo stri
 		return "", errors.Wrap(err, "unmarshal Provenance predicate")
 	}
 	return in_toto.ProvenanceStatement{
-		StatementHeader: generateStatementHeader(digest, repo, in_toto.PredicateSLSAProvenanceV01),
+		StatementHeader: generateStatementHeader(digest, repo, slsa.PredicateSLSAProvenance),
 		Predicate:       predicate,
 	}, nil
 }

diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
@@ -251,7 +251,7 @@ func GetTarget(ctx context.Context, name string, out client.Destination) error {
 	return getTargetHelper(name, out, c)
 }
 
-func getRootKeys(rootFileBytes []byte) ([]*data.Key, int, error) {
+func getRootKeys(rootFileBytes []byte) ([]*data.PublicKey, int, error) {
 	store := tuf.MemoryStore(map[string]json.RawMessage{"root.json": rootFileBytes}, nil)
 	repo, err := tuf.NewRepo(store)
 	if err != nil {
@@ -302,12 +302,18 @@ func downloadRemoteTarget(name string, c *client.Client, out client.Destination)
 
 // Instantiates the global TUF client. Uses the embedded (by default trusted) root in cosign
 // unless a custom root is provided. This will always perform a remote call to update.
-func Init(ctx context.Context, rootBytes []byte, remote client.RemoteStore, threshold int) error {
-	rootClient, err := RootClient(ctx, remote, rootBytes)
+func Init(ctx context.Context, altRootBytes []byte, remote client.RemoteStore, threshold int) error {
+	rootClient, err := RootClient(ctx, remote, altRootBytes)
 	if err != nil {
 		return errors.Wrap(err, "initializing root client")
 	}
-	rootKeys, rootThreshold, err := getRootKeys(rootBytes)
+	if altRootBytes == nil {
+		altRootBytes, err = GetEmbeddedRoot()
+		if err != nil {
+			return err
+		}
+	}
+	rootKeys, rootThreshold, err := getRootKeys(altRootBytes)
 	if err != nil {
 		return errors.Wrap(err, "retrieving root keys")
 	}

diff --git a/pkg/cosign/tuf/client_test.go b/pkg/cosign/tuf/client_test.go
@@ -49,7 +49,7 @@ func generateTestRepo(t *testing.T, files map[string][]byte) (*fakeRemoteStore,
 	for file := range files {
 		repo.AddTarget(file, nil)
 	}
-	repo.Snapshot(tuf.CompressionTypeNone)
+	repo.Snapshot()
 	repo.Timestamp()
 	repo.Commit()
 

diff --git a/pkg/cosign/tuf/repository/targets.json b/pkg/cosign/tuf/repository/targets.json
@@ -53,4 +53,4 @@
 		},
 		"version": 1
 	}
-}
+}
diff --git a/pkg/cosign/tuf/repository/timestamp.json b/pkg/cosign/tuf/repository/timestamp.json
@@ -36,4 +36,4 @@
 		"spec_version": "1.0",
 		"version": 1
 	}
-}
+}
diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go
@@ -68,7 +68,7 @@ func (h *gcsRemoteStore) get(s string) (io.ReadCloser, int64, error) {
 	obj := h.client.Bucket(h.bucket).Object(s)
 	attrs, err := obj.Attrs(h.ctx)
 	if err != nil {
-		return nil, 0, err
+		return nil, 0, client.ErrNotFound{File: s}
 	}
 	rc, err := obj.NewReader(h.ctx)
 	if err != nil {