added keyless

Author: hackeramitkumar

cosign

@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"crypto"
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -15,21 +17,6 @@ import (
 	"github.com/sigstore/sigstore/pkg/signature"
 )
 
-/*
-// Will be used for fetching extra information
-func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, error) {
-	var sigPayloads []payload.SimpleContainerImage
-	for _, sig := range verified {
-		if sig != nil {
-			fmt.Println(sig)
-			sci := payload.SimpleContainerImage{}
-			sigPayloads = append(sigPayloads, sci)
-		}
-	}
-	return sigPayloads, nil
-}
-*/
-
 func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {
 	// PEM encoded file.
 	pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(raw)
@@ -71,95 +58,25 @@ func fetchArtifacts(ref name.Reference) error {
 	return nil
 }
 
-func cosign2() {
-	// regstry := os.Getenv("REGISTRY")
-	// repo := os.Getenv("REPOSITORY")
-	// identity := os.Getenv("DIGEST")
-	// image := regstry + "/" + repo + "@" + identity
-	// image := os.Getenv("IMAGE_URI")
-	// fmt.Println(image)
-	image := "ghcr.io/hackeramitkumar/kubeji2:latest"
-	ref, err := name.ParseReference(image)
-	if err != nil {
-		panic(err)
-	}
-
-	fmt.Println("--------------------------------  Image refrence information : ------------------------------")
-	fmt.Println("Registry : ", ref.Context().RegistryStr())
-	fmt.Println("Repository : ", ref.Context().RepositoryStr())
-	fmt.Println("Identifier : ", ref.Identifier())
-
-	fmt.Println("")
-	fmt.Println("")
-	fmt.Println("------------------------------------------Artifacts--------------------------------------------")
-	fetchArtifacts(ref)
-	fmt.Println()
-
-	fmt.Print("-----------------  Fetching the signedPayload for : ", image)
-	fmt.Println("-------------------")
-	fmt.Println("")
-	fmt.Println("")
-
-	ctx := context.Background()
-	signedPayloads, err := cosign.FetchSignaturesForReference(ctx, ref)
+func loadCert(pem []byte) (*x509.Certificate, error) {
+	var out []byte
+	out, err := base64.StdEncoding.DecodeString(string(pem))
 	if err != nil {
-		fmt.Println("Error During signedPayloads Fetcheing ")
-		panic(err)
-	}
-
-	fmt.Println("------------------------------------  Fetched all the signedPayloads ----------------------------")
-	fmt.Println()
-
-	for _, Payload := range signedPayloads {
-		fmt.Println("------------------------------------- Signed Payload Content --------------------------------")
-		fmt.Println("")
-		fmt.Println("--------------------------------------Signed Payload Bundle  ----------------------------------")
-
-		byteStream, err := json.Marshal(Payload.Bundle)
-		if err != nil {
-			fmt.Println("Error marshaling JSON:", err)
-			return
-		}
-		jsonString := string(byteStream)
-		fmt.Println(jsonString)
-		fmt.Println("")
-
-		fmt.Println("--------------------------------------Signature for Payload -----------------------------------")
-		fmt.Println(Payload.Base64Signature)
-		fmt.Println("")
-
-		fmt.Println("-----------------------------------Certificate for the Payload---------------------------------")
-		byteStream2, err := json.Marshal(Payload.Cert)
-
-		if err != nil {
-			fmt.Println("Error marshaling JSON:", err)
-			return
-		}
-		jsonString2 := string(byteStream2)
-		fmt.Println(jsonString2)
+		// not a base64
+		out = pem
 	}
 
-	fmt.Println("")
-	fmt.Println("")
-	fmt.Println("-------------------------------------Signature verification --------------------------------------")
-	fmt.Println("")
-
-	verified_signatures, err := verifyImageSignatures_util(ctx, ref)
+	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out)
 	if err != nil {
-		panic(err)
+		return nil, fmt.Errorf("failed to unmarshal certificate from PEM format: %w", err)
 	}
-	fmt.Println("")
-	fmt.Println("--------------------------------List of the verified signatures ----------------------------------")
-	for _, sig := range verified_signatures {
-		fmt.Println(sig.Base64Signature())
+	if len(certs) == 0 {
+		return nil, fmt.Errorf("no certs found in pem file")
 	}
+	return certs[0], nil
 }
 
-func main() {
-	cosign2()
-}
-
-func verifyImageSignatures_util(ctx context.Context, ref name.Reference) ([]oci.Signature, error) {
+func keyed_signatureVerification(ctx context.Context, ref name.Reference) ([]oci.Signature, error) {
 	filePath := "cosign.pub"
 	data, err := ioutil.ReadFile(filePath)
 	if err != nil {
@@ -224,12 +141,34 @@ func keyless_sigantureVerification(ctx context.Context, ref name.Reference) ([]o
 	}
 	fmt.Println("Rekor keys are : ", trustedTransparencyLogPubKeys.Keys)
 
+	filePath := "demo.txt"
+	data, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		fmt.Println("Error reading file:", err)
+		panic(err)
+	}
+
+	// Convert the data to a byte slice ([]byte)
+	byteData := []byte(data)
+	cert, err := loadCert(byteData)
+	if err != nil {
+		fmt.Println(err)
+	}
+	fmt.Println(string(byteData))
+
+	verifier2, err := signature.LoadVerifier(cert.PublicKey, crypto.SHA256)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load signature from certificate: %w", err)
+	}
+
 	cosignVeriOptions := cosign.CheckOpts{
-		Identities: identities,
-		// RekorClient: rekor_client,
+		Identities:   identities,
 		RekorPubKeys: trustedTransparencyLogPubKeys,
+		SigVerifier:  verifier2,
 	}
 
+	fmt.Println("Started the verification")
+
 	verified_signatures, isVerified, err := cosign.VerifyImageSignatures(ctx, ref, &cosignVeriOptions)
 	fmt.Println("-----------------------------Signature verification in Progress -------------------------------")
 	if err != nil {
@@ -239,9 +178,111 @@ func keyless_sigantureVerification(ctx context.Context, ref name.Reference) ([]o
 	if !isVerified {
 		fmt.Println("---------------------------------Verification failed ----------------------------------------")
 	}
-	fmt.Println("")
 
+	fmt.Println("")
 	fmt.Println("---------------------------- Signature verification completed  ----------------------------------")
 	return verified_signatures, err
 
 }
+
+func cosign2() {
+	// regstry := os.Getenv("REGISTRY")
+	// repo := os.Getenv("REPOSITORY")
+	// identity := os.Getenv("DIGEST")
+	// image := regstry + "/" + repo + "@" + identity
+	// image := os.Getenv("IMAGE_URI")
+	// fmt.Println(image)
+	image := "ghcr.io/hackeramitkumar/client:unverified"
+	ref, err := name.ParseReference(image)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("--------------------------------  Image refrence information : ------------------------------")
+	fmt.Println("Registry : ", ref.Context().RegistryStr())
+	fmt.Println("Repository : ", ref.Context().RepositoryStr())
+	fmt.Println("Identifier : ", ref.Identifier())
+
+	fmt.Println("")
+	fmt.Println("")
+	fmt.Println("------------------------------------------Artifacts--------------------------------------------")
+	fetchArtifacts(ref)
+	fmt.Println()
+
+	fmt.Print("-----------------  Fetching the signedPayload for : ", image)
+	fmt.Println("-------------------")
+	fmt.Println("")
+	fmt.Println("")
+
+	ctx := context.Background()
+	signedPayloads, err := cosign.FetchSignaturesForReference(ctx, ref)
+	if err != nil {
+		fmt.Println("Error During signedPayloads Fetcheing ")
+		panic(err)
+	}
+
+	fmt.Println("------------------------------------  Fetched all the signedPayloads ----------------------------")
+	fmt.Println()
+
+	for _, Payload := range signedPayloads {
+		fmt.Println("------------------------------------- Signed Payload Content --------------------------------")
+		fmt.Println("")
+		fmt.Println("--------------------------------------Signed Payload Bundle  ----------------------------------")
+
+		byteStream, err := json.Marshal(Payload.Bundle)
+		if err != nil {
+			fmt.Println("Error marshaling JSON:", err)
+			return
+		}
+		jsonString := string(byteStream)
+		fmt.Println(jsonString)
+		fmt.Println("")
+
+		fmt.Println("--------------------------------------Signature for Payload -----------------------------------")
+		fmt.Println(Payload.Base64Signature)
+		fmt.Println("")
+
+		fmt.Println("-----------------------------------Certificate for the Payload---------------------------------")
+		byteStream2, err := json.Marshal(Payload.Cert)
+
+		if err != nil {
+			fmt.Println("Error marshaling JSON:", err)
+			return
+		}
+		jsonString2 := string(byteStream2)
+		fmt.Println(jsonString2)
+	}
+
+	fmt.Println("")
+	fmt.Println("")
+	fmt.Println("-------------------------------------Keyed Signature verification --------------------------------------")
+	fmt.Println("")
+
+	keyed_verified_signatures, err := keyed_signatureVerification(ctx, ref)
+	if err != nil {
+		fmt.Println("no signature matched:")
+	}
+	fmt.Println("")
+	fmt.Println("--------------------------------List of the verified signatures ----------------------------------")
+	for _, sig := range keyed_verified_signatures {
+		fmt.Println(sig.Base64Signature())
+	}
+
+	fmt.Println("-------------------------------------Keyless Signature verification --------------------------------------")
+	fmt.Println("")
+
+	keyless_verified_signatures, err := keyless_sigantureVerification(ctx, ref)
+	if err != nil {
+		fmt.Println("no signature matched...")
+	}
+
+	fmt.Println("")
+	fmt.Println("--------------------------------List of the verified signatures ----------------------------------")
+	for _, sig := range keyless_verified_signatures {
+		fmt.Println(sig.Base64Signature())
+	}
+}
+
+func main() {
+	cosign2()
+}

cosign.go

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAligAwIBAgIUYcde+9uiVxa8DtmQJUzet2xB+uswCgYIKoZIzj0EAwMw
+NzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl
+cm1lZGlhdGUwHhcNMjMwNjE3MTAzNDM0WhcNMjMwNjE3MTA0NDM0WjAAMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEVVGQL8mdMH6P/UZ/X1AqiPp+DEki79YMMaa8
+c6lh3/BFSt46Y4uffbbjYrphhhEt6DwGAnEAxNSLBCH0e8k8PKOCAXcwggFzMA4G
+A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUOI2H
+atfhqN5wTdUbdPE/NmwAwtQwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y
+ZD8wJgYDVR0RAQH/BBwwGoEYYW1pdDkxMTYyNjAxOTJAZ21haWwuY29tMCkGCisG
+AQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEEAYO/
+MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBiwYKKwYBBAHWeQIE
+AgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABiMjr
+xFsAAAQDAEgwRgIhAKLJUlXry9VyTnjTTPzsTCqvSQ3i/35RnN4PmxcFgYwAAiEA
+1eUBczXVO72rDz0kv9jWPv+G+3JTT+rMWTaxlO+n3fYwCgYIKoZIzj0EAwMDaAAw
+ZQIwRx/tftmBaASRRA0LsdRTPeBd3N4vvAoy6rka+I/uLRz26kYCLv6ynaVwFDrX
+GCrBAjEAzt+aQPv0fcHvPWV/vKWCBYpMfAHVbuSvsVEEOAkwkD0KlRlPCraXdjaB
+HFom7xGY
+-----END CERTIFICATE-----

demo.txt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzzCCAlagAwIBAgIUUTU8hk4lfKJwOG0XFhxpyLMfwhMwCgYIKoZIzj0EAwMw
+NzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl
+cm1lZGlhdGUwHhcNMjMwNjE3MTEzMDAyWhcNMjMwNjE3MTE0MDAyWjAAMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAE08YM8/NKB5BslMC06fq01O6IWTW541w1TYxJ
+lsQ7WQu+oPJ9YTlKeBCoOn3KcEaLlf5NZroBG2XX4dBSrOkd4qOCAXUwggFxMA4G
+A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUH7tG
+pTHPAqgYs1bG8e9Tcsgv7xkwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y
+ZD8wJgYDVR0RAQH/BBwwGoEYYW1pdDkxMTYyNjAxOTJAZ21haWwuY29tMCkGCisG
+AQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEEAYO/
+MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBiQYKKwYBBAHWeQIE
+AgR7BHkAdwB1AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABiMke
+iyQAAAQDAEYwRAIgFCnil/mF85ZR6tYu1CAsFM//4966pzbBCOjTWZKen+sCIHL4
+Rbn0E+tLp0IxrvQYUR4uR35MmtS7lWihGvfra+8BMAoGCCqGSM49BAMDA2cAMGQC
+MAyAqcswsyukLVvZG7wZJrBN4SoN0CcEe6STG/xYpHMaN0q/U77IpbtM/8zi86Oc
+zgIwHu0cA3b3hPY3NxKypm6r4zNeRf/8/LqD8fHFzYuE01cLVzvuu5DAXzyhKAan
+uE2n
+-----END CERTIFICATE-----