Add support for attesting with complete statement

Signed-off-by: Cody Soyland <codysoyland@github.com>

Author: codysoyland

cmd/cosign/cli/attest.go

@@ -63,9 +63,11 @@ func Attest() *cobra.Command {
   # attach an attestation to a container image and honor the creation timestamp of the signature
   cosign attest --predicate <FILE> --type <TYPE> --key cosign.key --record-creation-timestamp <IMAGE>`,
 
-		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.Predicate.Statement == "" && len(args) != 1 {
+				return cobra.ExactArgs(1)(cmd, args)
+			}
 			oidcClientSecret, err := o.OIDC.ClientSecret()
 			if err != nil {
 				return err
@@ -94,6 +96,7 @@ func Attest() *cobra.Command {
 				CertPath:                o.Cert,
 				CertChainPath:           o.CertChain,
 				NoUpload:                o.NoUpload,
+				StatementPath:           o.Predicate.Statement,
 				PredicatePath:           o.Predicate.Path,
 				PredicateType:           o.Predicate.Type,
 				Replace:                 o.Replace,

cmd/cosign/cli/attest/attest.go

@@ -21,6 +21,7 @@ import (
 	_ "crypto/sha256" // for `crypto.SHA256`
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"time"
 
@@ -74,6 +75,7 @@ type AttestCommand struct {
 	CertPath                string
 	CertChainPath           string
 	NoUpload                bool
+	StatementPath           string
 	PredicatePath           string
 	PredicateType           string
 	Replace                 bool
@@ -91,18 +93,14 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 		return &options.KeyParseError{}
 	}
 
-	if c.PredicatePath == "" {
-		return fmt.Errorf("predicate cannot be empty")
+	if options.NOf(c.PredicatePath, c.StatementPath) != 1 {
+		return fmt.Errorf("one of --predicate or --statement must be set")
 	}
 
 	if c.RekorEntryType != "dsse" && c.RekorEntryType != "intoto" {
 		return fmt.Errorf("unknown value for rekor-entry-type")
 	}
 
-	predicateURI, err := options.ParsePredicateType(c.PredicateType)
-	if err != nil {
-		return err
-	}
 	ref, err := name.ParseReference(imageRef, c.NameOptions()...)
 	if err != nil {
 		return fmt.Errorf("parsing reference: %w", err)
@@ -140,26 +138,52 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 	wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
 	dd := cremote.NewDupeDetector(sv)
 
-	predicate, err := predicateReader(c.PredicatePath)
-	if err != nil {
-		return fmt.Errorf("getting predicate reader: %w", err)
-	}
-	defer predicate.Close()
+	var payload []byte
+	var predicateType string
 
-	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
-		Predicate: predicate,
-		Type:      c.PredicateType,
-		Digest:    h.Hex,
-		Repo:      digest.Repository.String(),
-	})
-	if err != nil {
-		return err
-	}
+	if c.StatementPath != "" {
+		fmt.Fprintln(os.Stderr, "Using statement from:", c.StatementPath)
+		statement, err := predicateReader(c.StatementPath)
+		if err != nil {
+			return fmt.Errorf("getting statement reader: %w", err)
+		}
+		defer statement.Close()
+		payload, err = io.ReadAll(statement)
+		if err != nil {
+			return fmt.Errorf("could not read statement: %w", err)
+		}
+		predicateType, err = validateStatement(payload)
+		if err != nil {
+			return fmt.Errorf("invalid statement: %w", err)
+		}
+	} else {
+		predicateType, err = options.ParsePredicateType(c.PredicateType)
+		if err != nil {
+			return err
+		}
 
-	payload, err := json.Marshal(sh)
-	if err != nil {
-		return err
+		predicate, err := predicateReader(c.PredicatePath)
+		if err != nil {
+			return fmt.Errorf("getting predicate reader: %w", err)
+		}
+		defer predicate.Close()
+
+		sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
+			Predicate: predicate,
+			Type:      c.PredicateType,
+			Digest:    h.Hex,
+			Repo:      digest.Repository.String(),
+		})
+		if err != nil {
+			return err
+		}
+
+		payload, err = json.Marshal(sh)
+		if err != nil {
+			return err
+		}
 	}
+
 	signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 	if err != nil {
 		return fmt.Errorf("signing: %w", err)
@@ -192,11 +216,6 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 		opts = append(opts, static.WithRFC3161Timestamp(bundle))
 	}
 
-	predicateType, err := options.ParsePredicateType(c.PredicateType)
-	if err != nil {
-		return err
-	}
-
 	predicateTypeAnnotation := map[string]string{
 		"predicateType": predicateType,
 	}
@@ -238,7 +257,7 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 	}
 
 	if c.Replace {
-		ro := cremote.NewReplaceOp(predicateURI)
+		ro := cremote.NewReplaceOp(predicateType)
 		signOpts = append(signOpts, mutate.WithReplaceOp(ro))
 	}
 

cmd/cosign/cli/attest/attest_blob.go

@@ -33,6 +33,7 @@ import (
 
 	"errors"
 
+	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"google.golang.org/protobuf/encoding/protojson"
 
@@ -62,6 +63,7 @@ type AttestBlobCommand struct {
 
 	ArtifactHash string
 
+	StatementPath string
 	PredicatePath string
 	PredicateType string
 
@@ -82,8 +84,8 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 		return &options.KeyParseError{}
 	}
 
-	if c.PredicatePath == "" {
-		return fmt.Errorf("predicate cannot be empty")
+	if options.NOf(c.PredicatePath, c.StatementPath) != 1 {
+		return fmt.Errorf("one of --predicate or --statement must be set")
 	}
 
 	if c.RekorEntryType != "dsse" && c.RekorEntryType != "intoto" {
@@ -100,38 +102,6 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 		return errors.New("expected either new bundle or an rfc3161-timestamp path when using a TSA server")
 	}
 
-	var artifact []byte
-	var hexDigest string
-	var err error
-
-	if c.ArtifactHash == "" {
-		if artifactPath == "-" {
-			artifact, err = io.ReadAll(os.Stdin)
-		} else {
-			fmt.Fprintln(os.Stderr, "Using payload from:", artifactPath)
-			artifact, err = os.ReadFile(filepath.Clean(artifactPath))
-		}
-		if err != nil {
-			return err
-		}
-	}
-
-	if c.ArtifactHash == "" {
-		digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
-		if err != nil {
-			return err
-		}
-		hexDigest = strings.ToLower(hex.EncodeToString(digest))
-	} else {
-		hexDigest = c.ArtifactHash
-	}
-
-	predicate, err := predicateReader(c.PredicatePath)
-	if err != nil {
-		return fmt.Errorf("getting predicate reader: %w", err)
-	}
-	defer predicate.Close()
-
 	sv, err := sign.SignerFromKeyOpts(ctx, c.CertPath, c.CertChainPath, c.KeyOpts)
 	if err != nil {
 		return fmt.Errorf("getting signer: %w", err)
@@ -141,19 +111,67 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 
 	base := path.Base(artifactPath)
 
-	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
-		Predicate: predicate,
-		Type:      c.PredicateType,
-		Digest:    hexDigest,
-		Repo:      base,
-	})
-	if err != nil {
-		return err
-	}
+	var payload []byte
 
-	payload, err := json.Marshal(sh)
-	if err != nil {
-		return err
+	fmt.Println("Using statement from:", c.StatementPath)
+
+	if c.StatementPath != "" {
+		fmt.Fprintln(os.Stderr, "Using statement from:", c.StatementPath)
+		statement, err := predicateReader(c.StatementPath)
+		if err != nil {
+			return fmt.Errorf("getting statement reader: %w", err)
+		}
+		defer statement.Close()
+		payload, err = io.ReadAll(statement)
+		if err != nil {
+			return fmt.Errorf("could not read statement: %w", err)
+		}
+		if _, err := validateStatement(payload); err != nil {
+			return fmt.Errorf("invalid statement: %w", err)
+		}
+
+	} else {
+		var artifact []byte
+		var hexDigest string
+		if c.ArtifactHash == "" {
+			if artifactPath == "-" {
+				artifact, err = io.ReadAll(os.Stdin)
+			} else {
+				fmt.Fprintln(os.Stderr, "Using payload from:", artifactPath)
+				artifact, err = os.ReadFile(filepath.Clean(artifactPath))
+			}
+			if err != nil {
+				return err
+			}
+		}
+
+		if c.ArtifactHash == "" {
+			digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
+			if err != nil {
+				return err
+			}
+			hexDigest = strings.ToLower(hex.EncodeToString(digest))
+		} else {
+			hexDigest = c.ArtifactHash
+		}
+		predicate, err := predicateReader(c.PredicatePath)
+		if err != nil {
+			return fmt.Errorf("getting predicate reader: %w", err)
+		}
+		defer predicate.Close()
+		sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
+			Predicate: predicate,
+			Type:      c.PredicateType,
+			Digest:    hexDigest,
+			Repo:      base,
+		})
+		if err != nil {
+			return err
+		}
+		payload, err = json.Marshal(sh)
+		if err != nil {
+			return err
+		}
 	}
 
 	sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
@@ -367,3 +385,11 @@ func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, pay
 
 	return contents, nil
 }
+
+func validateStatement(payload []byte) (string, error) {
+	var statement *in_toto.Statement
+	if err := json.Unmarshal(payload, &statement); err != nil {
+		return "", fmt.Errorf("invalid statement: %w", err)
+	}
+	return statement.PredicateType, nil
+}

cmd/cosign/cli/attest/attest_blob_test.go

@@ -39,6 +39,7 @@ import (
 	"github.com/sigstore/cosign/v2/test"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
+	"github.com/stretchr/testify/assert"
 )
 
 // TestAttestBlobCmdLocalKeyAndSk verifies the AttestBlobCmd returns an error
@@ -307,3 +308,36 @@ func TestBadRekorEntryType(t *testing.T) {
 		})
 	}
 }
+
+func TestStatementPath(t *testing.T) {
+	ctx := context.Background()
+	td := t.TempDir()
+
+	keys, _ := cosign.GenerateKeyPair(nil)
+	keyRef := writeFile(t, td, string(keys.PrivateBytes), "key.pem")
+
+	statement := `{
+		"_type": "https://in-toto.io/Statement/v1",
+		"subject": [
+			{
+				"name": "foo",
+				"digest": {
+					"sha256": "deadbeef"
+				}
+			}
+		],
+		"predicateType": "https://example.com/CustomPredicate/v1",
+		"predicate": {
+			"foo": "bar"
+		}
+	}`
+	statementPath := writeFile(t, td, statement, "statement.json")
+
+	at := AttestBlobCommand{
+		KeyOpts:        options.KeyOpts{KeyRef: keyRef},
+		StatementPath:  statementPath,
+		RekorEntryType: "dsse",
+	}
+	err := at.Exec(ctx, "")
+	assert.NoError(t, err)
+}

cmd/cosign/cli/attest_blob.go

@@ -47,9 +47,11 @@ func AttestBlob() *cobra.Command {
   # supply attestation via stdin
   echo <PAYLOAD> | cosign attest-blob --predicate - --yes`,
 
-		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.Predicate.Statement == "" && len(args) != 1 {
+				return cobra.ExactArgs(1)(cmd, args)
+			}
 			oidcClientSecret, err := o.OIDC.ClientSecret()
 			if err != nil {
 				return err
@@ -83,13 +85,18 @@ func AttestBlob() *cobra.Command {
 				TlogUpload:        o.TlogUpload,
 				PredicateType:     o.Predicate.Type,
 				PredicatePath:     o.Predicate.Path,
+				StatementPath:     o.Predicate.Statement,
 				OutputSignature:   o.OutputSignature,
 				OutputAttestation: o.OutputAttestation,
 				OutputCertificate: o.OutputCertificate,
 				Timeout:           ro.Timeout,
 				RekorEntryType:    o.RekorEntryType,
 			}
-			return v.Exec(cmd.Context(), args[0])
+			var artifactPath string
+			if len(args) == 1 {
+				artifactPath = args[0]
+			}
+			return v.Exec(cmd.Context(), artifactPath)
 		},
 	}
 	o.AddFlags(cmd)

cmd/cosign/cli/options/predicate.go

@@ -83,7 +83,8 @@ func ParsePredicateType(t string) (string, error) {
 // PredicateLocalOptions is the wrapper for predicate related options.
 type PredicateLocalOptions struct {
 	PredicateOptions
-	Path string
+	Path      string
+	Statement string
 }
 
 var _ Interface = (*PredicateLocalOptions)(nil)
@@ -94,7 +95,11 @@ func (o *PredicateLocalOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Path, "predicate", "",
 		"path to the predicate file.")
-	_ = cmd.MarkFlagRequired("predicate")
+
+	cmd.Flags().StringVar(&o.Statement, "statement", "",
+		"path to the statement file.")
+
+	cmd.MarkFlagsOneRequired("predicate", "statement")
 }
 
 // PredicateRemoteOptions is the wrapper for remote predicate related options.