feat: add support for oci1.1 cosign signatures(using referrers)

- Cosign supports 2 types of signature formats: 1. Using tag -> each new signature of the same manifest is added as a new layer of the signature manifest having that specific tag("{alghoritm}-{digest_of_signed_manifest}.sig") 2. Using referrers -> each new signature of the same manifest is added as a new manifest - For adding these cosign signature to metadb, we reserved index 0 of the list of cosign signatures for tag-based signatures. When a new tag-based signature is added for the same manifest, the element on first position in its list of cosign signatures(in metadb) will be updated/overwritten. When a new cosign signature(using referrers) will be added for the same manifest this new signature will be appended to the list of cosign signatures. Signed-off-by: Andreea-Lupu <[email protected]>
project-zot · Oct 30, 2023 · 704ac00 · 704ac00
1 parent f34af3c
commit 704ac00
Show file tree

Hide file tree

Showing 17 changed files with 325 additions and 54 deletions.
diff --git a/pkg/common/common.go b/pkg/common/common.go
@@ -27,6 +27,7 @@ const (
 	// same value as github.com/notaryproject/notation-go/registry.ArtifactTypeNotation (assert by internal test).
 	// reason used: to reduce zot minimal binary size (otherwise adds oras.land/oras-go/v2 deps).
 	ArtifactTypeNotation = "application/vnd.cncf.notary.signature"
+	ArtifactTypeCosign   = "application/vnd.dev.cosign.artifact.sig.v1+json"
 )
 
 func Contains[T comparable](elems []T, v T) bool {

diff --git a/pkg/extensions/search/search_test.go b/pkg/extensions/search/search_test.go
@@ -1364,7 +1364,7 @@ func TestExpandedRepoInfo(t *testing.T) {
 		}
 		So(found, ShouldEqual, true)
 
-		err = signature.SignImageUsingCosign("zot-cve-test:0.0.1", port)
+		err = signature.SignImageUsingCosign("zot-cve-test:0.0.1", port, false)
 		So(err, ShouldBeNil)
 
 		resp, err = resty.R().Get(baseURL + graphqlQueryPrefix + "?query=" + url.QueryEscape(query))
@@ -1436,7 +1436,7 @@ func TestExpandedRepoInfo(t *testing.T) {
 		}
 		So(found, ShouldEqual, true)
 
-		err = signature.SignImageUsingCosign("zot-test@"+testManifestDigest.String(), port)
+		err = signature.SignImageUsingCosign("zot-test@"+testManifestDigest.String(), port, false)
 		So(err, ShouldBeNil)
 
 		resp, err = resty.R().Get(baseURL + graphqlQueryPrefix + "/query?query=" + url.QueryEscape(query))
@@ -3772,7 +3772,7 @@ func TestGlobalSearchFiltering(t *testing.T) {
 		)
 		So(err, ShouldBeNil)
 
-		err = signature.SignImageUsingCosign("signed-repo:test", port)
+		err = signature.SignImageUsingCosign("signed-repo:test", port, false)
 		So(err, ShouldBeNil)
 
 		query := `{
@@ -4336,7 +4336,7 @@ func TestMetaDBWhenSigningImages(t *testing.T) {
 		`
 
 		Convey("Sign with cosign", func() {
-			err = signature.SignImageUsingCosign("repo1:1.0.1", port)
+			err = signature.SignImageUsingCosign("repo1:1.0.1", port, false)
 			So(err, ShouldBeNil)
 
 			resp, err := resty.R().Get(baseURL + graphqlQueryPrefix + "?query=" + url.QueryEscape(queryImage1))
@@ -4416,7 +4416,7 @@ func TestMetaDBWhenSigningImages(t *testing.T) {
 					},
 				}
 
-				err := signature.SignImageUsingCosign("repo1:1.0.1", port)
+				err := signature.SignImageUsingCosign("repo1:1.0.1", port, false)
 				So(err, ShouldNotBeNil)
 			})
 		})
@@ -4456,7 +4456,7 @@ func TestMetaDBWhenSigningImages(t *testing.T) {
 		})
 
 		Convey("Sign with cosign index", func() {
-			err = signature.SignImageUsingCosign("repo1:index", port)
+			err = signature.SignImageUsingCosign("repo1:index", port, false)
 			So(err, ShouldBeNil)
 
 			resp, err := resty.R().Get(baseURL + graphqlQueryPrefix + "?query=" + url.QueryEscape(queryIndex))
@@ -4634,7 +4634,7 @@ func RunMetaDBIndexTests(baseURL, port string) {
 		responseImage := responseImages[0]
 		So(len(responseImage.Manifests), ShouldEqual, 3)
 
-		err = signature.SignImageUsingCosign(fmt.Sprintf("repo@%s", indexDigest), port)
+		err = signature.SignImageUsingCosign(fmt.Sprintf("repo@%s", indexDigest), port, false)
 		So(err, ShouldBeNil)
 
 		resp, err = resty.R().Get(baseURL + graphqlQueryPrefix + "?query=" + url.QueryEscape(query))
@@ -5363,7 +5363,7 @@ func TestMetaDBWhenDeletingImages(t *testing.T) {
 
 		Convey("Delete a cosign signature", func() {
 			repo := "repo1"
-			err := signature.SignImageUsingCosign("repo1:1.0.1", port)
+			err := signature.SignImageUsingCosign("repo1:1.0.1", port, false)
 			So(err, ShouldBeNil)
 
 			query := `

diff --git a/pkg/extensions/sync/references/oci.go b/pkg/extensions/sync/references/oci.go
@@ -53,7 +53,7 @@ func (ref OciReferences) IsSigned(ctx context.Context, remoteRepo, subjectDigest
 		return false
 	}
 
-	if len(getNotationManifestsFromOCIRefs(index)) > 0 {
+	if len(getNotationManifestsFromOCIRefs(index)) > 0 || len(getCosignManifestsFromOCIRefs(index)) > 0 {
 		return true
 	}
 

diff --git a/pkg/extensions/sync/references/references.go b/pkg/extensions/sync/references/references.go
@@ -218,6 +218,18 @@ func getNotationManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor {
 	return notaryManifests
 }
 
+func getCosignManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor {
+	cosignManifests := []ispec.Descriptor{}
+
+	for _, ref := range ociRefs.Manifests {
+		if ref.ArtifactType == common.ArtifactTypeCosign {
+			cosignManifests = append(cosignManifests, ref)
+		}
+	}
+
+	return cosignManifests
+}
+
 func addSigToMeta(
 	metaDB mTypes.MetaDB, repo, sigType, tag string, signedManifestDig, referenceDigest godigest.Digest,
 	referenceBuf []byte, imageStore storageTypes.ImageStore, log log.Logger,
@@ -232,6 +244,7 @@ func addSigToMeta(
 	return metaDB.AddManifestSignature(repo, signedManifestDig, mTypes.SignatureMetadata{
 		SignatureType:   sigType,
 		SignatureDigest: referenceDigest.String(),
+		SignatureTag:    tag,
 		LayersInfo:      layersInfo,
 	})
 }
diff --git a/pkg/extensions/sync/sync_test.go b/pkg/extensions/sync/sync_test.go
@@ -746,7 +746,7 @@ func TestOnDemand(t *testing.T) {
 			So(err, ShouldBeNil)
 
 			// sign using cosign
-			err = signature.SignImageUsingCosign(fmt.Sprintf("remote-repo@%s", manifestDigest.String()), port)
+			err = signature.SignImageUsingCosign(fmt.Sprintf("remote-repo@%s", manifestDigest.String()), port, false)
 			So(err, ShouldBeNil)
 
 			// add cosign sbom
@@ -4595,6 +4595,100 @@ func TestSignatures(t *testing.T) {
 		So(err, ShouldBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
 	})
+
+	Convey("Verify sync oci1.1 cosign signatures", t, func() {
+		updateDuration, _ := time.ParseDuration("30m")
+
+		sctlr, srcBaseURL, _, _, _ := makeUpstreamServer(t, false, false)
+
+		scm := test.NewControllerManager(sctlr)
+		scm.StartAndWait(sctlr.Config.HTTP.Port)
+		defer scm.StopServer()
+
+		// create repo, push and sign it
+		repoName := testSignedImage
+		var digest godigest.Digest
+		So(func() { digest = pushRepo(srcBaseURL, repoName) }, ShouldNotPanic)
+
+		splittedURL := strings.SplitAfter(srcBaseURL, ":")
+		srcPort := splittedURL[len(splittedURL)-1]
+		t.Logf(srcPort)
+
+		err := signature.SignImageUsingCosign(fmt.Sprintf("%s@%s", repoName, digest.String()), srcPort, true)
+		So(err, ShouldBeNil)
+
+		regex := ".*"
+		var semver bool
+		var tlsVerify bool
+		onlySigned := true
+
+		syncRegistryConfig := syncconf.RegistryConfig{
+			Content: []syncconf.Content{
+				{
+					Prefix: "**",
+					Tags: &syncconf.Tags{
+						Regex:  &regex,
+						Semver: &semver,
+					},
+				},
+			},
+			URLs:         []string{srcBaseURL},
+			PollInterval: updateDuration,
+			TLSVerify:    &tlsVerify,
+			CertDir:      "",
+			OnlySigned:   &onlySigned,
+			OnDemand:     true,
+		}
+
+		defaultVal := true
+		syncConfig := &syncconf.Config{
+			Enable:     &defaultVal,
+			Registries: []syncconf.RegistryConfig{syncRegistryConfig},
+		}
+
+		dctlr, destBaseURL, _, destClient := makeDownstreamServer(t, false, syncConfig)
+
+		dcm := test.NewControllerManager(dctlr)
+		dcm.StartAndWait(dctlr.Config.HTTP.Port)
+		defer dcm.StopServer()
+
+		// wait for sync
+		var destTagsList TagsList
+
+		for {
+			resp, err := destClient.R().Get(destBaseURL + "/v2/" + repoName + "/tags/list")
+			if err != nil {
+				panic(err)
+			}
+
+			err = json.Unmarshal(resp.Body(), &destTagsList)
+			if err != nil {
+				panic(err)
+			}
+
+			if len(destTagsList.Tags) > 0 {
+				break
+			}
+
+			time.Sleep(500 * time.Millisecond)
+		}
+
+		time.Sleep(1 * time.Second)
+
+		// get oci references from downstream, should be synced
+		getOCIReferrersURL := destBaseURL + path.Join("/v2", repoName, "referrers", digest.String())
+		resp, err := resty.R().Get(getOCIReferrersURL)
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeEmpty)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		var index ispec.Index
+
+		err = json.Unmarshal(resp.Body(), &index)
+		So(err, ShouldBeNil)
+
+		So(len(index.Manifests), ShouldEqual, 3)
+	})
 }
 
 func getPortFromBaseURL(baseURL string) string {
@@ -4628,7 +4722,10 @@ func TestSyncedSignaturesMetaDB(t *testing.T) {
 		err = signature.SignImageUsingNotary(repoName+":"+tag, srcPort, true)
 		So(err, ShouldBeNil)
 
-		err = signature.SignImageUsingCosign(repoName+":"+tag, srcPort)
+		err = signature.SignImageUsingCosign(repoName+":"+tag, srcPort, true)
+		So(err, ShouldBeNil)
+
+		err = signature.SignImageUsingCosign(repoName+":"+tag, srcPort, false)
 		So(err, ShouldBeNil)
 
 		// Create destination registry
@@ -4678,7 +4775,7 @@ func TestSyncedSignaturesMetaDB(t *testing.T) {
 
 		imageSignatures := repoMeta.Signatures[signedImage.DigestStr()]
 		So(imageSignatures, ShouldContainKey, zcommon.CosignSignature)
-		So(len(imageSignatures[zcommon.CosignSignature]), ShouldEqual, 1)
+		So(len(imageSignatures[zcommon.CosignSignature]), ShouldEqual, 2)
 		So(imageSignatures, ShouldContainKey, zcommon.NotationSignature)
 		So(len(imageSignatures[zcommon.NotationSignature]), ShouldEqual, 1)
 	})

diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go
@@ -899,7 +899,7 @@ func (bdw *BoltDB) UpdateSignaturesValidity(repo string, manifestDigest godigest
 }
 
 func (bdw *BoltDB) AddManifestSignature(repo string, signedManifestDigest godigest.Digest,
-	sygMeta mTypes.SignatureMetadata,
+	sigMeta mTypes.SignatureMetadata,
 ) error {
 	err := bdw.DB.Update(func(tx *bbolt.Tx) error {
 		buck := tx.Bucket([]byte(RepoMetadataBucket))
@@ -914,10 +914,10 @@ func (bdw *BoltDB) AddManifestSignature(repo string, signedManifestDigest godige
 				Tags: map[string]mTypes.Descriptor{},
 				Signatures: map[string]mTypes.ManifestSignatures{
 					signedManifestDigest.String(): {
-						sygMeta.SignatureType: []mTypes.SignatureInfo{
+						sigMeta.SignatureType: []mTypes.SignatureInfo{
 							{
-								SignatureManifestDigest: sygMeta.SignatureDigest,
-								LayersInfo:              sygMeta.LayersInfo,
+								SignatureManifestDigest: sigMeta.SignatureDigest,
+								LayersInfo:              sigMeta.LayersInfo,
 							},
 						},
 					},
@@ -950,22 +950,42 @@ func (bdw *BoltDB) AddManifestSignature(repo string, signedManifestDigest godige
 			manifestSignatures = mTypes.ManifestSignatures{}
 		}
 
-		signatureSlice := manifestSignatures[sygMeta.SignatureType]
-		if !common.SignatureAlreadyExists(signatureSlice, sygMeta) {
-			if sygMeta.SignatureType == zcommon.NotationSignature {
+		signatureSlice := manifestSignatures[sigMeta.SignatureType]
+		if !common.SignatureAlreadyExists(signatureSlice, sigMeta) {
+			if sigMeta.SignatureType == zcommon.NotationSignature {
 				signatureSlice = append(signatureSlice, mTypes.SignatureInfo{
-					SignatureManifestDigest: sygMeta.SignatureDigest,
-					LayersInfo:              sygMeta.LayersInfo,
+					SignatureManifestDigest: sigMeta.SignatureDigest,
+					LayersInfo:              sigMeta.LayersInfo,
 				})
-			} else if sygMeta.SignatureType == zcommon.CosignSignature {
-				signatureSlice = []mTypes.SignatureInfo{{
-					SignatureManifestDigest: sygMeta.SignatureDigest,
-					LayersInfo:              sygMeta.LayersInfo,
-				}}
+			} else if sigMeta.SignatureType == zcommon.CosignSignature {
+				newCosignSig := mTypes.SignatureInfo{
+					SignatureManifestDigest: sigMeta.SignatureDigest,
+					LayersInfo:              sigMeta.LayersInfo,
+				}
+
+				if common.IsCosignTag(sigMeta.SignatureTag) {
+					// the entry for "sha256-{digest}.sig" signatures should be overwritten if
+					// it exists or added on the first position if it doesn't exists
+					if len(signatureSlice) == 0 {
+						signatureSlice = []mTypes.SignatureInfo{newCosignSig}
+					} else {
+						signatureSlice[0] = newCosignSig
+					}
+				} else {
+					// the first position should be reserved for "sha256-{digest}.sig" signatures
+					if len(signatureSlice) == 0 {
+						signatureSlice = []mTypes.SignatureInfo{{
+							SignatureManifestDigest: "",
+							LayersInfo:              []mTypes.LayerInfo{},
+						}}
+					}
+
+					signatureSlice = append(signatureSlice, newCosignSig)
+				}
 			}
 		}
 
-		manifestSignatures[sygMeta.SignatureType] = signatureSlice
+		manifestSignatures[sigMeta.SignatureType] = signatureSlice
 
 		repoMeta.Signatures[signedManifestDigest.String()] = manifestSignatures
 

diff --git a/pkg/meta/boltdb/boltdb_test.go b/pkg/meta/boltdb/boltdb_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"math"
 	"testing"
 	"time"
@@ -506,28 +507,33 @@ func TestWrapperErrors(t *testing.T) {
 			})
 			So(err, ShouldBeNil)
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			signedManifestDigest := digest.FromString("dig")
+			signatureTag := fmt.Sprintf("sha256-%s.sig", signedManifestDigest.Encoded())
+
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "cosign",
+					SignatureTag:    signatureTag,
 					SignatureDigest: "digest1",
 				})
 			So(err, ShouldBeNil)
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "cosign",
+					SignatureTag:    signatureTag,
 					SignatureDigest: "digest2",
 				})
 			So(err, ShouldBeNil)
 
 			repoData, err := boltdbWrapper.GetRepoMeta("repo1")
 			So(err, ShouldBeNil)
-			So(len(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature]),
+			So(len(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature]),
 				ShouldEqual, 1)
-			So(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature][0].SignatureManifestDigest,
+			So(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature][0].SignatureManifestDigest,
 				ShouldEqual, "digest2")
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "notation",
 					SignatureDigest: "digest2",

diff --git a/pkg/meta/common/common.go b/pkg/meta/common/common.go
@@ -3,6 +3,7 @@ package common
 import (
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -344,3 +345,9 @@ func InitializeImageConfig(blob []byte) ispec.Image {
 
 	return configContent
 }
+
+func IsCosignTag(tag string) bool {
+	cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`)
+
+	return cosignTagRule.MatchString(tag)
+}