adds some comments

Signed-off-by: ChrisJBurns <[email protected]>
concourse · Jun 3, 2023 · 747a958 · 747a958
1 parent ab51c44
commit 747a958
Showing 1 changed file with 53 additions and 32 deletions.
diff --git a/commands/out.go b/commands/out.go
@@ -227,17 +227,12 @@ func put(req resource.OutRequest, img partial.WithRawManifest, tags []name.Tag,
 	logrus.Info("pushed")
 
 	if req.Source.Cosign != nil {
-
 		switch t := img.(type) {
 		case v1.Image:
-			err = signImagesCosign(req, t, tags)
-			if err != nil {
-				return fmt.Errorf("signing image(s): %w", err)
-			}
+			signImagesCosign(req, t, tags)
 		default:
 			return fmt.Errorf("cannot sign type (%T)", img)
 		}
-
 	}
 
 	if req.Source.ContentTrust != nil {
@@ -255,26 +250,31 @@ func put(req resource.OutRequest, img partial.WithRawManifest, tags []name.Tag,
 	return nil
 }
 
-func signImagesCosign(req resource.OutRequest, img v1.Image, tags []name.Tag) error {
-	digest, _ := img.Digest()
+func signImagesCosign(req resource.OutRequest, img v1.Image, tags []name.Tag) {
+	digest, err := img.Digest()
+	if err != nil {
+		logrus.Fatalf("Error getting digest for image: %v", err)
+	}
 
+	// here we build the img digest url so that we can sign it with cosign.
+	// we sign the digest URL and not just the tag URL because tags can point
+	// to difference digests over time. whereas a digest is supposed to represent
+	// and specific image build and won't change (although technically Docker cannot produce
+	// image digests that stay the same all the time, this is where tools like `apko`
+	// are a great tool for building OCI images)
 	imgDigestUrl := tags[0].String() + "@" + digest.String()
+
+	// over time this won't be needed. the Cosign library will evolve to expect
+	// less object parameters to be configured. this is only needed for now due to
+	// the fact that primarily cosign is a cli tool. And part of the CLI framework
+	// that cosign uses, sets the majority of the below objects variables by default.
+	// this comment concerns the below `ro`, `o` and `ko` data objects.
 	ro := &options.RootOptions{
 		OutputFile: "",
-		Verbose:    true,
+		Verbose:    false,
 		Timeout:    options.DefaultTimeout,
 	}
 
-	err := os.Setenv("COSIGN_KEY", req.Source.Cosign.Key)
-	if err != nil {
-		logrus.Fatalf("err %v", err)
-	}
-
-	err = os.Setenv("COSIGN_PASSWORD", req.Source.Cosign.Password)
-	if err != nil {
-		logrus.Fatalf("err %v", err)
-	}
-
 	o := options.SignOptions{
 		Key:               "env://COSIGN_KEY",
 		Cert:              "",
@@ -296,7 +296,7 @@ func signImagesCosign(req resource.OutRequest, img v1.Image, tags []name.Tag) er
 		OIDC: options.OIDCOptions{
 			Issuer:      options.DefaultOIDCIssuerURL,
 			ClientID:    "sigstore",
-			RedirectURL: "http://localhost:0/auth/callback",
+			RedirectURL: "",
 		},
 		Rekor: options.RekorOptions{
 			URL: options.DefaultRekorURL,
@@ -312,11 +312,11 @@ func signImagesCosign(req resource.OutRequest, img v1.Image, tags []name.Tag) er
 		PassFunc:                       generate.GetPass,
 		Sk:                             false,
 		Slot:                           "",
-		FulcioURL:                      "https://fulcio.sigstore.dev",
+		FulcioURL:                      options.DefaultFulcioURL,
 		IDToken:                        "",
 		InsecureSkipFulcioVerify:       false,
-		RekorURL:                       "https://rekor.sigstore.dev",
-		OIDCIssuer:                     "https://oauth2.sigstore.dev/auth",
+		RekorURL:                       options.DefaultRekorURL,
+		OIDCIssuer:                     options.DefaultOIDCIssuerURL,
 		OIDCClientID:                   "sigstore",
 		OIDCClientSecret:               "",
 		OIDCRedirectURL:                "",
@@ -327,15 +327,36 @@ func signImagesCosign(req resource.OutRequest, img v1.Image, tags []name.Tag) er
 		IssueCertificateForExistingKey: false,
 	}
 
-	logrus.Infof("calling cosign with key")
-	sign.SignCmd(
-		ro,
-		ko,
-		o,
-		[]string{imgDigestUrl},
-	)
-	logrus.Infof("called cosign")
-	return nil
+	// because cosign is a CLI tool primiarly (until it has matured as a library)
+	// we have to set the COSIGN_KEY environment variable and tell cosign to use it.
+	// as it is less tricky than having to create files that contain the cosign.key
+	// which actually becomes less secure because anyone who gains access to the container
+	// can easily easily see the file. whereas the `os.Setenv` function does not permanently
+	// set environment variables for the parent process that runs it, only for child processes.
+	// however, it is still not perfect, we would rather pass the key directly to cosign but
+	// untill that functionality is offered this is the best option without making decisions on
+	// tooling (Vault, Azure KeyVault etc)
+	err = os.Setenv("COSIGN_KEY", req.Source.Cosign.Key)
+	if err != nil {
+		logrus.Fatalf("err %v", err)
+	}
+
+	// similiar to the COSIGN_KEY variable we set the password that was used to create the
+	// keypair (if there was one). there are less ways to set the password currently outside
+	// of an environment variable or user input via a terminal prompt, as the Cosign library
+	// evolves over time, we can reasonably expect this to change, but as we cannot rely on user
+	// input, we have to use the environment variable.
+	err = os.Setenv("COSIGN_PASSWORD", req.Source.Cosign.Password)
+	if err != nil {
+		logrus.Fatalf("err %v", err)
+	}
+
+	logrus.Infof("Signing image with Cosign")
+	err = sign.SignCmd(ro, ko, o, []string{imgDigestUrl})
+	if err != nil {
+		logrus.Fatalf("There was an error signing the image with Cosign %w", err)
+	}
+	logrus.Infof("Image signed with Cosign")
 }
 
 func loadImage(path string) (partial.WithRawManifest, error) {