Skip to content

Commit

Permalink
feat: Add cosign registry opts for provenance registry (#729)
Browse files Browse the repository at this point in the history
triggered on specification of COSIGN_REPOSITORY env

---------

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
  • Loading branch information
saisatishkarra and laurentsimon authored Jan 4, 2024
1 parent e77e085 commit f09d99f
Showing 1 changed file with 22 additions and 4 deletions.
26 changes: 22 additions & 4 deletions verifiers/internal/gha/verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ import (
"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils/container"

ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
)

const VerifierName = "GHA"
Expand Down Expand Up @@ -252,11 +254,27 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
if err != nil {
return nil, nil, err
}

// Parse any provenance target repository set using environment variable COSIGN_REPOSITORY
provenanceTargetRepository, err := ociremote.GetEnvTargetRepository()
if err != nil {
return nil, nil, err
}

registryClientOpts := []ociremote.Option{}

// Append target repository to OCI Registry opts
// Must be authenticated against the specified target repository externally
if provenanceTargetRepository.Name() != "" {
registryClientOpts = append(registryClientOpts, ociremote.WithTargetRepository(provenanceTargetRepository))
}

opts := &cosign.CheckOpts{
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
RegistryClientOpts: registryClientOpts,
RootCerts: trustedRoot.FulcioRoot,
IntermediateCerts: trustedRoot.FulcioIntermediates,
RekorPubKeys: trustedRoot.RekorPubKeys,
CTLogPubKeys: trustedRoot.CTPubKeys,
}
atts, _, err := container.RunCosignImageVerification(ctx,
artifactImage, opts)
Expand Down

0 comments on commit f09d99f

Please sign in to comment.