Merge pull request #135 from rancherfederal/cosign-verify

Add cosign verify functionality.

cmd/hauler/cli/store/sync.go

@@ -10,6 +10,7 @@ import (
 	"github.com/spf13/cobra"
 	"helm.sh/helm/v3/pkg/action"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	"github.com/mitchellh/go-homedir"
 
 	"github.com/rancherfederal/hauler/pkg/store"
 
@@ -32,7 +33,7 @@ func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
 	f := cmd.Flags()
 
 	f.StringSliceVarP(&o.ContentFiles, "files", "f", []string{}, "Path to content files")
-	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for digital signature verification")
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Path to the key for image signature verification")
 }
 
 func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
@@ -99,15 +100,22 @@ func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Layout) error {
 				for _, i := range cfg.Spec.Images {
 
 					// Check if the user provided a key.
-					if o.Key != "" {
+					if o.Key != "" || i.Key != "" {
+						key := o.Key
+						if i.Key != "" {
+							key, err = homedir.Expand(i.Key)
+						}
+						l.Debugf("key for image [%s]", key)
+
 						// verify signature using the provided key.
-						err := cosign.VerifySignature(ctx, s, o.Key, i.Name)
+						err := cosign.VerifySignature(ctx, s, key, i.Name)
 						if err != nil {
-							return err
+							l.Errorf("signature verification failed for image [%s]. ** hauler will skip adding this image to the store **:\n%v", i.Name, err)
+							continue
 						}
 						l.Infof("signature verified for image [%s]", i.Name)
 					}
-
+					
 					err = storeImage(ctx, s, i)
 					if err != nil {
 						return err

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
 	github.com/mholt/archiver/v3 v3.5.1
+	github.com/mitchellh/go-homedir v1.1.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/pkg/errors v0.9.1
@@ -100,7 +101,6 @@ require (
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect

pkg/apis/hauler.cattle.io/v1alpha1/image.go

@@ -20,4 +20,8 @@ type ImageSpec struct {
 type Image struct {
 	// Name is the full location for the image, can be referenced by tags or digests
 	Name string `json:"name"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Key string `json:"key,omitempty"`
+	Key string `json:"key"`
 }

pkg/cosign/cosign.go

@@ -54,7 +54,7 @@ func SaveImage(ctx context.Context, s *store.Layout, ref string) error {
 		return err
 	}
 
-	// Command to verify the signature using Cosign.
+	// Command to save/download an image using Cosign.
 	cmd := exec.Command(cosignBinaryPath, "save", ref, "--dir", s.Root)
 
 	// Run the command and capture its output.
@@ -75,7 +75,7 @@ func LoadImage(ctx context.Context, s *store.Layout, registry string, ropts cont
 		return err
 	}
 
-	// Command to verify the signature using Cosign.
+	// Command to upload index to a remote registry using Cosign.
 	cmd := exec.Command(cosignBinaryPath, "load", "--registry", registry, "--dir", s.Root)
 
 	// Conditionally add extra registry flags.