modularize the fulcio and rekor URLs

Signed-off-by: Ramon Petgrave <[email protected]>
slsa-framework · Aug 12, 2024 · 0c7d87b · 0c7d87b
1 parent fa01e80
commit 0c7d87b
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 10 deletions.
diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go
@@ -76,7 +76,8 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
 }
 
 func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
-	s := sigstore.NewDefaultBundleSigner()
+	s := sigstore.NewBundleSigner(sigstore.DefaultFulcioAddr, rekor)
+
 	attBytes, err := pkg.GenerateProvenance(subject, digest,
 		commands, envs, workingDir, s, nil)
 	if err != nil {

diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go
@@ -26,7 +26,10 @@ import (
 )
 
 // BundleSigner is used to produce Sigstore Bundles from provenance statements.
-type BundleSigner struct{}
+type BundleSigner struct {
+	fulcioAddr string
+	rekorAddr  string
+}
 
 type sigstoreBundleAtt struct {
 	cert []byte
@@ -45,7 +48,14 @@ func (s *sigstoreBundleAtt) Bytes() []byte {
 
 // NewDefaultBundleSigner creates a new BundleSigner instance.
 func NewDefaultBundleSigner() *BundleSigner {
-	return &BundleSigner{}
+	return NewBundleSigner(DefaultFulcioAddr, DefaultRekorAddr)
+}
+
+func NewBundleSigner(fulcioAddr string, rekorAddr string) *BundleSigner {
+	return &BundleSigner{
+		fulcioAddr: fulcioAddr,
+		rekorAddr:  rekorAddr,
+	}
 }
 
 // Sign signs the given provenance statement and returns the signed Sigstore Bundle.
@@ -78,7 +88,11 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 	rawToken := TokenStruct.RawToken
 
 	// signing opts.
-	bundleOpts, err := getDefaultBundleOptsWithIdentityToken(&rawToken)
+	bundleOpts, err := getBundleOpts(
+		&s.fulcioAddr,
+		&s.rekorAddr,
+		&rawToken,
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -104,20 +118,24 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 	return bundleAtt, nil
 }
 
-// getDefaultBundleOptsWithIdentityToken provides the default opts for sigstoreSign.Bundle().
-func getDefaultBundleOptsWithIdentityToken(identityToken *string) (*sigstoreSign.BundleOptions, error) {
+// getBundleOpts provides the opts for sigstoreSign.Bundle().
+func getBundleOpts(
+	fulcioAddr *string,
+	rekorAddr *string,
+	identityToken *string,
+) (*sigstoreSign.BundleOptions, error) {
 	bundleOpts := &sigstoreSign.BundleOptions{}
 
 	fulcioOpts := &sigstoreSign.FulcioOptions{
-		BaseURL: "https://fulcio.sigstore.dev",
+		BaseURL: *fulcioAddr,
 	}
 	bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
 	bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
 		IDToken: *identityToken,
 	}
 
 	rekorOpts := &sigstoreSign.RekorOptions{
-		BaseURL: "https://rekor.sigstore.dev",
+		BaseURL: *rekorAddr,
 	}
 	bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
 	return bundleOpts, nil

diff --git a/signing/sigstore/fulcio.go b/signing/sigstore/fulcio.go
@@ -32,7 +32,7 @@ import (
 )
 
 const (
-	defaultFulcioAddr   = options.DefaultFulcioURL
+	DefaultFulcioAddr   = options.DefaultFulcioURL
 	defaultOIDCIssuer   = options.DefaultOIDCIssuerURL
 	defaultOIDCClientID = "sigstore"
 )
@@ -63,7 +63,7 @@ func (a *attestation) Cert() []byte {
 // NewDefaultFulcio creates a new Fulcio instance using the public Fulcio
 // server and public sigstore OIDC issuer.
 func NewDefaultFulcio() *Fulcio {
-	return NewFulcio(defaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
+	return NewFulcio(DefaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
 }
 
 // NewFulcio creates a new Fulcio instance.