From 0c7d87bde75fb7789668370a037363416cd6b743 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Mon, 12 Aug 2024 21:35:52 +0000
Subject: [PATCH] modularize the fulcio and rekor URLs

Signed-off-by: Ramon Petgrave
---
 internal/builders/go/main.go | 3 ++-
 signing/sigstore/bundle.go | 32 +++++++++++++++++++++++++-------
 signing/sigstore/fulcio.go | 4 ++--
 3 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go
index 21371f37e9..69c939f141 100644
--- a/internal/builders/go/main.go
+++ b/internal/builders/go/main.go
@@ -76,7 +76,8 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
 }
 
 func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
- s := sigstore.NewDefaultBundleSigner()
+ s := sigstore.NewBundleSigner(sigstore.DefaultFulcioAddr, rekor)
+
 attBytes, err := pkg.GenerateProvenance(subject, digest, commands, envs, workingDir, s, nil)
 if err != nil {
diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go
index 9e61f2b99a..6679028f91 100644
--- a/signing/sigstore/bundle.go
+++ b/signing/sigstore/bundle.go
@@ -26,7 +26,10 @@ import (
 )
 
 // BundleSigner is used to produce Sigstore Bundles from provenance statements.
-type BundleSigner struct{}
+type BundleSigner struct {
+ fulcioAddr string
+ rekorAddr string
+}
 
 type sigstoreBundleAtt struct {
 cert []byte
@@ -45,7 +48,14 @@ func (s *sigstoreBundleAtt) Bytes() []byte {
 
 // NewDefaultBundleSigner creates a new BundleSigner instance.
 func NewDefaultBundleSigner() *BundleSigner {
- return &BundleSigner{}
+ return NewBundleSigner(DefaultFulcioAddr, DefaultRekorAddr)
+}
+
+func NewBundleSigner(fulcioAddr string, rekorAddr string) *BundleSigner {
+ return &BundleSigner{
+ fulcioAddr: fulcioAddr,
+ rekorAddr: rekorAddr,
+ }
 }
 
 // Sign signs the given provenance statement and returns the signed Sigstore Bundle.
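Review bot: The `rekor` argument is now forwarded unchecked into the transparency-log client at `s := sigstore.NewBundleSigner(sigstore.DefaultFulcioAddr, rekor)`, whereas the replaced `NewDefaultBundleSigner()` call ignored it entirely, so any value that reaches this function (presumably a CLI flag; its origin is outside the hunk) becomes the Rekor `BaseURL`. An empty value only fails later, inside Sign, as a network error, and a bundle logged to a non-default Rekor will not verify against the public Sigstore trust root, so the value deserves an explicit check rather than silent acceptance. At minimum fall back to the package default when it is unset, `if rekor == "" { rekor = sigstore.DefaultRekorAddr }` (the patch itself references the exported `DefaultRekorAddr` from inside package sigstore), and consider rejecting non-`https://` values. runProvenanceGeneration's body continues past the end of the hunk.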
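Review bot: `NewBundleSigner` is exported but has no doc comment, while the neighbouring `NewDefaultBundleSigner` keeps one; add something like `// NewBundleSigner creates a BundleSigner that requests signing certificates from fulcioAddr and records signatures in the transparency log at rekorAddr.` The constructor also stores both strings without looking at them, so a caller passing `""` gets a signer whose failure surfaces only when Sign runs; either validate here or state in the comment that both must be non-empty base URLs. As a point of style, the parameter list can collapse to `func NewBundleSigner(fulcioAddr, rekorAddr string) *BundleSigner`.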
@@ -78,7 +88,11 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 rawToken := TokenStruct.RawToken
 
 // signing opts.
- bundleOpts, err := getDefaultBundleOptsWithIdentityToken(&rawToken)
+ bundleOpts, err := getBundleOpts(
+ &s.fulcioAddr,
+ &s.rekorAddr,
+ &rawToken,
+ )
 if err != nil {
 return nil, err
 }
@@ -104,12 +118,16 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 return bundleAtt, nil
 }
 
-// getDefaultBundleOptsWithIdentityToken provides the default opts for sigstoreSign.Bundle().
-func getDefaultBundleOptsWithIdentityToken(identityToken *string) (*sigstoreSign.BundleOptions, error) {
+// getBundleOpts provides the opts for sigstoreSign.Bundle().
+func getBundleOpts(
+ fulcioAddr *string,
+ rekorAddr *string,
+ identityToken *string,
+) (*sigstoreSign.BundleOptions, error) {
 bundleOpts := &sigstoreSign.BundleOptions{}
 fulcioOpts := &sigstoreSign.FulcioOptions{
- BaseURL: "https://fulcio.sigstore.dev",
+ BaseURL: *fulcioAddr,
 }
 bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
 bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
@@ -117,7 +135,7 @@ func getDefaultBundleOptsWithIdentityToken(identityToken *string) (*sigstoreSign
 }
 
 rekorOpts := &sigstoreSign.RekorOptions{
- BaseURL: "https://rekor.sigstore.dev",
+ BaseURL: *rekorAddr,
 }
 bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
 return bundleOpts, nil
diff --git a/signing/sigstore/fulcio.go b/signing/sigstore/fulcio.go
index 1ba6ab099c..c23a7b0749 100644
--- a/signing/sigstore/fulcio.go
+++ b/signing/sigstore/fulcio.go
@@ -32,7 +32,7 @@ import (
 )
 
 const (
- defaultFulcioAddr = options.DefaultFulcioURL
+ DefaultFulcioAddr = options.DefaultFulcioURL
 defaultOIDCIssuer = options.DefaultOIDCIssuerURL
 defaultOIDCClientID = "sigstore"
 )
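Review bot: `getBundleOpts` dereferences `*fulcioAddr` (and, in the following hunk, `*rekorAddr`) without a nil or empty check, so a nil pointer panics and an empty string is handed straight to `sigstoreSign.NewFulcio`/`NewRekor` as `BaseURL`, where the problem only shows up as an opaque network failure during Sign. The pointer parameters buy nothing: both strings are only read, and the call site in Sign has to spell `&s.fulcioAddr`/`&s.rekorAddr` just to satisfy the signature. Take the addresses by value and reject empty ones before building any client; the Sign call becomes `getBundleOpts(s.fulcioAddr, s.rekorAddr, &rawToken)` and the Rekor line in the next hunk `BaseURL: rekorAddr,` (the error below assumes `fmt` is imported in bundle.go; otherwise use `errors.New`). getBundleOpts's body continues past the end of this hunk and is cut again by the next one.
```go
// getBundleOpts provides the opts for sigstoreSign.Bundle().
// fulcioAddr and rekorAddr must be non-empty base URLs of the certificate
// authority and transparency log; identityToken is the OIDC token given to Fulcio.
func getBundleOpts(fulcioAddr, rekorAddr string, identityToken *string) (*sigstoreSign.BundleOptions, error) {
	// Fail here with a clear message instead of inside the first network call.
	if fulcioAddr == "" || rekorAddr == "" {
		return nil, fmt.Errorf("getBundleOpts: fulcio address %q and rekor address %q must both be set", fulcioAddr, rekorAddr)
	}
	bundleOpts := &sigstoreSign.BundleOptions{}
	fulcioOpts := &sigstoreSign.FulcioOptions{
		BaseURL: fulcioAddr,
	}
	// … unchanged: CertificateProvider / CertificateProviderOptions setup …
```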
@@ -63,7 +63,7 @@ func (a *attestation) Cert() []byte {
 // NewDefaultFulcio creates a new Fulcio instance using the public Fulcio
 // server and public sigstore OIDC issuer.
 func NewDefaultFulcio() *Fulcio {
- return NewFulcio(defaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
+ return NewFulcio(DefaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
 }
 
 // NewFulcio creates a new Fulcio instance.