Merge pull request #1586 from kubescape/fix-cosign

fetch Rekor before cosign validation

core/pkg/opaprocessor/cosign_verify.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto"
 	"fmt"
-
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
@@ -67,6 +66,11 @@ func verify(img string, key string) (bool, error) {
 		return false, fmt.Errorf("resolving attachment type %s for image %s: %w", attachment, img, err)
 	}
 
+	co.RekorPubKeys, err = cosign.GetRekorPubs(context.Background())
+	if err != nil {
+		return false, fmt.Errorf("getting Rekor public keys: %w", err)
+	}
+
 	_, _, err = cosign.VerifyImageSignatures(context.TODO(), ref, co)
 	if err != nil {
 		return false, fmt.Errorf("verifying signature: %w", err)

core/pkg/opaprocessor/cosign_verify_test.go

@@ -1,42 +1,57 @@
 package opaprocessor
 
-// func Test_verify(t *testing.T) {
-// 	type args struct {
-// 		img string
-// 		key string
-// 	}
-// 	tests := []struct {
-// 		name    string
-// 		args    args
-// 		want    bool
-// 		wantErr assert.ErrorAssertionFunc
-// 	}{
-// 		{
-// 			"valid signature",
-// 			args{
-// 				img: "hisu/cosign-tests:signed",
-// 				key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGnMCUU0jGe6r4mPsPuyTXf61PE4e\nNwB/31SvUMmnoyd/1UxSqd+MRPXPU6pcub4k6E9G9SprVCuf6Sydcbyiqw==\n-----END PUBLIC KEY-----",
-// 			},
-// 			true,
-// 			assert.NoError,
-// 		},
-// 		{
-// 			"no signature",
-// 			args{
-// 				img: "hisu/cosign-tests:unsigned",
-// 				key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGnMCUU0jGe6r4mPsPuyTXf61PE4e\nNwB/31SvUMmnoyd/1UxSqd+MRPXPU6pcub4k6E9G9SprVCuf6Sydcbyiqw==\n-----END PUBLIC KEY-----",
-// 			},
-// 			false,
-// 			assert.Error,
-// 		},
-// 	}
-// 	for _, tt := range tests {
-// 		t.Run(tt.name, func(t *testing.T) {
-// 			got, err := verify(tt.args.img, tt.args.key)
-// 			if !tt.wantErr(t, err, fmt.Sprintf("verify(%v, %v)", tt.args.img, tt.args.key)) {
-// 				return
-// 			}
-// 			assert.Equalf(t, tt.want, got, "verify(%v, %v)", tt.args.img, tt.args.key)
-// 		})
-// 	}
-// }
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func Test_verify(t *testing.T) {
+	type args struct {
+		img string
+		key string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    bool
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{
+			"valid signature",
+			args{
+				img: "quay.io/kubescape/kubescape:v3.0.3",
+				key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbgIMZrMTTlEFDLEeZXz+4R/908BG\nEeO70x6oMN7E4JQgzgbCB5rinqhK5t7dB61saVKQTb4P2NGtjPjXVbSTwQ==\n-----END PUBLIC KEY-----\n",
+			},
+			true,
+			assert.NoError,
+		},
+		{
+			"wrong signature",
+			args{
+				img: "quay.io/kubescape/kubescape:v2.9.2",
+				key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbgIMZrMTTlEFDLEeZXz+4R/908BG\nEeO70x6oMN7E4JQgzgbCB5rinqhK5t7dB61saVKQTb4P2NGtjPjXVbSTwQ==\n-----END PUBLIC KEY-----\n",
+			},
+			false,
+			assert.Error,
+		},
+		{
+			"no matching signature",
+			args{
+				img: "quay.io/kubescape/kubescape:v2.0.171",
+				key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbgIMZrMTTlEFDLEeZXz+4R/908BG\nEeO70x6oMN7E4JQgzgbCB5rinqhK5t7dB61saVKQTb4P2NGtjPjXVbSTwQ==\n-----END PUBLIC KEY-----\n",
+			},
+			false,
+			assert.Error,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := verify(tt.args.img, tt.args.key)
+			if !tt.wantErr(t, err, fmt.Sprintf("verify(%v, %v)", tt.args.img, tt.args.key)) {
+				return
+			}
+			assert.Equalf(t, tt.want, got, "verify(%v, %v)", tt.args.img, tt.args.key)
+		})
+	}
+}

core/pkg/opaprocessor/utils.go

@@ -2,6 +2,7 @@ package opaprocessor
 
 import (
 	"fmt"
+	"strings"
 
 	logger "github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
@@ -75,7 +76,9 @@ var cosignVerifySignatureDefinition = func(bctx rego.BuiltinContext, a, b *ast.T
 	if err != nil {
 		return nil, fmt.Errorf("invalid parameter type: %v", err)
 	}
-	result, err := verify(string(aStr), string(bStr))
+	// Replace double backslashes with single backslashes
+	bbStr := strings.Replace(string(bStr), "\\n", "\n", -1)
+	result, err := verify(string(aStr), bbStr)
 	if err != nil {
 		// Do not change this log from debug level. We might find a lot of images without signature
 		logger.L().Debug("failed to verify signature", helpers.String("image", string(aStr)), helpers.String("key", string(bStr)), helpers.Error(err))