feature/security: Implement image signature verification (#1143)

Author: willdollman

CHANGELOG.md

@@ -11,6 +11,10 @@ All notable changes to `src-cli` are documented in this file.
 
 ## Unreleased
 
+## 6.0.1
+
+- Container signature verification support: Container signatures can now be verified for Sourcegraph releases after 5.11.4013 using `src signature verify -v <release>` [#1143](https://github.com/sourcegraph/src-cli/pull/1143)
+
 ## 5.11.1
 
 - Update x/net to fix CVE-2024-45338

cmd/src/sbom.go

@@ -8,7 +8,7 @@ import (
 var sbomCommands commander
 
 func init() {
-	usage := `'src sbom' fetches and verified SBOM (Software Bill of Materials) data for Sourcegraph containers.
+	usage := `'src sbom' fetches and verifies SBOM (Software Bill of Materials) data for Sourcegraph containers.
 
 Usage:
 

cmd/src/sbom_fetch.go

@@ -1,37 +1,23 @@
 package main
 
 import (
-	"bufio"
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"flag"
 	"fmt"
-	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"unicode"
 
-	"github.com/grafana/regexp"
-	"github.com/sourcegraph/sourcegraph/lib/errors"
 	"github.com/sourcegraph/sourcegraph/lib/output"
 
 	"github.com/sourcegraph/src-cli/internal/cmderrors"
 )
 
-type sbomConfig struct {
-	publicKey                     string
-	outputDir                     string
-	version                       string
-	internalRelease               bool
-	insecureIgnoreTransparencyLog bool
-}
-
-const publicKey = "https://storage.googleapis.com/sourcegraph-release-sboms/keys/cosign_keyring-cosign-1.pub"
-const imageListBaseURL = "https://storage.googleapis.com/sourcegraph-release-sboms"
-const imageListFilename = "release-image-list.txt"
+const sbomPublicKey = "https://storage.googleapis.com/sourcegraph-release-sboms/keys/cosign_keyring-cosign-1.pub"
 
 func init() {
 	usage := `
@@ -55,8 +41,8 @@ Examples:
 	insecureIgnoreTransparencyLogFlag := flagSet.Bool("insecure-ignore-tlog", false, "Disable transparency log verification. Defaults to false.")
 
 	handler := func(args []string) error {
-		c := sbomConfig{
-			publicKey: publicKey,
+		c := cosignConfig{
+			publicKey: sbomPublicKey,
 		}
 
 		if err := flagSet.Parse(args); err != nil {
@@ -155,7 +141,7 @@ Examples:
 	})
 }
 
-func (c sbomConfig) getSBOMForImageVersion(image string, version string) (string, error) {
+func (c cosignConfig) getSBOMForImageVersion(image string, version string) (string, error) {
 	hash, err := getImageDigest(image, version)
 	if err != nil {
 		return "", err
@@ -169,51 +155,7 @@ func (c sbomConfig) getSBOMForImageVersion(image string, version string) (string
 	return sbom, nil
 }
 
-func verifyCosign() error {
-	_, err := exec.LookPath("cosign")
-	if err != nil {
-		return errors.New("SBOM verification requires 'cosign' to be installed and available in $PATH. See https://docs.sigstore.dev/cosign/system_config/installation/")
-	}
-	return nil
-}
-
-func (c sbomConfig) getImageList() ([]string, error) {
-	imageReleaseListURL := c.getImageReleaseListURL()
-
-	resp, err := http.Get(imageReleaseListURL)
-	if err != nil {
-		return nil, fmt.Errorf("failed to fetch image list: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		// Compare version number against a regex that matches versions up to and including 5.8.0
-		versionRegex := regexp.MustCompile(`^v?[0-5]\.([0-7]\.[0-9]+|8\.0)$`)
-		if versionRegex.MatchString(c.version) {
-			return nil, fmt.Errorf("unsupported version %s: SBOMs are only available for Sourcegraph releases after 5.8.0", c.version)
-		}
-		return nil, fmt.Errorf("failed to fetch list of images - check that %s is a valid Sourcegraph release: HTTP status %d", c.version, resp.StatusCode)
-	}
-
-	scanner := bufio.NewScanner(resp.Body)
-	var images []string
-	for scanner.Scan() {
-		image := strings.TrimSpace(scanner.Text())
-		if image != "" {
-			// Strip off a version suffix if present
-			parts := strings.SplitN(image, ":", 2)
-			images = append(images, parts[0])
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		return nil, fmt.Errorf("error reading image list: %w", err)
-	}
-
-	return images, nil
-}
-
-func (c sbomConfig) getSBOMForImageHash(image string, hash string) (string, error) {
+func (c cosignConfig) getSBOMForImageHash(image string, hash string) (string, error) {
 	tempDir, err := os.MkdirTemp("", "sbom-")
 	if err != nil {
 		return "", fmt.Errorf("failed to create temporary directory: %w", err)
@@ -224,7 +166,7 @@ func (c sbomConfig) getSBOMForImageHash(image string, hash string) (string, erro
 
 	cosignArgs := []string{
 		"verify-attestation",
-		"--key", publicKey,
+		"--key", c.publicKey,
 		"--type", "cyclonedx",
 		fmt.Sprintf("%s@%s", image, hash),
 		"--output-file", outputFile,
@@ -297,7 +239,7 @@ func extractSBOM(attestationBytes []byte) (string, error) {
 	return string(predicate), nil
 }
 
-func (c sbomConfig) storeSBOM(sbom string, image string) error {
+func (c cosignConfig) storeSBOM(sbom string, image string) error {
 	// Make the image name safe for use as a filename
 	safeImageName := strings.Map(func(r rune) rune {
 		if unicode.IsLetter(r) || unicode.IsDigit(r) || r == '-' || r == '_' {
@@ -321,12 +263,3 @@ func (c sbomConfig) storeSBOM(sbom string, image string) error {
 
 	return nil
 }
-
-// getImageReleaseListURL returns the URL for the list of images in a release, based on the version and whether it's an internal release.
-func (c *sbomConfig) getImageReleaseListURL() string {
-	if c.internalRelease {
-		return fmt.Sprintf("%s/release-internal/%s/%s", imageListBaseURL, c.version, imageListFilename)
-	} else {
-		return fmt.Sprintf("%s/release/%s/%s", imageListBaseURL, c.version, imageListFilename)
-	}
-}

cmd/src/sbom_utils.go

@@ -1,16 +1,33 @@
 package main
 
+// Utility functions used by the SBOM and Signature commands.
+
 import (
+	"bufio"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"os/exec"
 	"path"
+	"regexp"
 	"strings"
 	"time"
+
+	"github.com/sourcegraph/sourcegraph/lib/errors"
 )
 
+const imageListBaseURL = "https://storage.googleapis.com/sourcegraph-release-sboms"
+const imageListFilename = "release-image-list.txt"
+
+type cosignConfig struct {
+	publicKey                     string
+	outputDir                     string
+	version                       string
+	internalRelease               bool
+	insecureIgnoreTransparencyLog bool
+}
+
 // TokenResponse represents the JSON response from dockerHub's token service
 type dockerHubTokenResponse struct {
 	Token string `json:"token"`
@@ -200,3 +217,56 @@ func getOutputDir(parentDir, version string) string {
 func sanitizeVersion(version string) string {
 	return strings.TrimPrefix(version, "v")
 }
+
+func verifyCosign() error {
+	_, err := exec.LookPath("cosign")
+	if err != nil {
+		return errors.New("SBOM verification requires 'cosign' to be installed and available in $PATH. See https://docs.sigstore.dev/cosign/system_config/installation/")
+	}
+	return nil
+}
+
+func (c cosignConfig) getImageList() ([]string, error) {
+	imageReleaseListURL := c.getImageReleaseListURL()
+
+	resp, err := http.Get(imageReleaseListURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch image list: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		// Compare version number against a regex that matches versions up to and including 5.8.0
+		versionRegex := regexp.MustCompile(`^v?[0-5]\.([0-7]\.[0-9]+|8\.0)$`)
+		if versionRegex.MatchString(c.version) {
+			return nil, fmt.Errorf("unsupported version %s: SBOMs are only available for Sourcegraph releases after 5.8.0", c.version)
+		}
+		return nil, fmt.Errorf("failed to fetch list of images - check that %s is a valid Sourcegraph release: HTTP status %d", c.version, resp.StatusCode)
+	}
+
+	scanner := bufio.NewScanner(resp.Body)
+	var images []string
+	for scanner.Scan() {
+		image := strings.TrimSpace(scanner.Text())
+		if image != "" {
+			// Strip off a version suffix if present
+			parts := strings.SplitN(image, ":", 2)
+			images = append(images, parts[0])
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("error reading image list: %w", err)
+	}
+
+	return images, nil
+}
+
+// getImageReleaseListURL returns the URL for the list of images in a release, based on the version and whether it's an internal release.
+func (c *cosignConfig) getImageReleaseListURL() string {
+	if c.internalRelease {
+		return fmt.Sprintf("%s/release-internal/%s/%s", imageListBaseURL, c.version, imageListFilename)
+	} else {
+		return fmt.Sprintf("%s/release/%s/%s", imageListBaseURL, c.version, imageListFilename)
+	}
+}

cmd/src/signature.go

@@ -0,0 +1,36 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+)
+
+var signatureCommands commander
+
+func init() {
+	usage := `'src signature' verifies published signatures for Sourcegraph containers.
+
+Usage:
+
+	src signature command [command options]
+
+The commands are:
+
+	verify                 verify signatures for a Sourcegraph release
+`
+	flagSet := flag.NewFlagSet("signature", flag.ExitOnError)
+	handler := func(args []string) error {
+		signatureCommands.run(flagSet, "src signature", usage, args)
+		return nil
+	}
+
+	// Register the command.
+	commands = append(commands, &command{
+		flagSet: flagSet,
+		aliases: []string{"signature", "sig"},
+		handler: handler,
+		usageFunc: func() {
+			fmt.Println(usage)
+		},
+	})
+}