cnabio / signy

Go implementation for CNAB content trust verification using TUF, Notary, and in-toto
MIT License

Disallow pushing trust collection to a repository without a tag #70

Open radu-matei opened 4 years ago

radu-matei commented 4 years ago

ref https://github.com/cnabio/cnab-to-oci/issues/101

$ signy --tlscacert=$NOTARY_CA --server https://localhost:4443 sign testdata/cnab/bundle.json localhost:5000/test-no-tag 
INFO[0000] Starting to copy image cnab/helloworld:0.1.1 
INFO[0001] Completed image cnab/helloworld:0.1.1 copy   
INFO[0001] Generated relocation map: relocation.ImageRelocationMap{"cnab/helloworld:0.1.1":"localhost:5000/test-no-tag@sha256:a59a4e74d9cc89e4e75dfb2cc7ea5c108e4236ba6231b53081a9e2506d1197b6"} 
INFO[0002] Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268" 
INFO[0002] Pushed trust data for localhost:5000/test-no-tag: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5 

This generates the following targets file - notice the empty key for the target:

{
  "signed": {
    "_type": "Targets",
    "delegations": {
      "keys": {},
      "roles": []
    },
    "expires": "2023-03-12T11:59:53.535554-07:00",
    "targets": {
      "": {
        "hashes": {
          "sha256": "x+kr1R8FnWCxWtRW7fGUZImX1zn2B5mzfgjtr9iKgbU=",
          "sha512": "VgQ/Bcy/5IGpguFN65K5hUPM324iFO3jyDLEfFO5RcVzdSilkHhDIJemRxADrWDSX2AVM8qrjTqZg7BRbxt61g=="
        },
        "length": 501
      }
    },
    "version": 4
  },
  "signatures": [
    {
      "keyid": "afed30445b655dc441c973959a740a4bb7f7154f077a8464ba717ab4d28477b3",
      "method": "ecdsa",
      "sig": "f5hGpvJpGFzZn0/34HrfcZaUGZET+q37x708EwrrQRNK+K0/9TGL2aPv5MIeYCR37Qpch5My+B1NFCA2dzJ9Ng=="
    }
  ]
}

Listing the repository:

$ signy --tlscacert=$NOTARY_CA --server https://localhost:4443 list localhost:5000/test-no-tag
    c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5

Trying to verify:

$ signy --tlscacert=$NOTARY_CA --server https://localhost:4443 verify localhost:5000/test-no-tag
INFO[0000] Pulled trust data for localhost:5000/test-no-tag, with role targets - SHA256: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5 
INFO[0000] Pulling bundle from registry: localhost:5000/test-no-tag 
Error: cannot pull bundle: failed to resolve bundle manifest "localhost:5000/test-no-tag": object require

The underlying error here is coming from cnab-to-oci, but the decision to disallow pushing without a tag must also be taken here.

Trying to verify using the full SHA256:

$ signy --tlscacert=$NOTARY_CA --server https://localhost:4443 verify localhost:5000/test-no-tag@sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268
INFO[0000] Pulled trust data for localhost:5000/test-no-tag@sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268, with role targets - SHA256: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5 
INFO[0000] Pulling bundle from registry: localhost:5000/test-no-tag@sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268 
INFO[0000] Computed SHA: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5 
INFO[0000] The SHA sums are equal: c7e92bd51f059d60b15ad456edf194648997d739f60799b37e08edafd88a81b5

radu-matei commented 4 years ago

For reference, the Docker CLI behaviour here is to also disallow signing an image without a tag:

https://github.com/docker/cli/blob/ef2f64abbd37edfa148f745fa0013731b5074d1b/cli/command/trust/sign.go#L131-L140
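
One way to implement the check proposed in this issue (refuse to push trust data for a reference that carries no tag, the same decision the Docker CLI takes when signing). This is an added example in Go, not code from signy or from docker/cli: the `Reference` type, the hand-rolled `ParseReference` (name[:tag][@digest], no docker.io normalisation) and `TrustTargetName` are assumptions made for illustration. The targets file in the issue is keyed by the tag, so a tagless push produces the `""` target shown above; the example returns an error in exactly that case, and treats a digest-only reference the same way, since a digest pins content but is not a tag and would yield the same empty key.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Reference is a minimal breakdown of an image reference of the form
// name[:tag][@digest]. Hypothetical type for this example; not signy's own.
type Reference struct {
	Name   string // registry/repository, e.g. localhost:5000/test-no-tag
	Tag    string // empty when the reference carries no tag
	Digest string // empty when the reference carries no digest
}

var (
	// OCI distribution tag grammar: a word character, then up to 127 of [A-Za-z0-9_.-].
	tagRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)
	// OCI digest grammar: algorithm, ':', then an encoded value.
	digestRe = regexp.MustCompile(`^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[A-Za-z0-9=_-]{32,}$`)
)

// ParseReference splits a reference into name, tag and digest. It does not
// normalise the name (no implicit docker.io/library/ prefix is added).
func ParseReference(s string) (Reference, error) {
	var ref Reference
	rest := strings.TrimSpace(s)
	if rest == "" {
		return ref, errors.New("empty reference")
	}
	// The digest, if present, is everything after the first '@'.
	if i := strings.Index(rest, "@"); i >= 0 {
		ref.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRe.MatchString(ref.Digest) {
			return Reference{}, fmt.Errorf("invalid digest %q", ref.Digest)
		}
	}
	// A tag is introduced by the last ':' that comes after the last '/'.
	// This keeps the ':' of a registry port (localhost:5000/...) from being
	// read as a tag separator.
	lastSlash := strings.LastIndex(rest, "/")
	if i := strings.LastIndex(rest, ":"); i > lastSlash {
		ref.Tag = rest[i+1:]
		rest = rest[:i]
		if !tagRe.MatchString(ref.Tag) {
			return Reference{}, fmt.Errorf("invalid tag %q", ref.Tag)
		}
	}
	if rest == "" {
		return Reference{}, fmt.Errorf("reference %q has no repository name", s)
	}
	ref.Name = rest
	return ref, nil
}

// TrustTargetName returns the name under which trust data for the reference
// would be recorded (its tag). It refuses references without a tag so that an
// empty-string target can never be pushed; a digest alone is rejected too.
// The check belongs on the sign/push path; verifying by digest is unaffected.
func TrustTargetName(s string) (string, error) {
	ref, err := ParseReference(s)
	if err != nil {
		return "", err
	}
	if ref.Tag == "" {
		return "", fmt.Errorf("cannot push trust data for %q: reference has no tag", s)
	}
	return ref.Tag, nil
}

func main() {
	// Constructed inputs mirroring the references used in this issue.
	for _, s := range []string{
		"localhost:5000/test-no-tag",
		"localhost:5000/test-no-tag@sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268",
		"localhost:5000/test-no-tag:0.1.1",
		"cnab/helloworld:0.1.1",
	} {
		if name, err := TrustTargetName(s); err != nil {
			fmt.Printf("REJECT %s: %v\n", s, err)
		} else {
			fmt.Printf("OK     %s -> target %q\n", s, name)
		}
	}
}
```

Run this before any trust data is generated: with the first two references above it returns an error, while `localhost:5000/test-no-tag:0.1.1` yields the target name `0.1.1`, so the targets file is never written with an empty key.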

trishankatdatadog commented 4 years ago

Sounds like a good idea to me!