Discover cosign v3 NewBundleFormat for verification

internal/controller/helmchart_controller.go

@@ -31,7 +31,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	"github.com/opencontainers/go-digest"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	helmgetter "helm.sh/helm/v4/pkg/getter"
 	helmreg "helm.sh/helm/v4/pkg/registry"
 	helmrepo "helm.sh/helm/v4/pkg/repo/v1"

internal/controller/helmchart_controller_test.go

@@ -43,9 +43,9 @@ import (
 	"github.com/notaryproject/notation-go/signer"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	. "github.com/onsi/gomega"
-	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	coptions "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	hchart "helm.sh/helm/v4/pkg/chart/v2"
 	"helm.sh/helm/v4/pkg/chart/v2/loader"
 	helmreg "helm.sh/helm/v4/pkg/registry"
@@ -3468,7 +3468,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 					Timeout: timeout,
 				}
 
-				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+				err = sign.SignCmd(ctx, ro, ko, coptions.SignOptions{
 					Upload:           true,
 					SkipConfirmation: true,
 					TlogUpload:       false,

internal/controller/ocirepository_controller.go

@@ -39,7 +39,7 @@ import (
 	gcrv1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"

internal/controller/ocirepository_controller_test.go

@@ -44,9 +44,9 @@ import (
 	"github.com/notaryproject/notation-go/verifier/trustpolicy"
 	. "github.com/onsi/gomega"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	coptions "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -2211,7 +2211,7 @@ func TestOCIRepository_reconcileSource_verifyOCISourceSignatureCosign(t *testing
 				ro := &coptions.RootOptions{
 					Timeout: timeout,
 				}
-				err = sign.SignCmd(ro, ko, coptions.SignOptions{
+				err = sign.SignCmd(ctx, ro, ko, coptions.SignOptions{
 					Upload:           true,
 					SkipConfirmation: true,
 					TlogUpload:       false,

internal/oci/cosign/cosign.go

@@ -23,11 +23,13 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
-	coptions "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
-	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/fulcio"
+	coptions "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/oci"
+
+	ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 
@@ -80,6 +82,7 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 	}
 
 	checkOpts := &cosign.CheckOpts{}
+	checkOpts.NewBundleFormat = true
 
 	ro := coptions.RegistryOptions{}
 	co, err := ro.ClientOpts(ctx)
@@ -146,10 +149,25 @@ func NewCosignVerifier(ctx context.Context, opts ...Options) (*CosignVerifier, e
 }
 
 // Verify verifies the authenticity of the given ref OCI image.
+// Both cosign v2 signatures and cosign v3 bundles are supported by
+// attempting to discover bundles before verification.
+// Bundles can be located either via the OCI 1.1 referrer API or an
+// OCI 1.0 referrer tag.
 // It returns a boolean indicating if the verification was successful.
 // It returns an error if the verification fails, nil otherwise.
 func (v *CosignVerifier) Verify(ctx context.Context, ref name.Reference) (soci.VerificationResult, error) {
-	signatures, _, err := cosign.VerifyImageSignatures(ctx, ref, v.opts)
+	var signatures []oci.Signature
+	// copy options since we'll need to change them based on bundle discovery on the ref
+	opts := *v.opts
+	newBundles, _, err := cosign.GetBundles(ctx, ref, opts.RegistryClientOpts)
+	if len(newBundles) == 0 || err != nil {
+		opts.NewBundleFormat = false
+		signatures, _, err = cosign.VerifyImageSignatures(ctx, ref, &opts)
+	} else {
+		opts.NewBundleFormat = true
+		signatures, _, err = cosign.VerifyImageAttestations(ctx, ref, &opts)
+	}
+	fmt.Println(opts.NewBundleFormat, v.opts.NewBundleFormat)
 	if err != nil {
 		return soci.VerificationResultFailed, err
 	}

internal/oci/cosign/cosign_test.go

@@ -21,14 +21,15 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"reflect"
 	"testing"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	. "github.com/onsi/gomega"
-	"github.com/sigstore/cosign/v2/pkg/cosign"
+	"github.com/sigstore/cosign/v3/pkg/cosign"
 
 	testproxy "github.com/fluxcd/source-controller/tests/proxy"
 	testregistry "github.com/fluxcd/source-controller/tests/registry"
@@ -191,3 +192,69 @@ func TestPrivateKeyVerificationWithProxy(t *testing.T) {
 		})
 	}
 }
+
+func TestPKBundleAttestations(t *testing.T) {
+	g := NewWithT(t)
+
+	// registryAddr := testregistry.New(t)
+
+	// proxyAddr, proxyPort := testproxy.New(t)
+
+	pubKey, err := os.ReadFile("/Users/stealthybox/hack/cosign/cosign.pub")
+	g.Expect(err).NotTo(HaveOccurred())
+
+	tests := []struct {
+		name   string
+		tagURL string
+	}{
+		{
+			name:   "v2",
+			tagURL: "localhost:5558/v2-zot",
+		},
+		{
+			name:   "v2",
+			tagURL: "localhost:5559/v2-reg",
+		},
+		{
+			name:   "v3 bundle oci 1.1 referrers",
+			tagURL: "localhost:5558/v3-bundle-zot",
+		},
+		{
+			name:   "v3 bundle oci 1.0 fallback",
+			tagURL: "localhost:5559/v3-bundle-reg",
+		},
+		{
+			name:   "v2-v3 bundle oci 1.1 referrers",
+			tagURL: "localhost:5558/v2-v3-bundle-zot",
+		},
+		{
+			name:   "v2-v3 bundle oci 1.0 fallback",
+			tagURL: "localhost:5559/v2-v3-bundle-reg",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			ctx := context.Background()
+
+			// tagURL := fmt.Sprintf(tag, registryAddr)
+			ref, err := name.ParseReference(tt.tagURL)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			transport := http.DefaultTransport.(*http.Transport).Clone()
+			// transport.Proxy = http.ProxyURL(tt.proxyURL)
+
+			var opts []Options
+			opts = append(opts, WithRemoteOptions(remote.WithTransport(transport)))
+			opts = append(opts, WithPublicKey(pubKey))
+
+			verifier, err := NewCosignVerifier(ctx, opts...)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			_, err = verifier.Verify(ctx, ref)
+			g.Expect(err).NotTo(HaveOccurred())
+		})
+	}
+}