From df6f1ca5eb488e3c26072c4e073e0cf1c4e0d522 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 3 Jun 2024 14:52:58 -0400 Subject: [PATCH] Add support for Sigstore Bundles using sigstore-go verifier (#151) * Remove dependabot for this fork (#159) * Add Actions release and attest job (#147) * update release workflow Signed-off-by: Meredith Lancaster * Grab image digest for attestation step Signed-off-by: Meredith Lancaster * comment Signed-off-by: Meredith Lancaster * update workflow name Signed-off-by: Meredith Lancaster * add release directions Signed-off-by: Meredith Lancaster * undo ko config changes Signed-off-by: Meredith Lancaster * add fork specific options to ko build call Signed-off-by: Meredith Lancaster * Change version format --------- Signed-off-by: Meredith Lancaster Co-authored-by: Cody Soyland * set release as target branch (#161) Signed-off-by: Meredith Lancaster * Add support for Sigstore Bundles using sigstore-go verifier Signed-off-by: Cody Soyland * Update docs Signed-off-by: Cody Soyland * Rename func Signed-off-by: Cody Soyland * Comment on observe timestamp setting Signed-off-by: Cody Soyland * Refactor trusted material, add support for default TUF repo in bundle verifier Signed-off-by: Cody Soyland * Remove accidental code Signed-off-by: Cody Soyland * Fix tlog verification options Signed-off-by: Cody Soyland --------- Signed-off-by: Meredith Lancaster Signed-off-by: Cody Soyland Co-authored-by: Meredith Lancaster --- config/300-clusterimagepolicy.yaml | 6 + docs/api-types/index-v1alpha1.md | 1 + docs/api-types/index.md | 1 + go.mod | 15 +- go.sum | 52 +++-- .../v1alpha1/clusterimagepolicy_types.go | 4 + .../v1beta1/clusterimagepolicy_types.go | 4 + pkg/tuf/repo.go | 31 +++ pkg/webhook/bundle.go | 140 ++++++++++++ .../clusterimagepolicy_types.go | 3 + pkg/webhook/validation.go | 19 +- pkg/webhook/validator.go | 114 +++++++++- .../sigstore/sigstore-go/pkg/LICENSE | 201 ++++++++++++++++++ .../go-tuf/v2/metadata/LICENSE | 201 ++++++++++++++++++ .../go-tuf/v2/metadata/NOTICE | 9 + .../golang.org/x/mod/{sumdb/note => }/LICENSE | 0 16 files changed, 763 insertions(+), 38 deletions(-) create mode 100644 pkg/webhook/bundle.go create mode 100644 third_party/VENDOR-LICENSE/github.com/sigstore/sigstore-go/pkg/LICENSE create mode 100644 third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/LICENSE create mode 100644 third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/NOTICE rename third_party/VENDOR-LICENSE/golang.org/x/mod/{sumdb/note => }/LICENSE (100%) diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml index c5c3c28e..eafbb94b 100644 --- a/config/300-clusterimagepolicy.yaml +++ b/config/300-clusterimagepolicy.yaml @@ -209,6 +209,9 @@ spec: trustRootRef: description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities type: string + signatureFormat: + description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default). + type: string source: description: Sources sets the configuration to specify the sources from where to consume the signatures. type: array @@ -545,6 +548,9 @@ spec: trustRootRef: description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities type: string + signatureFormat: + description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default). + type: string source: description: Sources sets the configuration to specify the sources from where to consume the signatures. type: array diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md index a55f6810..ebe67945 100644 --- a/docs/api-types/index-v1alpha1.md +++ b/docs/api-types/index-v1alpha1.md @@ -172,6 +172,7 @@ Attestation defines the type of attestation to validate and optionally apply a p | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false | | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false | | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false | +| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"simplesigning\" and \"bundle\". If not specified, the default is \"simplesigning\" (cosign's default). | string | false | [Back to TOC](#table-of-contents) diff --git a/docs/api-types/index.md b/docs/api-types/index.md index c3cdbb51..6498e433 100644 --- a/docs/api-types/index.md +++ b/docs/api-types/index.md @@ -49,6 +49,7 @@ The authorities block defines the rules for discovering and validating signature | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false | | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false | | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false | +| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"simplesigning\" and \"bundle\". If not specified, the default is \"simplesigning\" (cosign's default). | string | false | [Back to TOC](#table-of-contents) diff --git a/go.mod b/go.mod index 8f7cddde..5c9ce1e2 100644 --- a/go.mod +++ b/go.mod @@ -63,11 +63,12 @@ require ( github.com/docker/go-connections v0.5.0 github.com/go-jose/go-jose/v4 v4.0.4 github.com/sigstore/protobuf-specs v0.3.2 - github.com/sigstore/scaffolding v0.7.18 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.11 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.11 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.11 - github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.11 + github.com/sigstore/scaffolding v0.7.11 + github.com/sigstore/sigstore-go v0.6.2 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10 github.com/spf13/viper v1.19.0 knative.dev/hack/schema v0.0.0-20240607132042-09143140a254 knative.dev/pkg v0.0.0-20230612155445-74c4be5e935e @@ -192,6 +193,7 @@ require ( github.com/gorilla/mux v1.8.1 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect github.com/hashicorp/vault/api v1.15.0 // indirect + github.com/in-toto/attestation v1.1.0 // indirect github.com/in-toto/in-toto-golang v0.9.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect @@ -230,8 +232,7 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - github.com/sigstore/sigstore-go v0.6.2 // indirect - github.com/sigstore/timestamp-authority v1.2.3 // indirect + github.com/sigstore/timestamp-authority v1.2.2 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect diff --git a/go.sum b/go.sum index b2ad553d..47453f2e 100644 --- a/go.sum +++ b/go.sum @@ -384,6 +384,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= @@ -534,6 +536,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I= github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA= @@ -549,6 +553,16 @@ github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438 h1:Dj0L5fhJ9F82ZJyVOmBx6msDp/kfd1t9GRfny/mfJA0= +github.com/jackc/pgerrcode v0.0.0-20240316143900-6e2875d9b438/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs= +github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jdolitsky/glog v0.0.0-20220729172235-78744e90d087 h1:3yec2Rfyr8SpXbK1fcsclj+z/V28HfRHcgIHXbk5pLk= github.com/jdolitsky/glog v0.0.0-20220729172235-78744e90d087/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= @@ -745,32 +759,34 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU= github.com/sigstore/cosign/v2 v2.4.1/go.mod h1:GvzjBeUKigI+XYnsoVQDmMAsMMc6engxztRSuxE+x9I= -github.com/sigstore/fulcio v1.6.5 h1:A9DtV2hmeJ835mtqqxgvV0Sie0HOPKaLPgvFVF4FU7c= -github.com/sigstore/fulcio v1.6.5/go.mod h1:wUei0BMnlz5iY10keKAx5FXFGnMX0N25ZSe4jGRA65M= +github.com/sigstore/fulcio v1.6.4 h1:d86obfxUAG3Y6CYwOx1pdwCZwKmROB6w6927pKOVIRY= +github.com/sigstore/fulcio v1.6.4/go.mod h1:Y6bn3i3KGhXpaHsAtYP3Z4Np0+VzCo1fLv8Ci6mbPDs= github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo= github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA= github.com/sigstore/rekor v1.3.7 h1:Z5UW5TmqbTZnyOFkMRfi32q/CWcxK6VuzIkx+33mbq8= github.com/sigstore/rekor v1.3.7/go.mod h1:TihqJscZ6L6398x68EHY82t0AOnGYfrQ0siXe3WgbR4= -github.com/sigstore/scaffolding v0.7.18 h1:0Uko31b+BHSfoh2v0k61V3H7KwAvOA2gffda3mKfTGk= -github.com/sigstore/scaffolding v0.7.18/go.mod h1:uvV0f2ky//WDhCkOLm3McxuxbUmDG+UwsmylPWdYOB8= +github.com/sigstore/scaffolding v0.7.11 h1:wiqw0coSfpADwdNDvqgMgGKn1JFiqc5xtsxYrVD0pDU= +github.com/sigstore/scaffolding v0.7.11/go.mod h1:pXyQNJjQkkm9urV6S61Gx+9B8yyXGHOgp8LJJz6Do3w= github.com/sigstore/sigstore v1.8.11 h1:tEqeQqbT+awtM87ec9KEeSUxT/AFvJNawneYJyAkFrQ= github.com/sigstore/sigstore v1.8.11/go.mod h1:fdrFQosxCQ4wTL5H1NrZcQkqQ72AQbPjtpcL2QOGKV0= github.com/sigstore/sigstore-go v0.6.2 h1:8uiywjt73vzfrGfWYVwVsiB1E1Qmwmpgr1kVpl4fs6A= github.com/sigstore/sigstore-go v0.6.2/go.mod h1:pOIUH7Jx+ctwMICo+2zNrViOJJN5sGaQgwX4yAVJkA0= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.11 h1:4jIEBOtqDZHyQNQSw/guGmIY0y3CVdOGQu3l2FNlqpY= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.11/go.mod h1:rzfk1r8p6Mgjp5tidjzNC+/Kh1h6Eh/ON7xI7ApqBSM= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.11 h1:GXL/OitAMBbLg61nbbk0bXOgOIgDgyFE+9T2Ng3P3o8= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.11/go.mod h1:a9KhG9LZJFcGJB2PtFga1jUIUB0gr0Ix44TDMMXUjJU= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.11 h1:jxKeAMOzaxjwEfmpMMYxF5Vf35tEhQOUXURaUx0ctgo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.11/go.mod h1:fIAOBcL2s+Vq2Fp9WZByUDdWAmhNuZkJGLCUVUjkdtI= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.11 h1:nH6Cpsz9c7v8jpGiJcH+3+zijfdJha+9mK07MAzZjbc= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.11/go.mod h1:bTBdhPvdaDsHccD9zsSHe/q4ah2OXkdfL/qK7JCuRno= -github.com/sigstore/timestamp-authority v1.2.3 h1:/4YXCKF/+ZQsad89D0Lj2QIz78s5/aRgLa8Nwq2/Kd4= -github.com/sigstore/timestamp-authority v1.2.3/go.mod h1:q2tJKJzP34hLIbVu3Y1A9bBZTBuZ/gEmMN7MtAoGQKI= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10 h1:e5GfVngPjGap/N3ODefayt7vKIPS1/v3hWLZ9+4MrN4= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10/go.mod h1:HOr3AdFPKdND2FNl/sUD5ZifPl1OMJvrbf9xIaaWcus= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10 h1:9tZEpfIL/ewAG9G87AHe3aVoy8Ujos2F1qLfCckX6jQ= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10/go.mod h1:VnIAcitund62R45ezK/dtUeEhuRtB3LsAgJ8m0H34zc= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 h1:Xre51HdjIIaVo5ox5zyL+6h0tkrx7Ke9Neh7fLmmZK0= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10/go.mod h1:VNfdklQDbyGJog8S7apdxiEfmYmCkKyxrsCL9xprkTY= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10 h1:HjfjL3x3dP2kaGqQHVog974cTcKfzFaGjfZyLQ9KXrg= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10/go.mod h1:jaeEjkTW1p3gUyPjz9lTcT4TydCs208FoyAwIs6bIT4= +github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= +github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= @@ -793,8 +809,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= -github.com/spiffe/go-spiffe/v2 v2.4.0 h1:j/FynG7hi2azrBG5cvjRcnQ4sux/VNj8FAVc99Fl66c= -github.com/spiffe/go-spiffe/v2 v2.4.0/go.mod h1:m5qJ1hGzjxjtrkGHZupoXHo/FDWwCB1MdSyBzfHugx0= +github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= +github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= @@ -890,8 +906,8 @@ go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HY go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.step.sm/crypto v0.56.0 h1:KcFfV76cI9Xaw8bdSc9x55skyuSdcHcTdL37vvVZnvY= -go.step.sm/crypto v0.56.0/go.mod h1:snWNloxY9s1W+HsFqcviq55nvzbqqX6LxVt0Vktv5mw= +go.step.sm/crypto v0.54.2 h1:3LSA5nYDQvcd484OSx7xsS3XDqQ7/WZjVqvq0+a0fWc= +go.step.sm/crypto v0.54.2/go.mod h1:1+OjUozd5aA3TkBJfr5Aobd6vNt9F70n1DagcoBh3Pc= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go index 32cf7978..8e3bd900 100644 --- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go +++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go @@ -144,6 +144,10 @@ type Authority struct { // RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // SignatureFormat specifies the format the authority expects. Supported + // formats are "simplesigning" and "bundle". If not specified, the default + // is "simplesigning" (cosign's default). + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go index 8e1b1b8b..8934b3e0 100644 --- a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go +++ b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go @@ -143,6 +143,10 @@ type Authority struct { // RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // SignatureFormat specifies the format the authority expects. Supported + // formats are "simplesigning" and "bundle". If not specified, the default + // is "simplesigning" (cosign's default). + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go index 0b31c49d..fb70c864 100644 --- a/pkg/tuf/repo.go +++ b/pkg/tuf/repo.go @@ -28,9 +28,12 @@ import ( "path/filepath" "runtime" "strings" + "sync" "testing/fstest" "time" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/tuf" "github.com/theupdateframework/go-tuf/client" "sigs.k8s.io/release-utils/version" ) @@ -294,3 +297,31 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets } return tufClient, nil } + +var ( + once sync.Once + trustedRoot *root.TrustedRoot + singletonRootError error +) + +// GetTrustedRoot returns the trusted root for the TUF repository. +func GetTrustedRoot() (*root.TrustedRoot, error) { + once.Do(func() { + tufClient, err := tuf.NewFromEnv(context.Background()) + if err != nil { + singletonRootError = fmt.Errorf("initializing tuf: %w", err) + return + } + // TODO: add support for custom trusted root path + targetBytes, err := tufClient.GetTarget("trusted_root.json") + if err != nil { + singletonRootError = fmt.Errorf("error getting targets: %w", err) + return + } + trustedRoot, singletonRootError = root.NewTrustedRootFromJSON(targetBytes) + }) + if singletonRootError != nil { + return nil, singletonRootError + } + return trustedRoot, nil +} diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go new file mode 100644 index 00000000..40e08de4 --- /dev/null +++ b/pkg/webhook/bundle.go @@ -0,0 +1,140 @@ +package webhook + +import ( + "crypto/x509" + "encoding/hex" + "encoding/json" + "errors" + "fmt" + "io" + "strings" + + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + + "github.com/sigstore/sigstore-go/pkg/bundle" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore-go/pkg/verify" +) + +type VerifiedBundle struct { + SGBundle *bundle.Bundle + Result *verify.VerificationResult + Hash v1.Hash +} + +// VerifiedBundle implements Signature +var _ Signature = &VerifiedBundle{} + +func (vb *VerifiedBundle) Digest() (v1.Hash, error) { + return vb.Hash, nil +} + +func (vb *VerifiedBundle) Payload() ([]byte, error) { + // todo: this should return the json-serialized dsse envelope + envelope := vb.SGBundle.GetDsseEnvelope() + if envelope == nil { + return nil, fmt.Errorf("no dsse envelope found") + } + return json.Marshal(envelope) +} + +func (vb *VerifiedBundle) Signature() ([]byte, error) { + // TODO: implement this + return []byte{}, nil +} + +func (vb *VerifiedBundle) Cert() (*x509.Certificate, error) { + vc, err := vb.SGBundle.VerificationContent() + if err != nil { + return nil, err + } + cert := vc.GetCertificate() + if cert != nil { + return cert, nil + } + return nil, errors.New("bundle does not contain a certificate") +} + +func VerifiedBundles(ref name.Reference, trustedMaterial root.TrustedMaterial, remoteOpts []remote.Option, policyOptions []verify.PolicyOption, verifierOptions []verify.VerifierOption) ([]Signature, error) { + sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verifierOptions...) + if err != nil { + return nil, err + } + + bundles, hash, err := getBundles(ref, remoteOpts) + if err != nil { + return nil, err + } + + digestBytes, err := hex.DecodeString(hash.Hex) + if err != nil { + return nil, err + } + artifactPolicy := verify.WithArtifactDigest(hash.Algorithm, digestBytes) + policy := verify.NewPolicy(artifactPolicy, policyOptions...) + + verifiedBundles := make([]Signature, 0) + for _, b := range bundles { + // TODO: should these be done in parallel? (as is done in cosign?) + result, err := sev.Verify(b, policy) + if err == nil { + verifiedBundles = append(verifiedBundles, &VerifiedBundle{SGBundle: b, Result: result, Hash: *hash}) + } + } + return verifiedBundles, nil +} + +func getBundles(ref name.Reference, remoteOpts []remote.Option) ([]*bundle.Bundle, *v1.Hash, error) { + desc, err := remote.Get(ref, remoteOpts...) + if err != nil { + return nil, nil, fmt.Errorf("error getting image descriptor: %w", err) + } + + digest := ref.Context().Digest(desc.Digest.String()) + + referrers, err := remote.Referrers(digest, remoteOpts...) + if err != nil { + return nil, nil, fmt.Errorf("error getting referrers: %w", err) + } + refManifest, err := referrers.IndexManifest() + if err != nil { + return nil, nil, fmt.Errorf("error getting referrers manifest: %w", err) + } + + bundles := make([]*bundle.Bundle, 0) + + for _, refDesc := range refManifest.Manifests { + if !strings.HasPrefix(refDesc.ArtifactType, "application/vnd.dev.sigstore.bundle") { + continue + } + + refImg, err := remote.Image(ref.Context().Digest(refDesc.Digest.String()), remoteOpts...) + if err != nil { + return nil, nil, fmt.Errorf("error getting referrer image: %w", err) + } + layers, err := refImg.Layers() + if err != nil { + return nil, nil, fmt.Errorf("error getting referrer image: %w", err) + } + layer0, err := layers[0].Uncompressed() + if err != nil { + return nil, nil, fmt.Errorf("error getting referrer image: %w", err) + } + bundleBytes, err := io.ReadAll(layer0) + if err != nil { + return nil, nil, fmt.Errorf("error getting referrer image: %w", err) + } + b := &bundle.Bundle{} + err = b.UnmarshalJSON(bundleBytes) + if err != nil { + return nil, nil, fmt.Errorf("error unmarshalling bundle: %w", err) + } + bundles = append(bundles, b) + } + if len(bundles) == 0 { + return nil, nil, fmt.Errorf("no bundle found in referrers") + } + return bundles, &desc.Digest, nil +} diff --git a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go index a01235eb..e022d5d6 100644 --- a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go +++ b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go @@ -86,6 +86,8 @@ type Authority struct { Attestations []AttestationPolicy `json:"attestations,omitempty"` // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // +optional + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in @@ -325,6 +327,7 @@ func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority { CTLog: in.CTLog, RFC3161Timestamp: rfc3161Timestamp, Attestations: attestations, + SignatureFormat: in.SignatureFormat, } } diff --git a/pkg/webhook/validation.go b/pkg/webhook/validation.go index 91621116..a13ad196 100644 --- a/pkg/webhook/validation.go +++ b/pkg/webhook/validation.go @@ -24,11 +24,10 @@ import ( "knative.dev/pkg/logging" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/sigstore/pkg/signature" ) -func valid(ctx context.Context, ref name.Reference, keys []crypto.PublicKey, hashAlgo crypto.Hash, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) { +func valid(ctx context.Context, ref name.Reference, keys []crypto.PublicKey, hashAlgo crypto.Hash, checkOpts *cosign.CheckOpts) ([]Signature, error) { if len(keys) == 0 { return validSignatures(ctx, ref, checkOpts) } @@ -58,16 +57,24 @@ func valid(ctx context.Context, ref name.Reference, keys []crypto.PublicKey, has var cosignVerifySignatures = cosign.VerifyImageSignatures var cosignVerifyAttestations = cosign.VerifyImageAttestations -func validSignatures(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) { +func validSignatures(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]Signature, error) { checkOpts.ClaimVerifier = cosign.SimpleClaimVerifier sigs, _, err := cosignVerifySignatures(ctx, ref, checkOpts) - return sigs, err + sigList := make([]Signature, len(sigs)) + for i, s := range sigs { + sigList[i] = s + } + return sigList, err } -func validAttestations(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]oci.Signature, error) { +func validAttestations(ctx context.Context, ref name.Reference, checkOpts *cosign.CheckOpts) ([]Signature, error) { checkOpts.ClaimVerifier = cosign.IntotoSubjectClaimVerifier attestations, _, err := cosignVerifyAttestations(ctx, ref, checkOpts) - return attestations, err + sigList := make([]Signature, len(attestations)) + for i, s := range attestations { + sigList[i] = s + } + return sigList, err } func parsePems(b []byte) []*pem.Block { diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go index 73cd6999..27dd8025 100644 --- a/pkg/webhook/validator.go +++ b/pkg/webhook/validator.go @@ -35,12 +35,12 @@ import ( "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/google/go-containerregistry/pkg/v1/types" "github.com/sigstore/cosign/v2/pkg/cosign" - "github.com/sigstore/cosign/v2/pkg/oci" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" "github.com/sigstore/cosign/v2/pkg/policy" "github.com/sigstore/policy-controller/pkg/apis/config" policyduckv1beta1 "github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1" policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config" + pctuf "github.com/sigstore/policy-controller/pkg/tuf" webhookcip "github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy" "github.com/sigstore/policy-controller/pkg/webhook/registryauth" rekor "github.com/sigstore/rekor/pkg/client" @@ -57,8 +57,22 @@ import ( kubeclient "knative.dev/pkg/client/injection/kube/client" "knative.dev/pkg/logging" + + sgroot "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore-go/pkg/verify" ) +type Signature interface { + Digest() (v1.Hash, error) + Payload() ([]byte, error) + Signature() ([]byte, error) + Cert() (*x509.Certificate, error) +} + +// Assert that Signature implements policy.PayloadProvider (used by +// policy.AttestationToPayloadJSON) +var _ policy.PayloadProvider = (Signature)(nil) + type Validator struct{} func NewValidator(_ context.Context) *Validator { @@ -524,8 +538,12 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c result.static = true case len(authority.Attestations) > 0: - // We're doing the verify-attestations path, so validate (.att) - result.attestations, result.err = ValidatePolicyAttestationsForAuthority(ctx, ref, authority, authorityRemoteOpts...) + if authority.SignatureFormat == "bundle" { + result.attestations, result.err = ValidatePolicyAttestationsForAuthorityWithBundle(ctx, ref, authority, kc) + } else { + // We're doing the verify-attestations path, so validate (.att) + result.attestations, result.err = ValidatePolicyAttestationsForAuthority(ctx, ref, authority, authorityRemoteOpts...) + } default: result.signatures, result.err = ValidatePolicySignaturesForAuthority(ctx, ref, authority, authorityRemoteOpts...) @@ -639,7 +657,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c return policyResult, authorityErrors } -func ociSignatureToPolicySignature(ctx context.Context, sigs []oci.Signature) []PolicySignature { +func ociSignatureToPolicySignature(ctx context.Context, sigs []Signature) []PolicySignature { ret := make([]PolicySignature, 0, len(sigs)) for _, ociSig := range sigs { logging.FromContext(ctx).Debugf("Converting signature %+v", ociSig) @@ -681,7 +699,7 @@ func ociSignatureToPolicySignature(ctx context.Context, sigs []oci.Signature) [] } // signatureID creates a unique hash for the Signature, using both the signature itself + the cert. -func signatureID(sig oci.Signature) (string, error) { +func signatureID(sig Signature) (string, error) { h := sha256.New() s, err := sig.Signature() if err != nil { @@ -713,7 +731,7 @@ func signatureID(sig oci.Signature) (string, error) { // PolicyAttestations upon completion without needing to refetch any of the // parts. type attestation struct { - oci.Signature + Signature PredicateType string Payload []byte @@ -833,7 +851,7 @@ func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Refere return nil, fmt.Errorf("creating CheckOpts: %w", err) } - verifiedAttestations := []oci.Signature{} + verifiedAttestations := []Signature{} switch { case authority.Key != nil && len(authority.Key.PublicKeys) > 0: for _, k := range authority.Key.PublicKeys { @@ -878,6 +896,10 @@ func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Refere } logging.FromContext(ctx).Debugf("Found %d valid attestations, validating policies for them", len(verifiedAttestations)) + return checkPredicates(ctx, authority, verifiedAttestations) +} + +func checkPredicates(ctx context.Context, authority webhookcip.Authority, verifiedAttestations []Signature) (map[string][]PolicyAttestation, error) { // Now spin through the Attestations that the user specified and validate // them. // TODO(vaikas): Pretty inefficient here, figure out a better way if @@ -965,6 +987,84 @@ func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Refere return ret, nil } +func ValidatePolicyAttestationsForAuthorityWithBundle(ctx context.Context, ref name.Reference, authority webhookcip.Authority, kc authn.Keychain) (map[string][]PolicyAttestation, error) { + // TODO: Apply authority.Source options (Tag prefix, alternative registry, and signature pull secrets) + remoteOpts := []remote.Option{ + remote.WithContext(ctx), + remote.WithAuthFromKeychain(kc), + } + + trustedMaterial, err := trustedMaterialFromAuthority(ctx, authority) + if err != nil { + return nil, fmt.Errorf("failed to get trusted material: %w", err) + } + + // TODO: what if not keyless? + if authority.Keyless.Identities == nil { + return nil, errors.New("must specify at least one identity for keyless authority") + } + + policyOptions := make([]verify.PolicyOption, 0, len(authority.Keyless.Identities)) + for _, id := range authority.Keyless.Identities { + // The sanType is intentionally left blank, as there is currently no means + // to specify it in the policy, and its absence means it will just not + // verify the type. + id, err := verify.NewShortCertificateIdentity(id.Issuer, id.Subject, "", id.SubjectRegExp) + if err != nil { + return nil, fmt.Errorf("failed to create certificate identity: %w", err) + } + policyOptions = append(policyOptions, verify.WithCertificateIdentity(id)) + } + + // If the authority requires a timestamp, use it, otherwise use transparency log + // TODO: We should allow this to be configurable in ClusterImagePolicy. Current behavior is equivalent to the legacy verifier behavior. + var verifierOptions []verify.VerifierOption + if authority.RFC3161Timestamp != nil { + verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1)) + } else { + verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1)) + } + + verifiedBundles, err := VerifiedBundles(ref, trustedMaterial, remoteOpts, policyOptions, verifierOptions) + if err != nil { + return nil, err + } + + if len(verifiedBundles) == 0 { + return nil, errors.New("no verified bundles found") + } + + return checkPredicates(ctx, authority, verifiedBundles) +} + +func trustedMaterialFromAuthority(ctx context.Context, authority webhookcip.Authority) (sgroot.TrustedMaterial, error) { + var trustedMaterial sgroot.TrustedMaterial + if authority.Keyless != nil { + if authority.Keyless.TrustRootRef != "" { + trustRoot, err := sigstoreKeysFromContext(ctx, authority.Keyless.TrustRootRef) + if err != nil { + return nil, fmt.Errorf("failed to get trusted root from context: %w", err) + } + if pbTrustedRoot, ok := trustRoot.SigstoreKeys[authority.Keyless.TrustRootRef]; ok { + trustedMaterial, err = sgroot.NewTrustedRootFromProtobuf(pbTrustedRoot) + if err != nil { + return nil, fmt.Errorf("failed to parse trusted root from protobuf: %w", err) + } + return trustedMaterial, nil + } else { + return nil, fmt.Errorf("trusted root \"%s\" does not exist", authority.Keyless.TrustRootRef) + } + } + trustedMaterial, err := pctuf.GetTrustedRoot() + if err != nil { + return nil, fmt.Errorf("failed to parse trusted root from protobuf: %w", err) + } + + return trustedMaterial, nil + } + return nil, errors.New("no trusted material specified") // TODO: better error message +} + // ResolvePodScalable implements policyduckv1beta1.PodScalableValidator func (v *Validator) ResolvePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable) { // Don't mess with things that are being deleted or already deleted or diff --git a/third_party/VENDOR-LICENSE/github.com/sigstore/sigstore-go/pkg/LICENSE b/third_party/VENDOR-LICENSE/github.com/sigstore/sigstore-go/pkg/LICENSE new file mode 100644 index 00000000..261eeb9e --- /dev/null +++ b/third_party/VENDOR-LICENSE/github.com/sigstore/sigstore-go/pkg/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/LICENSE b/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/LICENSE new file mode 100644 index 00000000..85541be2 --- /dev/null +++ b/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2024 The Update Framework Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/NOTICE b/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/NOTICE new file mode 100644 index 00000000..09005219 --- /dev/null +++ b/third_party/VENDOR-LICENSE/github.com/theupdateframework/go-tuf/v2/metadata/NOTICE @@ -0,0 +1,9 @@ +Copyright 2024 The Update Framework Authors + +Apache 2.0 License +Copyright 2024 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (/). + +SPDX-License-Identifier: Apache-2.0 diff --git a/third_party/VENDOR-LICENSE/golang.org/x/mod/sumdb/note/LICENSE b/third_party/VENDOR-LICENSE/golang.org/x/mod/LICENSE similarity index 100% rename from third_party/VENDOR-LICENSE/golang.org/x/mod/sumdb/note/LICENSE rename to third_party/VENDOR-LICENSE/golang.org/x/mod/LICENSE