
Improve json output of cosign verify #1393

Closed
wants to merge 2 commits into from

Conversation

ribbybibby
Contributor

@ribbybibby ribbybibby commented Feb 2, 2022

Summary

Separates the payload, cert and bundle output into separate fields, rather than stuffing the latter two into the former.

I've also added the TUF timestamp. Is this actually useful to have in the output?

I've omitted the chain, because I'm not sure what fields in the certificates are or aren't useful to include. Including the whole cert definitely feels like overkill.

The annotations seem to be where all the former information (excluding the payload) is actually stored, so I'm not including that.

As I'm not particularly informed about the underlying implementation of signatures, I would appreciate any guidance on whether this seems like a good way to represent a signature and if there's any other information that it would be good to include.

Examples

A couple of examples of the output. This is indented with jq -r . for readability.

Signed with a static key pair...
[
  {
    "payload": {
      "critical": {
        "identity": {
          "docker-reference": "ghcr.io/fluxcd/flagger"
        },
        "image": {
          "docker-manifest-digest": "sha256:783446f4da8c224e0570cc0434a3028cc451bdb12cbdaf136949f2f93aee9c73"
        },
        "type": "cosign container image signature"
      },
      "optional": {
        "git_sha": "c63554c5344815aaf4bb54a54d70eea6b0d687f0"
      }
    }
  }
]
Keyless
[
  {
    "bundle": {
      "SignedEntryTimestamp": "MEYCIQD/1Gy6s6DNtELetftKzpV8YndhwWiWR402w480eQg28gIhALcp+mIYcvgvaKz8qjNZLDeOYJ8heG3hHznpOhwN6Pku",
      "Payload": {
        "body": "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",
        "integratedTime": 1643182752,
        "logIndex": 1161837,
        "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
      }
    },
    "cert": {
      "iss": "https://github.com/login/oauth",
      "sub": "[email protected]"
    },
    "payload": {
      "critical": {
        "identity": {
          "docker-reference": "ghcr.io/jimbugwadia/pause2"
        },
        "image": {
          "docker-manifest-digest": "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"
        },
        "type": "cosign container image signature"
      },
      "optional": null
    },
    "timestamp": {
      "signatures": [
        {
          "keyid": "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d",
          "sig": "3045022100d3b6a827342aa56acc237383594df3f82ed2f827b923462629d9c315296c1fd0022032e2c9010aabac2fc2829cefad6d847fb08d40c6fcd1f696dba5bc2f293423ee"
        }
      ],
      "signed": {
        "_type": "timestamp",
        "spec_version": "1.0",
        "version": 11,
        "expires": "2022-02-05T00:36:19Z",
        "meta": {
          "snapshot.json": {
            "length": 1659,
            "hashes": {
              "sha256": "a3c42638ed93bbdf065767a4b5db06d55d0c35801c118d0c7cbb3dde601df77d",
              "sha512": "da212f7847f009d74bd091c1f83a9e50b10647e86d9dad586f0cae135385ac063dc8f2aed188f9ae1554b9186cb674b1d67b9aa63d895980ef98ec1d9dc134b1"
            },
            "version": 11
          }
        }
      }
    }
  },
  {
    "bundle": {
      "SignedEntryTimestamp": "MEUCIQD1ya1fcNBV32kg9RmLm/d+w5nBZuAfR26DgZtjwZeDeAIgft61veVqZ6QFxKUXZK/LHYTjK3sxwE4CdoOQFvCEGDk=",
      "Payload": {
        "body": "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",
        "integratedTime": 1643319159,
        "logIndex": 1183764,
        "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
      }
    },
    "cert": {
      "iss": "https://github.com/login/oauth",
      "sub": "[email protected]"
    },
    "payload": {
      "critical": {
        "identity": {
          "docker-reference": "ghcr.io/jimbugwadia/pause2"
        },
        "image": {
          "docker-manifest-digest": "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"
        },
        "type": "cosign container image signature"
      },
      "optional": null
    },
    "timestamp": {
      "signatures": [
        {
          "keyid": "b6710623a30c010738e64c5209d367df1c0a18cf90e6ab5292fb01680f83453d",
          "sig": "3045022100d3b6a827342aa56acc237383594df3f82ed2f827b923462629d9c315296c1fd0022032e2c9010aabac2fc2829cefad6d847fb08d40c6fcd1f696dba5bc2f293423ee"
        }
      ],
      "signed": {
        "_type": "timestamp",
        "spec_version": "1.0",
        "version": 11,
        "expires": "2022-02-05T00:36:19Z",
        "meta": {
          "snapshot.json": {
            "length": 1659,
            "hashes": {
              "sha256": "a3c42638ed93bbdf065767a4b5db06d55d0c35801c118d0c7cbb3dde601df77d",
              "sha512": "da212f7847f009d74bd091c1f83a9e50b10647e86d9dad586f0cae135385ac063dc8f2aed188f9ae1554b9186cb674b1d67b9aa63d895980ef98ec1d9dc134b1"
            },
            "version": 11
          }
        }
      }
    }
  }
]

Ticket Link

Fixes #1370

Release Note

* Improve json output of `cosign verify`

Separate the payload, cert and bundle output into separate fields,
rather than stuffing the latter two into the former.

I've also added the TUF timestamp to the output.

I've omitted the chain, because I'm not sure what fields in the
certificates are or aren't useful to include.

The annotations seem to be where all the former information (excluding
the payload) is actually stored, so I'm not including that.

Signed-off-by: Rob Best <[email protected]>
@dlorenc
Member

dlorenc commented Feb 3, 2022

Did the output change here for the "non-experimental" keyed mode, or only keyless? I don't think we can make a breaking change to the non-experimental output without a deprecation period.

@ribbybibby
Contributor Author

@dlorenc Good point. I've gated the new output behind options.EnableExperimental().

@github-actions

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.
