Updates to Timestamp signing and verification

[haydentherapper]

• Switch to using the raw signature rather than base64 signature for OCI and blob signing
• For blob signing, write only the timestamp to disk, not the LocalSignedPayload (since that's already written with the bundle. I want to avoid conflating the Rekor bundle with the TS)
• For blob verification, expect only a timestamp in the file. If you don't pass a bundle, you'll need to also pass the signature by flag
• Some nits from the previous PR

Signed-off-by: Hayden Blauzvern [email protected]

Summary

Release Note

Documentation

[haydentherapper]

Still working on e2e testing and some more unit tests, but just wanted to get this up early for feedback

[codecov-commenter]

Codecov Report

Merging #2499 (a4eb7ba) into main (f7f7f3d) will increase coverage by 0.31%.
The diff coverage is 38.46%.

@@            Coverage Diff             @@
##             main    #2499      +/-   ##
==========================================
+ Coverage   29.62%   29.94%   +0.31%     
==========================================
  Files         139      139              
  Lines        8558     8557       -1     
==========================================
+ Hits         2535     2562      +27     
+ Misses       5666     5640      -26     
+ Partials      357      355       -2     

Impacted Files	Coverage Δ
cmd/cosign/cli/options/signblob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/policy_init.go	1.25% <0.00%> (+<0.01%)	⬆️
cmd/cosign/cli/sign/sign_blob.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
pkg/cosign/bundle/tsa.go	100.00% <ø> (ø)
pkg/cosign/fetch.go	0.00% <ø> (ø)
internal/pkg/cosign/tsa/signer.go	51.42% <50.00%> (-2.31%)	⬇️
cmd/cosign/cli/verify/verify_blob.go	49.09% <55.55%> (+3.52%)	⬆️
pkg/cosign/verify.go	38.73% <70.83%> (+2.69%)	⬆️
... and 3 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[haydentherapper]

Now it should be good to go, would like to add some more tests in verify-blob for completeness, but might do that in a follow up.

[hectorj2f]

This basically removes tests that we had in place. I am not sure we want to change functionality and remove tests. How does it work if I only sign/verify a blob without using tlog ?

[haydentherapper]

I plan to add some more tests in, but the presence of the bundle is just a way to get the signature and/or other timestamp. If you don't use the tlog, then you must provide the cert/sig the same way you currently do, via --certificate/--signature flags.

This PR should only be adding in tests, and refactoring tests based on the proposed changes.

[haydentherapper]

With these changes, it actually requires less tests since this is only an additional flag that affects verification, rather than modifying codepaths that read in the cert/signature.

[haydentherapper]

Verified with a local TSA instance:

# Sign blob and upload to Rekor
cosign sign-blob --timestamp-server-url http://localhost:3000 --rfc3161-timestamp tsaresponse --tlog-upload=true --output-certificate=blob.cert --output-signature=blob.sig --bundle blob.bundle blob

# Verify with local Rekor bundle
cosign verify-blob --rfc3161-timestamp tsaresponse --bundle blob.bundle --timestamp-cert-chain tsacertchain blob

# Verify with skipping checking Rekor
cosign verify-blob --rfc3161-timestamp tsaresponse --timestamp-cert-chain tsacertchain --certificate blob.cert --signature blob.sig --insecure-skip-tlog-verify --offline blob

# Sign blob without Rekor upload
cosign sign-blob --timestamp-server-url http://localhost:3000 --rfc3161-timestamp tsaresponse --tlog-upload=false --output-certificate=blob.cert --output-signature=blob.sig  blob

An unrelated issue is if I skip tlog-upload, then I can't output a certificate (cosign sign-blob --timestamp-server-url http://localhost:3000 --rfc3161-timestamp tsaresponse --tlog-upload=false --output-certificate=blob.cert --output-signature=blob.sig blob fails to output a cert), so I can't verify. I'll fix this separately.

[hectorj2f]

LGTM, I added some nit comments. Ideally, I'd like to see some tests to validate the usage of the rfc3161timestamp with blobs.

[znewman01]

Some nits but overall great changes

[znewman01]

Should we do these checks before signing etc.?

[haydentherapper]

This is a just-in-case check, since TimestampToRFC3161Timestamp might return nil if respBytes is empty for some reason.

[znewman01]

Yeah. Maybe both wouldn't be a bad idea, up to you

[znewman01]

Yeah. Maybe both wouldn't be a bad idea, up to you

[hectorj2f]

lgtm