Fixes to cosign sign / verify for the new bundle format (sigstore#4346)

* Fixes to cosign sign / verify for the new bundle format

Signed-off-by: Zach Steindler <steiza@github.com>

* Update function signature to pass crypto.PublicKey directly

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>

Author: steiza

cmd/cosign/cli/attest/attest.go

@@ -18,7 +18,6 @@ package attest
 import (
 	"bytes"
 	"context"
-	"crypto"
 	_ "crypto/sha256" // for `crypto.SHA256`
 	"encoding/json"
 	"fmt"
@@ -252,10 +251,9 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 		if err != nil {
 			return err
 		}
-		var pubKey *crypto.PublicKey
-		pk, err := sv.PublicKey()
-		if err == nil {
-			pubKey = &pk
+		pubKey, err := sv.PublicKey()
+		if err != nil {
+			return err
 		}
 		bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)
 		if err != nil {

cmd/cosign/cli/attest/attest_blob.go

@@ -290,10 +290,9 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 	if c.BundlePath != "" {
 		var contents []byte
 		if c.NewBundleFormat {
-			var pubKey *crypto.PublicKey
-			pk, err := sv.PublicKey()
-			if err == nil {
-				pubKey = &pk
+			pubKey, err := sv.PublicKey()
+			if err != nil {
+				return err
 			}
 
 			contents, err = cbundle.MakeNewBundle(pubKey, rekorEntry, payload, sig, signer, timestampBytes)

cmd/cosign/cli/sign/sign.go

@@ -305,10 +305,9 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 		return fmt.Errorf("constructing client options: %w", err)
 	}
 
-	var pubKey *crypto.PublicKey
-	pk, err := sv.PublicKey()
-	if err == nil {
-		pubKey = &pk
+	pubKey, err := sv.PublicKey()
+	if err != nil {
+		return err
 	}
 
 	bundleBytes, err := cbundle.MakeNewBundle(pubKey, rekorEntry, payload, signedPayload, signerBytes, timestampBytes)

pkg/cosign/bundle/protobundle.go

@@ -75,23 +75,20 @@ func MakeProtobufBundle(hint string, rawCert []byte, rekorEntry *models.LogEntry
 	return bundle, nil
 }
 
-func MakeNewBundle(pubKey *crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
+func MakeNewBundle(pubKey crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
 	// Determine if the signer is a certificate or not
 	var hint string
 	var rawCert []byte
 
-	if pubKey != nil {
-		pkixPubKey, err := x509.MarshalPKIXPublicKey(*pubKey)
+	cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer)
+	if err != nil || len(cert) == 0 {
+		pkixPubKey, err := x509.MarshalPKIXPublicKey(pubKey)
 		if err != nil {
 			return nil, err
 		}
 		hashedBytes := sha256.Sum256(pkixPubKey)
 		hint = base64.StdEncoding.EncodeToString(hashedBytes[:])
 	} else {
-		cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer)
-		if err != nil {
-			return nil, err
-		}
 		rawCert = cert[0].Raw
 	}
 

test/e2e_test.go

@@ -1043,6 +1043,8 @@ func TestSignVerifyBundle(t *testing.T) {
 		NewBundleFormat:     true,
 		UseSignedTimestamps: false,
 	}
+
+	must(cmd.Exec(ctx, args), t)
 }
 
 func TestAttestVerify(t *testing.T) {