Sign/Verify Signature command (#65)

New feature signing/verification of component descriptor [EXPERIMENTAL]: add digests, check digests, sign with rsa private key, verify with rsa public key
gardener-attic · Mar 3, 2022 · 7971861 · 7971861
1 parent fa7ddfd
commit 7971861
Show file tree

Hide file tree

Showing 31 changed files with 2,059 additions and 6 deletions.
diff --git a/docs/reference/component-cli_component-archive.md b/docs/reference/component-cli_component-archive.md
@@ -41,5 +41,6 @@ component-cli component-archive [component-archive-path] [ctf-path] [flags]
 * [component-cli component-archive export](component-cli_component-archive_export.md)	 - Exports a component archive as defined by CTF
 * [component-cli component-archive remote](component-cli_component-archive_remote.md)	 - command to interact with component descriptors stored in an oci registry
 * [component-cli component-archive resources](component-cli_component-archive_resources.md)	 - command to modify resources of a component descriptor
+* [component-cli component-archive signature](component-cli_component-archive_signature.md)	 - [EXPERIMENTAL] command to work with signatures and digests in component descriptors
 * [component-cli component-archive sources](component-cli_component-archive_sources.md)	 - command to modify sources of a component descriptor
 
diff --git a/docs/reference/component-cli_component-archive_signature.md b/docs/reference/component-cli_component-archive_signature.md
@@ -0,0 +1,29 @@
+## component-cli component-archive signature
+
+[EXPERIMENTAL] command to work with signatures and digests in component descriptors
+
+### Options
+
+```
+  -h, --help   help for signature
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive](component-cli_component-archive.md)	 - 
+* [component-cli component-archive signature add-digests](component-cli_component-archive_signature_add-digests.md)	 - fetch the component descriptor from an oci registry and add digests
+* [component-cli component-archive signature check-digests](component-cli_component-archive_signature_check-digests.md)	 - fetch the component descriptor from an oci registry and check digests
+* [component-cli component-archive signature sign](component-cli_component-archive_signature_sign.md)	 - command to sign component descriptors
+* [component-cli component-archive signature verify](component-cli_component-archive_signature_verify.md)	 - command to verify the signature of a component descriptor
+
diff --git a/docs/reference/component-cli_component-archive_signature_add-digests.md b/docs/reference/component-cli_component-archive_signature_add-digests.md
@@ -0,0 +1,43 @@
+## component-cli component-archive signature add-digests
+
+fetch the component descriptor from an oci registry and add digests
+
+### Synopsis
+
+
+		fetch the component descriptor from an oci registry and add digests. Optionally resolve and digest the referenced component descriptors.
+
+
+```
+component-cli component-archive signature add-digests BASE_URL COMPONENT_NAME VERSION [flags]
+```
+
+### Options
+
+```
+      --allow-plain-http            allows the fallback to http if the oci registry does not support https
+      --cc-config string            path to the local concourse config file
+      --force                       force overwrite of already existing component descriptors
+  -h, --help                        help for add-digests
+      --insecure-skip-tls-verify    If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --recursive                   recursively upload all referenced component descriptors
+      --registry-config string      path to the dockerconfig.json with the oci registry authentication information
+      --skip-access-types strings   comma separated list of access types that will not be digested
+      --upload-base-url string      target repository context to upload the signed cd
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature](component-cli_component-archive_signature.md)	 - [EXPERIMENTAL] command to work with signatures and digests in component descriptors
+
diff --git a/docs/reference/component-cli_component-archive_signature_check-digests.md b/docs/reference/component-cli_component-archive_signature_check-digests.md
@@ -0,0 +1,34 @@
+## component-cli component-archive signature check-digests
+
+fetch the component descriptor from an oci registry and check digests
+
+```
+component-cli component-archive signature check-digests BASE_URL COMPONENT_NAME VERSION [flags]
+```
+
+### Options
+
+```
+      --allow-plain-http            allows the fallback to http if the oci registry does not support https
+      --cc-config string            path to the local concourse config file
+  -h, --help                        help for check-digests
+      --insecure-skip-tls-verify    If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --registry-config string      path to the dockerconfig.json with the oci registry authentication information
+      --skip-access-types strings   comma separated list of access types that will be ignored for digest verification
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature](component-cli_component-archive_signature.md)	 - [EXPERIMENTAL] command to work with signatures and digests in component descriptors
+
diff --git a/docs/reference/component-cli_component-archive_signature_sign.md b/docs/reference/component-cli_component-archive_signature_sign.md
@@ -0,0 +1,26 @@
+## component-cli component-archive signature sign
+
+command to sign component descriptors
+
+### Options
+
+```
+  -h, --help   help for sign
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature](component-cli_component-archive_signature.md)	 - [EXPERIMENTAL] command to work with signatures and digests in component descriptors
+* [component-cli component-archive signature sign rsa](component-cli_component-archive_signature_sign_rsa.md)	 - fetch the component descriptor from an oci registry and sign it using RSASSA-PKCS1-V1_5-SIGN
+
diff --git a/docs/reference/component-cli_component-archive_signature_sign_rsa.md b/docs/reference/component-cli_component-archive_signature_sign_rsa.md
@@ -0,0 +1,39 @@
+## component-cli component-archive signature sign rsa
+
+fetch the component descriptor from an oci registry and sign it using RSASSA-PKCS1-V1_5-SIGN
+
+```
+component-cli component-archive signature sign rsa BASE_URL COMPONENT_NAME VERSION [flags]
+```
+
+### Options
+
+```
+      --allow-plain-http            allows the fallback to http if the oci registry does not support https
+      --cc-config string            path to the local concourse config file
+      --force                       force overwrite of already existing component descriptors
+  -h, --help                        help for rsa
+      --insecure-skip-tls-verify    If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --private-key string          path to private key file used for signing
+      --recursive                   recursively sign and upload all referenced component descriptors
+      --registry-config string      path to the dockerconfig.json with the oci registry authentication information
+      --signature-name string       name of the signature
+      --skip-access-types strings   comma separated list of access types that will not be digested and signed
+      --upload-base-url string      target repository context to upload the signed cd
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature sign](component-cli_component-archive_signature_sign.md)	 - command to sign component descriptors
+
diff --git a/docs/reference/component-cli_component-archive_signature_verify.md b/docs/reference/component-cli_component-archive_signature_verify.md
@@ -0,0 +1,26 @@
+## component-cli component-archive signature verify
+
+command to verify the signature of a component descriptor
+
+### Options
+
+```
+  -h, --help   help for verify
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature](component-cli_component-archive_signature.md)	 - [EXPERIMENTAL] command to work with signatures and digests in component descriptors
+* [component-cli component-archive signature verify rsa](component-cli_component-archive_signature_verify_rsa.md)	 - fetch the component descriptor from an oci registry and verify its integrity based on a RSASSA-PKCS1-V1_5-SIGN signature
+
diff --git a/docs/reference/component-cli_component-archive_signature_verify_rsa.md b/docs/reference/component-cli_component-archive_signature_verify_rsa.md
@@ -0,0 +1,36 @@
+## component-cli component-archive signature verify rsa
+
+fetch the component descriptor from an oci registry and verify its integrity based on a RSASSA-PKCS1-V1_5-SIGN signature
+
+```
+component-cli component-archive signature verify rsa BASE_URL COMPONENT_NAME VERSION [flags]
+```
+
+### Options
+
+```
+      --allow-plain-http            allows the fallback to http if the oci registry does not support https
+      --cc-config string            path to the local concourse config file
+  -h, --help                        help for rsa
+      --insecure-skip-tls-verify    If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --public-key string           path to public key file
+      --registry-config string      path to the dockerconfig.json with the oci registry authentication information
+      --signature-name string       name of the signature to verify
+      --skip-access-types strings   comma separated list of access types that will be ignored for verification
+```
+
+### Options inherited from parent commands
+
+```
+      --cli                  logger runs as cli logger. enables cli logging
+      --dev                  enable development logging which result in console encoding, enabled stacktrace and enabled caller
+      --disable-caller       disable the caller of logs (default true)
+      --disable-stacktrace   disable the stacktrace of error logs (default true)
+      --disable-timestamp    disable timestamp output (default true)
+  -v, --verbosity int        number for the log level verbosity (default 1)
+```
+
+### SEE ALSO
+
+* [component-cli component-archive signature verify](component-cli_component-archive_signature_verify.md)	 - command to verify the signature of a component descriptor
+
diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/docker/cli v20.10.0-rc1+incompatible
 	github.com/docker/docker v1.4.2-0.20200203170920-46ec8731fbce // indirect
 	github.com/drone/envsubst v1.0.2
-	github.com/gardener/component-spec/bindings-go v0.0.53
+	github.com/gardener/component-spec/bindings-go v0.0.57
 	github.com/gardener/image-vector v0.10.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-logr/logr v0.4.0

diff --git a/go.sum b/go.sum
@@ -291,8 +291,8 @@ github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
 github.com/gardener/component-spec/bindings-go v0.0.52/go.mod h1:kQFMTWowNAp9tOp6aImQa/NoLzfvX29jN5Qgud9rpQU=
-github.com/gardener/component-spec/bindings-go v0.0.53 h1:9M6YOs8FYDSmGJqNqdCFolo3buuQalJSuUy7X8FIXm4=
-github.com/gardener/component-spec/bindings-go v0.0.53/go.mod h1:kQFMTWowNAp9tOp6aImQa/NoLzfvX29jN5Qgud9rpQU=
+github.com/gardener/component-spec/bindings-go v0.0.57 h1:3EYfNnIIlG/9mFI7gY+jKsGV7Gm44DdUXqRMwnUdP5M=
+github.com/gardener/component-spec/bindings-go v0.0.57/go.mod h1:kQFMTWowNAp9tOp6aImQa/NoLzfvX29jN5Qgud9rpQU=
 github.com/gardener/image-vector v0.10.0 h1:Ysg3hxfiGUG/doajiZ0nQuUaJYwfO5BZCOcijL3tRuo=
 github.com/gardener/image-vector v0.10.0/go.mod h1:32SHGcbmmueeK9VkawsFcEbsoENXQPIuuYiFBUP+vMQ=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=

diff --git a/ociclient/mock/client_mock.go b/ociclient/mock/client_mock.go
diff --git a/pkg/commands/componentarchive/componentarchive.go b/pkg/commands/componentarchive/componentarchive.go
@@ -21,6 +21,7 @@ import (
 	"github.com/gardener/component-cli/pkg/commands/componentarchive/componentreferences"
 	"github.com/gardener/component-cli/pkg/commands/componentarchive/remote"
 	"github.com/gardener/component-cli/pkg/commands/componentarchive/resources"
+	"github.com/gardener/component-cli/pkg/commands/componentarchive/signature"
 	"github.com/gardener/component-cli/pkg/commands/componentarchive/sources"
 	ctfcmd "github.com/gardener/component-cli/pkg/commands/ctf"
 	"github.com/gardener/component-cli/pkg/componentarchive"
@@ -74,6 +75,7 @@ func NewComponentArchiveCommand(ctx context.Context) *cobra.Command {
 	cmd.AddCommand(resources.NewResourcesCommand(ctx))
 	cmd.AddCommand(componentreferences.NewCompRefCommand(ctx))
 	cmd.AddCommand(sources.NewSourcesCommand(ctx))
+	cmd.AddCommand(signature.NewSignatureCommand(ctx))
 	return cmd
 }