path: root/debian/patches/avoid-rekor-fulcio.patch
Diffstat (limited to 'debian/patches/avoid-rekor-fulcio.patch')
-rw-r--r--debian/patches/avoid-rekor-fulcio.patch219
1 files changed, 219 insertions, 0 deletions
diff --git a/debian/patches/avoid-rekor-fulcio.patch b/debian/patches/avoid-rekor-fulcio.patch
new file mode 100644
index 0000000..9027005
--- /dev/null
+++ b/debian/patches/avoid-rekor-fulcio.patch
@@ -0,0 +1,219 @@
+Author: Reinhard Tartler <siretart@gmail.com>
+Date: Thu Nov 9 16:10:26 2023 +0000
+Description: Add buildtags to avoid fulcio and rekor dependencies
+Forwarded: https://github.com/containers/image/pull/2180
+
+ For situations where Fulcio and Rekor operations are not required,
+ this commit provides buildtags to avoid those dependencies.
+
+ Signed-off-by: Reinhard Tartler <siretart@gmail.com>
+
+NB: This patch is modified to always use the stubs, so that dependent packages
+are not required to carry along these tags
+
+diff --git a/signature/fulcio_cert.go b/signature/fulcio_cert.go
+index ef5d3df6..c11fa46a 100644
+--- a/signature/fulcio_cert.go
++++ b/signature/fulcio_cert.go
+@@ -1,3 +1,6 @@
++//go:build debian_fulcio_disabled
++// +build debian_fulcio_disabled
++
+ package signature
+
+ import (
+diff --git a/signature/fulcio_cert_stub.go b/signature/fulcio_cert_stub.go
+new file mode 100644
+index 00000000..ee79b031
+--- /dev/null
++++ b/signature/fulcio_cert_stub.go
+@@ -0,0 +1,28 @@
++//go:build !debian_fulcio_disabled
++// +build !debian_fulcio_disabled
++
++package signature
++
++import (
++ "crypto"
++ "crypto/ecdsa"
++ "crypto/x509"
++ "errors"
++)
++
++type fulcioTrustRoot struct {
++ caCertificates *x509.CertPool
++ oidcIssuer string
++ subjectEmail string
++}
++
++func (f *fulcioTrustRoot) validate() error {
++ return errors.New("fulcio disabled at compile-time")
++}
++
++func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
++ untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
++ untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
++ return nil, errors.New("fulcio diabled at compile-time")
++
++}
+diff --git a/signature/fulcio_cert_test.go b/signature/fulcio_cert_test.go
+index e283ae45..ccf619f4 100644
+--- a/signature/fulcio_cert_test.go
++++ b/signature/fulcio_cert_test.go
+@@ -1,3 +1,6 @@
++//go:build debian_fulcio_disabled
++// +build debian_fulcio_disabled
++
+ package signature
+
+ import (
+diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go
+index d439b5f7..d86e98a4 100644
+--- a/signature/internal/rekor_set.go
++++ b/signature/internal/rekor_set.go
+@@ -1,3 +1,6 @@
++//go:build debian_rekor_disabled
++// +build debian_rekor_disabled
++
+ package internal
+
+ import (
+diff --git a/signature/internal/rekor_set_stub.go b/signature/internal/rekor_set_stub.go
+new file mode 100644
+index 00000000..7c121cc2
+--- /dev/null
++++ b/signature/internal/rekor_set_stub.go
+@@ -0,0 +1,15 @@
++//go:build !debian_rekor_disabled
++// +build !debian_rekor_disabled
++
++package internal
++
++import (
++ "crypto/ecdsa"
++ "time"
++)
++
++// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
++// Returns bundle upload time on success.
++func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
++ return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
++}
+diff --git a/signature/internal/rekor_set_test.go b/signature/internal/rekor_set_test.go
+index 0cc8483d..0040b7b4 100644
+--- a/signature/internal/rekor_set_test.go
++++ b/signature/internal/rekor_set_test.go
+@@ -1,3 +1,6 @@
++//go:build debian_rekor_disabled
++// +build debian_rekor_disabled
++
+ package internal
+
+ import (
+diff --git a/signature/policy_eval_sigstore_test.go b/signature/policy_eval_sigstore_test.go
+index f4dd1136..b4600712 100644
+--- a/signature/policy_eval_sigstore_test.go
++++ b/signature/policy_eval_sigstore_test.go
+@@ -1,3 +1,6 @@
++//go:build debian_fulcio_disabled
++// +build debian_fulcio_disabled
++
+ // Policy evaluation for prCosignSigned.
+
+ package signature
+diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go
+index 0e6746ab..4ba98b98 100644
+--- a/signature/sigstore/fulcio/fulcio.go
++++ b/signature/sigstore/fulcio/fulcio.go
+@@ -1,3 +1,6 @@
++//go:build debian_fulcio_disabled
++// +build debian_fulcio_disabled
++
+ package fulcio
+
+ import (
+diff --git a/signature/sigstore/fulcio/fulcio_stub.go b/signature/sigstore/fulcio/fulcio_stub.go
+new file mode 100644
+index 00000000..4f4d435c
+--- /dev/null
++++ b/signature/sigstore/fulcio/fulcio_stub.go
+@@ -0,0 +1,45 @@
++//go:build !debian_fulcio_disabled
++// +build !debian_fulcio_disabled
++
++package fulcio
++
++import (
++ "fmt"
++ "io"
++ "net/url"
++
++ "github.com/containers/image/v5/signature/sigstore/internal"
++)
++
++func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
++ return func(s *internal.SigstoreSigner) error {
++ return fmt.Errorf("fulcio disabled at compile time")
++ }
++}
++
++// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
++// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
++//
++// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
++func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
++ interactiveOutput io.Writer) internal.Option {
++ return func(s *internal.SigstoreSigner) error {
++ return fmt.Errorf("fulcio disabled at compile time")
++ }
++}
++
++// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
++// based on an interactively-obtained OIDC ID token.
++// The token is obtained
++// - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
++// to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
++// either or both may be impossible in a container or a remote VM).
++// - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
++//
++// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
++func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
++ interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
++ return func(s *internal.SigstoreSigner) error {
++ return fmt.Errorf("fulcio disabled at compile time")
++ }
++}
+diff --git a/signature/sigstore/rekor/rekor.go b/signature/sigstore/rekor/rekor.go
+index 0236f0aa..f8ba6dc3 100644
+--- a/signature/sigstore/rekor/rekor.go
++++ b/signature/sigstore/rekor/rekor.go
+@@ -1,3 +1,6 @@
++//go:build debian_rekor_disabled
++// +build debian_rekor_disabled
++
+ package rekor
+
+ import (
+diff --git a/signature/sigstore/rekor/rekor_stub.go b/signature/sigstore/rekor/rekor_stub.go
+new file mode 100644
+index 00000000..d6192653
+--- /dev/null
++++ b/signature/sigstore/rekor/rekor_stub.go
+@@ -0,0 +1,17 @@
++//go:build !debian_rekor_disabled
++// +build !debian_rekor_disabled
++
++package rekor
++
++import (
++ "fmt"
++ "net/url"
++
++ signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
++)
++
++func WithRekor(rekorURL *url.URL) signerInternal.Option {
++ return func(s *signerInternal.SigstoreSigner) error {
++ return fmt.Errorf("rekor disabled at build time")
++ }
++}
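Review bot: The build-tag names read inverted relative to what they select: the real implementations in `signature/fulcio_cert.go` and `signature/internal/rekor_set.go` are gated on `debian_fulcio_disabled` / `debian_rekor_disabled` while the stubs carry the negated tags, so building with `-tags debian_fulcio_disabled` actually enables Fulcio; either rename the tags to say what they enable or spell this out in the NB paragraph at the top of the patch. The stub error strings are inconsistent and one is misspelled (`fulcio diabled at compile-time` in `verifyRekorFulcio`, `compile time` in fulcio_stub.go, `build time` in rekor_stub.go); since these are what a user sees when a sigstore policy requires Rekor or Fulcio, one wording helps diagnosis, e.g. `return nil, errors.New("fulcio disabled at compile-time")`. The stubs do fail closed (`verifyRekorFulcio`, `VerifyRekorSET` and `fulcioTrustRoot.validate` all return an error rather than reporting success), which is the right default for a verifier, but the existing tests are tagged out under the default build and nothing covers the stub behaviour. `WithFulcioAndPreexistingOIDCIDToken` is also the only exported stub without a doc comment, and the blank line before the closing brace of `verifyRekorFulcio` looks like it would not survive gofmt.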