Diffstat (limited to 'debian/patches/avoid-rekor-fulcio.patch')
-rw-r--r-- | debian/patches/avoid-rekor-fulcio.patch | 219 |
1 files changed, 219 insertions, 0 deletions
diff --git a/debian/patches/avoid-rekor-fulcio.patch b/debian/patches/avoid-rekor-fulcio.patch new file mode 100644 index 0000000..9027005 --- /dev/null +++ b/debian/patches/avoid-rekor-fulcio.patch @@ -0,0 +1,219 @@ +Author: Reinhard Tartler <siretart@gmail.com> +Date: Thu Nov 9 16:10:26 2023 +0000 +Description: Add buildtags to avoid fulcio and rekor dependencies +Forwarded: https://github.com/containers/image/pull/2180 + + For situations where Fulcio and Rekor operations are not required, + this commit provides buildtags to avoid those dependencies. + + 
Signed-off-by: Reinhard Tartler <siretart@gmail.com> + +NB: This patch is modified to always use the stubs, so that dependent packages +are not required to carry along these tags + +diff --git a/signature/fulcio_cert.go b/signature/fulcio_cert.go +index ef5d3df6..c11fa46a 100644 +--- a/signature/fulcio_cert.go ++++ b/signature/fulcio_cert.go +@@ -1,3 +1,6 @@ ++//go:build debian_fulcio_disabled ++// +build debian_fulcio_disabled ++ + package signature + + import ( +diff --git a/signature/fulcio_cert_stub.go b/signature/fulcio_cert_stub.go +new file mode 100644 +index 00000000..ee79b031 +--- /dev/null ++++ b/signature/fulcio_cert_stub.go +@@ -0,0 +1,28 @@ ++//go:build !debian_fulcio_disabled ++// +build !debian_fulcio_disabled ++ ++package signature ++ ++import ( ++ "crypto" ++ "crypto/ecdsa" ++ "crypto/x509" ++ "errors" ++) ++ ++type fulcioTrustRoot struct { ++ caCertificates *x509.CertPool ++ oidcIssuer string ++ subjectEmail string ++} ++ ++func (f *fulcioTrustRoot) validate() error { ++ return errors.New("fulcio disabled at compile-time") ++} ++ ++func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte, ++ untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string, ++ untrustedPayloadBytes []byte) (crypto.PublicKey, error) { ++ return nil, errors.New("fulcio diabled at compile-time") ++ ++} +diff --git a/signature/fulcio_cert_test.go b/signature/fulcio_cert_test.go +index e283ae45..ccf619f4 100644 +--- a/signature/fulcio_cert_test.go ++++ b/signature/fulcio_cert_test.go +@@ -1,3 +1,6 @@ ++//go:build debian_fulcio_disabled ++// +build debian_fulcio_disabled ++ + package signature + + import ( +diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go +index d439b5f7..d86e98a4 100644 +--- a/signature/internal/rekor_set.go ++++ b/signature/internal/rekor_set.go +@@ -1,3 +1,6 @@ ++//go:build debian_rekor_disabled ++// +build 
debian_rekor_disabled ++ + package internal + + import ( +diff --git a/signature/internal/rekor_set_stub.go b/signature/internal/rekor_set_stub.go +new file mode 100644 +index 00000000..7c121cc2 +--- /dev/null ++++ b/signature/internal/rekor_set_stub.go +@@ -0,0 +1,15 @@ ++//go:build !debian_rekor_disabled ++// +build !debian_rekor_disabled ++ ++package internal ++ ++import ( ++ "crypto/ecdsa" ++ "time" ++) ++ ++// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data. ++// Returns bundle upload time on success. ++func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) { ++ return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time") ++} +diff --git a/signature/internal/rekor_set_test.go b/signature/internal/rekor_set_test.go +index 0cc8483d..0040b7b4 100644 +--- a/signature/internal/rekor_set_test.go ++++ b/signature/internal/rekor_set_test.go +@@ -1,3 +1,6 @@ ++//go:build debian_rekor_disabled ++// +build debian_rekor_disabled ++ + package internal + + import ( +diff --git a/signature/policy_eval_sigstore_test.go b/signature/policy_eval_sigstore_test.go +index f4dd1136..b4600712 100644 +--- a/signature/policy_eval_sigstore_test.go ++++ b/signature/policy_eval_sigstore_test.go +@@ -1,3 +1,6 @@ ++//go:build debian_fulcio_disabled ++// +build debian_fulcio_disabled ++ + // Policy evaluation for prCosignSigned. 
+ + package signature +diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go +index 0e6746ab..4ba98b98 100644 +--- a/signature/sigstore/fulcio/fulcio.go ++++ b/signature/sigstore/fulcio/fulcio.go +@@ -1,3 +1,6 @@ ++//go:build debian_fulcio_disabled ++// +build debian_fulcio_disabled ++ + package fulcio + + import ( +diff --git a/signature/sigstore/fulcio/fulcio_stub.go b/signature/sigstore/fulcio/fulcio_stub.go +new file mode 100644 +index 00000000..4f4d435c +--- /dev/null ++++ b/signature/sigstore/fulcio/fulcio_stub.go +@@ -0,0 +1,45 @@ ++//go:build !debian_fulcio_disabled ++// +build !debian_fulcio_disabled ++ ++package fulcio ++ ++import ( ++ "fmt" ++ "io" ++ "net/url" ++ ++ "github.com/containers/image/v5/signature/sigstore/internal" ++) ++ ++func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option { ++ return func(s *internal.SigstoreSigner) error { ++ return fmt.Errorf("fulcio disabled at compile time") ++ } ++} ++ ++// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate ++// based on an OIDC ID token obtained using a device authorization grant (RFC 8628). ++// ++// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file). ++func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, ++ interactiveOutput io.Writer) internal.Option { ++ return func(s *internal.SigstoreSigner) error { ++ return fmt.Errorf("fulcio disabled at compile time") ++ } ++} ++ ++// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate ++// based on an interactively-obtained OIDC ID token. ++// The token is obtained ++// - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer, ++// to be redirected on localhost. (I.e. 
the current environment must allow launching a browser that connect back to the current process; ++// either or both may be impossible in a container or a remote VM). ++// - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text. ++// ++// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file). ++func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, ++ interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option { ++ return func(s *internal.SigstoreSigner) error { ++ return fmt.Errorf("fulcio disabled at compile time") ++ } ++} +diff --git a/signature/sigstore/rekor/rekor.go b/signature/sigstore/rekor/rekor.go +index 0236f0aa..f8ba6dc3 100644 +--- a/signature/sigstore/rekor/rekor.go ++++ b/signature/sigstore/rekor/rekor.go +@@ -1,3 +1,6 @@ ++//go:build debian_rekor_disabled ++// +build debian_rekor_disabled ++ + package rekor + + import ( +diff --git a/signature/sigstore/rekor/rekor_stub.go b/signature/sigstore/rekor/rekor_stub.go +new file mode 100644 +index 00000000..d6192653 +--- /dev/null ++++ b/signature/sigstore/rekor/rekor_stub.go +@@ -0,0 +1,17 @@ ++//go:build !debian_rekor_disabled ++// +build !debian_rekor_disabled ++ ++package rekor ++ ++import ( ++ "fmt" ++ "net/url" ++ ++ signerInternal "github.com/containers/image/v5/signature/sigstore/internal" ++) ++ ++func WithRekor(rekorURL *url.URL) signerInternal.Option { ++ return func(s *signerInternal.SigstoreSigner) error { ++ return fmt.Errorf("rekor disabled at build time") ++ } ++} |
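Review bot: The build tags are named backwards relative to what they select — `fulcio_cert_stub.go` is gated on `//go:build !debian_fulcio_disabled` while the real `fulcio_cert.go` gets `//go:build debian_fulcio_disabled`, so the stub is the default build and passing `-tags debian_fulcio_disabled` is what compiles the real Fulcio verifier (the same holds for `debian_rekor_disabled`); only the NB in the patch header says so, and nothing in the Go files does. Because every stub returns a non-nil error unconditionally, this inversion is not itself a verification bypass, but it will surprise a builder, so either rename to a positive tag (`//go:build debian_fulcio_enabled` on the real file, `//go:build !debian_fulcio_enabled` on the stub) or put above each stub tag `// NOTE: this stub is the default build; -tags debian_fulcio_disabled compiles the real verifier.` The stub error in `verifyRekorFulcio` is misspelled (`"fulcio diabled at compile-time"`) and the wording drifts between "compile-time", "compile time" and "build time" across the stubs; one consistent message makes the failure recognisable in logs. Since `fulcio_cert_test.go`, `rekor_set_test.go` and `policy_eval_sigstore_test.go` are gated behind the same tags, the default build runs no test that asserts the stubs reject; a short test compiled only with the stubs, checking that `verifyRekorFulcio` returns a nil key with a non-nil error and that `VerifyRekorSET` returns a non-nil error, would pin the fail-closed behaviour this patch relies on.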