sync: Added support for syncing notary/cosign signatures, closes #261

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2026-06-16 04:17:55 +08:00 · 2021-12-07 20:26:26 +02:00
parent e6d6d5a7de
commit 1109bb4dde
7 changed files with 1026 additions and 57 deletions
@@ -1,8 +1,11 @@
 package sync

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"io/ioutil"
+	"net/url"
 	"os"
 	"path"
 	"strings"
@@ -10,13 +13,20 @@ import (
 	glob "github.com/bmatcuk/doublestar/v4"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/types"
+	"github.com/notaryproject/notation-go-lib"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
+	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
+	"gopkg.in/resty.v1"
 	"zotregistry.io/zot/errors"
 	"zotregistry.io/zot/pkg/extensions/monitoring"
 	"zotregistry.io/zot/pkg/log"
 	"zotregistry.io/zot/pkg/storage"
 )

+type ReferenceList struct {
+	References []notation.Descriptor `json:"references"`
+}
+
 // getTagFromRef returns a tagged reference from an image reference.
 func getTagFromRef(ref types.ImageReference, log log.Logger) reference.Tagged {
 	tagged, isTagged := ref.DockerReference().(reference.Tagged)
@@ -91,6 +101,311 @@ func getFileCredentials(filepath string) (CredentialsFile, error) {
 	return creds, nil
 }

+func getHTTPClient(regCfg *RegistryConfig, credentials Credentials, log log.Logger) (*resty.Client, error) {
+	client := resty.New()
+
+	if regCfg.CertDir != "" {
+		log.Debug().Msgf("sync: using certs directory: %s", regCfg.CertDir)
+		clientCert := path.Join(regCfg.CertDir, "client.cert")
+		clientKey := path.Join(regCfg.CertDir, "client.key")
+		caCertPath := path.Join(regCfg.CertDir, "ca.crt")
+
+		caCert, err := ioutil.ReadFile(caCertPath)
+		if err != nil {
+			log.Error().Err(err).Msg("couldn't read CA certificate")
+
+			return nil, err
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		client.SetTLSClientConfig(&tls.Config{RootCAs: caCertPool, MinVersion: tls.VersionTLS12})
+
+		cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
+		if err != nil {
+			log.Error().Err(err).Msg("couldn't read certificates key pairs")
+
+			return nil, err
+		}
+
+		client.SetCertificates(cert)
+	}
+
+	// nolint: gosec
+	if regCfg.TLSVerify != nil && !*regCfg.TLSVerify {
+		client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+	}
+
+	if credentials.Username != "" && credentials.Password != "" {
+		log.Debug().Msgf("sync: using basic auth")
+		client.SetBasicAuth(credentials.Username, credentials.Password)
+	}
+
+	return client, nil
+}
+
+func syncCosignSignature(client *resty.Client, storeController storage.StoreController,
+	regURL url.URL, repo, digest string, log log.Logger) error {
+	log.Info().Msg("syncing cosign signatures")
+
+	getCosignManifestURL := regURL
+
+	cosignEncodedDigest := strings.Replace(digest, ":", "-", 1) + ".sig"
+	getCosignManifestURL.Path = path.Join(getCosignManifestURL.Path, "v2", repo, "manifests", cosignEncodedDigest)
+	getCosignManifestURL.RawQuery = getCosignManifestURL.Query().Encode()
+
+	mResp, err := client.R().Get(getCosignManifestURL.String())
+	if err != nil {
+		log.Error().Err(err).Str("url", getCosignManifestURL.String()).
+			Msgf("couldn't get cosign manifest: %s", cosignEncodedDigest)
+
+		return err
+	}
+
+	if mResp.IsError() {
+		log.Info().Msgf("couldn't find any cosign signature from %s, status code: %d skipping",
+			getCosignManifestURL.String(), mResp.StatusCode())
+
+		return nil
+	}
+
+	var m ispec.Manifest
+
+	err = json.Unmarshal(mResp.Body(), &m)
+	if err != nil {
+		log.Error().Err(err).Str("url", getCosignManifestURL.String()).
+			Msgf("couldn't unmarshal cosign manifest %s", cosignEncodedDigest)
+
+		return err
+	}
+
+	imageStore := storeController.GetImageStore(repo)
+
+	for _, blob := range m.Layers {
+		// get blob
+		getBlobURL := regURL
+		getBlobURL.Path = path.Join(getBlobURL.Path, "v2", repo, "blobs", blob.Digest.String())
+		getBlobURL.RawQuery = getBlobURL.Query().Encode()
+
+		resp, err := client.R().SetDoNotParseResponse(true).Get(getBlobURL.String())
+		if err != nil {
+			log.Error().Err(err).Msgf("couldn't get cosign blob: %s", blob.Digest.String())
+
+			return err
+		}
+
+		if resp.IsError() {
+			log.Info().Msgf("couldn't find cosign blob from %s, status code: %d", getBlobURL.String(), resp.StatusCode())
+
+			return errors.ErrBadBlobDigest
+		}
+
+		defer resp.RawBody().Close()
+
+		// push blob
+		_, _, err = imageStore.FullBlobUpload(repo, resp.RawBody(), blob.Digest.String())
+		if err != nil {
+			log.Error().Err(err).Msg("couldn't upload cosign blob")
+
+			return err
+		}
+	}
+
+	// get config blob
+	getBlobURL := regURL
+	getBlobURL.Path = path.Join(getBlobURL.Path, "v2", repo, "blobs", m.Config.Digest.String())
+	getBlobURL.RawQuery = getBlobURL.Query().Encode()
+
+	resp, err := client.R().SetDoNotParseResponse(true).Get(getBlobURL.String())
+	if err != nil {
+		log.Error().Err(err).Msgf("couldn't get cosign config blob: %s", getBlobURL.String())
+
+		return err
+	}
+
+	if resp.IsError() {
+		log.Info().Msgf("couldn't find cosign config blob from %s, status code: %d", getBlobURL.String(), resp.StatusCode())
+
+		return errors.ErrBadBlobDigest
+	}
+
+	defer resp.RawBody().Close()
+
+	// push config blob
+	_, _, err = imageStore.FullBlobUpload(repo, resp.RawBody(), m.Config.Digest.String())
+	if err != nil {
+		log.Error().Err(err).Msg("couldn't upload cosign blob")
+
+		return err
+	}
+
+	// push manifest
+	_, err = imageStore.PutImageManifest(repo, cosignEncodedDigest, ispec.MediaTypeImageManifest, mResp.Body())
+	if err != nil {
+		log.Error().Err(err).Msg("couldn't upload cosing manifest")
+
+		return err
+	}
+
+	return nil
+}
+
+func syncNotarySignature(client *resty.Client, storeController storage.StoreController,
+	regURL url.URL, repo, digest string, log log.Logger) error {
+	log.Info().Msg("syncing notary signatures")
+
+	getReferrersURL := regURL
+	getRefManifestURL := regURL
+
+	// based on manifest digest get referrers
+	getReferrersURL.Path = path.Join(getReferrersURL.Path, "oras/artifacts/v1/", repo, "manifests", digest, "referrers")
+	getReferrersURL.RawQuery = getReferrersURL.Query().Encode()
+
+	resp, err := client.R().
+		SetHeader("Content-Type", "application/json").
+		SetQueryParam("artifactType", "application/vnd.cncf.notary.v2.signature").
+		Get(getReferrersURL.String())
+	if err != nil {
+		log.Error().Err(err).Msgf("couldn't get referrers from %s", getReferrersURL.String())
+
+		return err
+	}
+
+	if resp.IsError() {
+		log.Info().Msgf("couldn't find any notary signature from %s, status code: %d, skipping",
+			getReferrersURL.String(), resp.StatusCode())
+
+		return nil
+	}
+
+	var referrers ReferenceList
+
+	err = json.Unmarshal(resp.Body(), &referrers)
+	if err != nil {
+		log.Error().Err(err).Msgf("couldn't unmarshal notary signature from %s", getReferrersURL.String())
+
+		return err
+	}
+
+	imageStore := storeController.GetImageStore(repo)
+
+	for _, ref := range referrers.References {
+		// get referrer manifest
+		getRefManifestURL.Path = path.Join(getRefManifestURL.Path, "v2", repo, "manifests", ref.Digest.String())
+		getRefManifestURL.RawQuery = getRefManifestURL.Query().Encode()
+
+		resp, err := client.R().
+			Get(getRefManifestURL.String())
+		if err != nil {
+			log.Error().Err(err).Msgf("couldn't get notary manifest: %s", getRefManifestURL.String())
+
+			return err
+		}
+
+		// read manifest
+		var m artifactspec.Manifest
+
+		err = json.Unmarshal(resp.Body(), &m)
+		if err != nil {
+			log.Error().Err(err).Msgf("couldn't unmarshal notary manifest: %s", getRefManifestURL.String())
+
+			return err
+		}
+
+		for _, blob := range m.Blobs {
+			getBlobURL := regURL
+			getBlobURL.Path = path.Join(getBlobURL.Path, "v2", repo, "blobs", blob.Digest.String())
+			getBlobURL.RawQuery = getBlobURL.Query().Encode()
+
+			resp, err := client.R().SetDoNotParseResponse(true).Get(getBlobURL.String())
+			if err != nil {
+				log.Error().Err(err).Msgf("couldn't get notary blob: %s", getBlobURL.String())
+
+				return err
+			}
+
+			defer resp.RawBody().Close()
+
+			if resp.IsError() {
+				log.Info().Msgf("couldn't find notary blob from %s, status code: %d",
+					getBlobURL.String(), resp.StatusCode())
+
+				return errors.ErrBadBlobDigest
+			}
+
+			_, _, err = imageStore.FullBlobUpload(repo, resp.RawBody(), blob.Digest.String())
+			if err != nil {
+				log.Error().Err(err).Msg("couldn't upload notary sig blob")
+
+				return err
+			}
+		}
+
+		_, err = imageStore.PutImageManifest(repo, ref.Digest.String(), artifactspec.MediaTypeArtifactManifest, resp.Body())
+		if err != nil {
+			log.Error().Err(err).Msg("couldn't upload notary sig manifest")
+
+			return err
+		}
+	}
+
+	return nil
+}
+
+func syncSignatures(client *resty.Client, storeController storage.StoreController,
+	registryURL, repo, tag string, log log.Logger) error {
+	log.Info().Msg("syncing signatures")
+	// get manifest and find out its digest
+	regURL, err := url.Parse(registryURL)
+	if err != nil {
+		log.Error().Err(err).Msgf("couldn't parse registry URL: %s", registryURL)
+
+		return err
+	}
+
+	getManifestURL := *regURL
+
+	getManifestURL.Path = path.Join(getManifestURL.Path, "v2", repo, "manifests", tag)
+
+	resp, err := client.R().SetHeader("Content-Type", "application/json").Head(getManifestURL.String())
+	if err != nil {
+		log.Error().Err(err).Str("url", getManifestURL.String()).
+			Msgf("couldn't query %s", registryURL)
+
+		return err
+	}
+
+	digests, ok := resp.Header()["Docker-Content-Digest"]
+	if !ok {
+		log.Error().Err(errors.ErrBadBlobDigest).Str("url", getManifestURL.String()).
+			Msgf("couldn't get digest for manifest: %s:%s", repo, tag)
+
+		return errors.ErrBadBlobDigest
+	}
+
+	if len(digests) != 1 {
+		log.Error().Err(errors.ErrBadBlobDigest).Str("url", getManifestURL.String()).
+			Msgf("multiple digests found for: %s:%s", repo, tag)
+
+		return errors.ErrBadBlobDigest
+	}
+
+	err = syncNotarySignature(client, storeController, *regURL, repo, digests[0], log)
+	if err != nil {
+		return err
+	}
+
+	err = syncCosignSignature(client, storeController, *regURL, repo, digests[0], log)
+	if err != nil {
+		return err
+	}
+
+	log.Info().Msg("successfully synced signatures")
+
+	return nil
+}
+
 func pushSyncedLocalImage(repo, tag, uuid string,
 	storeController storage.StoreController, log log.Logger) error {
 	log.Info().Msgf("pushing synced local image %s:%s to local registry", repo, tag)
@@ -165,3 +480,13 @@ func pushSyncedLocalImage(repo, tag, uuid string,

 	return nil
 }
+
+// sync feature will try to pull cosign signature because for sync cosign signature is just an image
+// this function will check if tag is a cosign tag.
+func isCosignTag(tag string) bool {
+	if strings.HasPrefix(tag, "sha256-") && strings.HasSuffix(tag, ".sig") {
+		return true
+	}
+
+	return false
+}