package plugin
import (
"fmt"
"log/slog"
"os/exec"
)
// CosignVerifier checks plugin binaries against cosign keyless signatures by
// shelling out to the cosign CLI. Having cosign installed is optional: when the
// executable is not on PATH, Verify logs a warning and reports success so that
// environments without cosign keep working.
type CosignVerifier struct {
	// OIDCIssuer is forwarded to cosign as --certificate-oidc-issuer, the OIDC
	// issuer the signing certificate is expected to carry.
	OIDCIssuer string
	// AllowedIdentityRegexp is forwarded to cosign as
	// --certificate-identity-regexp, the pattern the signing certificate's
	// subject identity is expected to match.
	AllowedIdentityRegexp string
}
// NewCosignVerifier returns a CosignVerifier that accepts signatures whose
// certificate was issued by oidcIssuer for an identity matching identityRegexp
// (for example "https://github.com/GoCodeAlone/.*"). The arguments are not
// validated here; they are handed to cosign verbatim by Verify.
func NewCosignVerifier(oidcIssuer, identityRegexp string) *CosignVerifier {
	var v CosignVerifier
	v.OIDCIssuer = oidcIssuer
	v.AllowedIdentityRegexp = identityRegexp
	return &v
}
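// Verify checks the cosign keyless signature on the plugin binary at
// binaryPath by running `cosign verify-blob` with the detached signature at
// sigPath and the signing certificate at certPath, constrained to the
// receiver's OIDCIssuer and AllowedIdentityRegexp.
//
// It returns nil when the signature verifies. If the cosign CLI is not on
// PATH, a warning is logged and nil is returned so that deployments without
// cosign are not broken; callers that require verification must make sure
// cosign is installed. Any other failure (an empty path, a cosign error, or a
// signature that does not verify) is returned as an error; cosign failures
// include the tool's combined stdout/stderr.
func (v *CosignVerifier) Verify(binaryPath, sigPath, certPath string) error {
	cosignPath, err := exec.LookPath("cosign")
	if err != nil {
		slog.Warn("cosign not found — skipping binary verification", "binary", binaryPath)
		return nil //nolint:nilerr // intentional: graceful degradation when cosign not installed
	}

	// Do not hand cosign an empty path: an empty --signature or --certificate
	// would only surface as an opaque cosign failure, and an empty subject
	// path is a caller bug rather than a verification result.
	switch {
	case binaryPath == "":
		return fmt.Errorf("cosign verify-blob: empty binary path")
	case sigPath == "":
		return fmt.Errorf("cosign verify-blob: empty signature path for %q", binaryPath)
	case certPath == "":
		return fmt.Errorf("cosign verify-blob: empty certificate path for %q", binaryPath)
	}

	// Arguments are passed as an argv slice (no shell is involved) and are not
	// user-controlled; they come from internal plugin manifest configuration
	// and verified file paths. cosignPath is the executable resolved above, so
	// exec.Command does not repeat the PATH lookup.
	cmd := exec.Command(cosignPath, //nolint:gosec // args are internal, not user input
		"verify-blob",
		"--signature", sigPath,
		"--certificate", certPath,
		"--certificate-oidc-issuer", v.OIDCIssuer,
		"--certificate-identity-regexp", v.AllowedIdentityRegexp,
		binaryPath,
	)
	// NOTE(review): no deadline is attached to the cosign process; keyless
	// verification presumably talks to remote services, so a hung cosign
	// would block Verify indefinitely — consider exec.CommandContext.
	// CombinedOutput keeps stdout and stderr together so the reason for a
	// verification failure is preserved in the returned error.
	if out, runErr := cmd.CombinedOutput(); runErr != nil {
		return fmt.Errorf("cosign verify-blob: %w: %s", runErr, out)
	}
	return nil
}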