Rework options sets

This commit modifies the options sets to brake them into more logical options
that can be used to init verifiers and pass to verification operations.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

options/bundle.go

@@ -0,0 +1,33 @@
+// SPDX-FileCopyrightText: Copyright 2025 Carabiner Systems, Inc
+// SPDX-License-Identifier: Apache-2.0
+
+package options
+
+// SigstoreVerification configures how we verify signatures using a particular
+// instance.
+type SigstoreVerification struct {
+	// ExpectedIssuer and ExpectedSan define the issuer and SAN to look for in
+	// the fulcio cert. For a broader matching behavior, choose the *Regex
+	// alternatives.
+	//
+	// Verification will fail if thse are not set. To skip the identity check
+	// set SkipIdentityCheck to true.
+	ExpectedIssuer      string
+	ExpectedIssuerRegex string
+	ExpectedSan         string
+	ExpectedSanRegex    string
+
+	// SkipIdentityCheck makes the verifier skip the identity check. This
+	// will ignore any setting in ExpectedIssuer ExpectedIssuerRegex
+	// ExpectedSan or ExpectedSanRegex
+	SkipIdentityCheck bool
+
+	// Artifact digest to check when verifier in addition to the signature
+	ArtifactDigestAlgo string
+	ArtifactDigest     string
+}
+
+type BundleVerifier struct {
+	// RootsFile path to roots file
+	RootsFile string
+}

options/signer.go

@@ -29,7 +29,7 @@ var DefaultSigstore = Sigstore{
 
 var DefaultSigner = Signer{
 	TufOptions: tuf.TufOptions{
-		TufRootURL:  tuf.SigstorePublicGoodBaseURL,
+		// TufRootURL:  tuf.SigstorePublicGoodBaseURL,
 		TufRootPath: "",
 		Fetcher:     tuf.Defaultfetcher(),
 	},

options/sigstore.go

@@ -9,39 +9,55 @@ import (
 	"net/url"
 
 	"github.com/spf13/cobra"
+
+	"github.com/carabiner-dev/signer/internal/tuf"
 )
 
 // Sigstore options to control how signer handles signing with sigstore
 type Sigstore struct {
+	// Embed the tuf options struct
+	tuf.TufOptions
+
 	Timestamp bool
 
 	// AppendToRekor controls if the signing operation is recorded into the
 	// transparency log.
-	AppendToRekor bool
+	AppendToRekor bool `json:"rekor-append"`
 	DisableSTS    bool
 
 	// FulcioURL url of the Fulcio CA (defaults to the public good instance)
-	FulcioURL string
+	FulcioURL string `json:"fulcio-url"`
 
 	// RekorURL url of the Rekor transparency log (defaults to the public good instance)
-	RekorURL string
+	RekorURL string `json:"rekor-url"`
 
 	// Hide the OIDC options in the CLI --help
 	HideOIDCOptions bool
 
 	// OidcRedirectURL defines the URL that the browser will redirect to.
 	// if the port is set to 0, bind will randomize it to a high number
 	// port before starting the OIDC flow.
-	OidcRedirectURL string
+	OidcRedirectURL string `json:"oidc-redirect-url"`
 
 	// OIDC token issuer endpoint
-	OidcIssuer string
+	OidcIssuer string `json:"oidc-issuer"`
 
 	// Client ID to stamp on the tokens
-	OidcClientID string
+	OidcClientID string `json:"oidc-client-id"`
 
 	// Client secret to pass in OIDC calls
-	OidcClientSecret string
+	OidcClientSecret string `json:"oidc-client-secret"`
+
+	// Time stamp verification options
+
+	// Look for a signed timestamp in the cert and verify with the CTLog Auth
+	RequireCTlog bool `json:"require-ct-log"`
+	// Verify the cert validity in the transparency log
+	RequireTlog bool `json:"require-tlog"`
+	// Verify the certificate validity time with a signed timestamp
+	RequireSignedTimestamps bool `json:"require-signed-timestamps"`
+	// Allow no timestamp, for keys instead of certs
+	RequireObserverTimestamp bool `json:"require-observer-timestamp"`
 }
 
 // Verify checks the integrity of the sigstore options

options/verification.go

@@ -0,0 +1,83 @@
+// SPDX-FileCopyrightText: Copyright 2025 Carabiner Systems, Inc
+// SPDX-License-Identifier: Apache-2.0
+
+package options
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"regexp"
+)
+
+type VerificationOptFunc func(*Verification) error
+
+// Verification options are generic options that all the Verify* functions take
+type Verification struct {
+	SigstoreVerification
+	KeyVerification
+}
+
+var DefaultVerification = Verification{}
+
+// WithExpectedIdentity serts the ExpectedIssuer and ExptectedSan options
+// and unsets the regex alternatives
+func WithExpectedIdentity(issuer, san string) VerificationOptFunc {
+	return func(v *Verification) error {
+		if issuer != "" {
+			v.ExpectedIssuerRegex = ""
+			v.ExpectedIssuer = issuer
+		}
+
+		if san != "" {
+			v.ExpectedSanRegex = ""
+			v.ExpectedSan = san
+		}
+		return nil
+	}
+}
+
+// WithExpectedIdentityRegex sets the ExpectedIssuerRegex and ExptectedSanRegex
+// options and unsets the non-regex alternatives.
+func WithExpectedIdentityRegex(issuer, san string) VerificationOptFunc {
+	return func(v *Verification) error {
+		if issuer != "" {
+			if _, err := regexp.Compile(issuer); err != nil {
+				return fmt.Errorf("compiling issuer regex: %w", err)
+			}
+			v.ExpectedIssuerRegex = issuer
+			v.ExpectedIssuer = ""
+		}
+
+		if san != "" {
+			if _, err := regexp.Compile(san); err != nil {
+				return fmt.Errorf("compiling SAN regex: %w", err)
+			}
+			v.ExpectedSanRegex = san
+			v.ExpectedSan = ""
+		}
+		return nil
+	}
+}
+
+// WithSkipIdentityCheck instructs the verifier to not check the signature
+// identities, only the signed payload will be checked.
+func WithSkipIdentityCheck(yesno bool) VerificationOptFunc {
+	return func(v *Verification) error {
+		v.SkipIdentityCheck = yesno
+		return nil
+	}
+}
+
+// WithArtifactData hashes the artifact data to verify along the signature.
+// This is required for message verifications
+func WithArtifactData(data []byte) VerificationOptFunc {
+	return func(opts *Verification) error {
+		s256 := sha256.New()
+		s256.Write(data)
+		hashedBytes := s256.Sum(nil)
+
+		opts.ArtifactDigest = fmt.Sprintf("%x", hashedBytes)
+		opts.ArtifactDigestAlgo = "sha256"
+		return nil
+	}
+}

options/verifier.go

@@ -5,107 +5,51 @@ package options
 
 import (
 	"crypto"
-	"crypto/sha256"
-	"fmt"
-	"regexp"
-
-	"github.com/carabiner-dev/signer/internal/tuf"
+	_ "embed"
 )
 
-type VerifierOptFunc func(*Verifier) error
-
-type Verifier struct {
-	tuf.TufOptions
-	// Artifact digest to check when verifier in addition to the signature
-	ArtifactDigestAlgo string
-	ArtifactDigest     string
-
-	// ExpectedIssuer and ExpectedSan define the issuer and SAN to look for in
-	// the fulcio cert. For a broader matching behavior, choose the *Regex
-	// alternatives.
-	// Verification will fail if thse are not set. To skip the identity check
-	// set SkipIdentityCheck to true.
-	ExpectedIssuer      string
-	ExpectedIssuerRegex string
-	ExpectedSan         string
-	ExpectedSanRegex    string
+//go:embed sigstore-roots.json
+var defaultRoots []byte
 
-	// SkipIdentityCheck makes the verifier skip the identity check. This
-	// will ignore any setting in ExpectedIssuer ExpectedIssuerRegex
-	// ExpectedSan or ExpectedSanRegex
-	SkipIdentityCheck bool
+type VerifierOptFunc func(*Verifier)
 
-	RequireCTlog     bool
-	RequireTimestamp bool
-	RequireTlog      bool
-
-	// Public keys to verify DSSE envelopes
+// KeyVerification options
+type KeyVerification struct {
 	PubKeys []crypto.PublicKey
 }
 
-var DefaultVerifier = Verifier{
-	TufOptions: tuf.TufOptions{
-		TufRootURL:  tuf.SigstorePublicGoodBaseURL,
-		TufRootPath: "",
-		Fetcher:     tuf.Defaultfetcher(),
-	},
-	ArtifactDigestAlgo: "sha256",
-	RequireCTlog:       true,
-	RequireTimestamp:   true,
-	RequireTlog:        true,
-}
+// Verifier options
+type Verifier struct {
+	// The verifier options embed a set of verification options. These are
+	// treated as defaults when calling the sigstore/dsse verifiers
+	Verification
 
-// WithExpectedIdentity serts the ExpectedIssuer and ExptectedSan options
-// and unsets the regex alternatives
-func WithExpectedIdentity(issuer, san string) VerifierOptFunc {
-	return func(v *Verifier) error {
-		v.ExpectedIssuerRegex = ""
-		v.ExpectedSanRegex = ""
-		v.ExpectedIssuer = issuer
-		v.ExpectedSan = san
-		return nil
-	}
-}
+	// SigstoreRootsPath is the path to a sigstore roots file
+	SigstoreRootsPath string
 
-// WithExpectedIdentityRegex sets the ExpectedIssuerRegex and ExptectedSanRegex
-// options and unsets the non-regex alternatives.
-func WithExpectedIdentityRegex(issuer, san string) VerifierOptFunc {
-	return func(v *Verifier) error {
-		// Check the regular expressions
-		if _, err := regexp.Compile(issuer); err != nil {
-			return fmt.Errorf("compiling issuer regex: %w", err)
-		}
-		if _, err := regexp.Compile(san); err != nil {
-			return fmt.Errorf("compiling SAN regex: %w", err)
-		}
+	// SigstoreRootsData holds raw json with data about the configured roots
+	SigstoreRootsData []byte
 
-		v.ExpectedIssuerRegex = issuer
-		v.ExpectedSanRegex = san
-		v.ExpectedIssuer = ""
-		v.ExpectedSan = ""
-		return nil
-	}
+	// // Public keys to verify DSSE envelopes
+	// PubKeys []crypto.PublicKey
 }
 
-// WithSkipIdentityCheck instructs the verifier to not check the signature
-// identities, only the signed payload will be checked.
-func WithSkipIdentityCheck(yesno bool) VerifierOptFunc {
-	return func(v *Verifier) error {
-		v.SkipIdentityCheck = yesno
-		return nil
-	}
+// DefaultVerifier default options to configure the verifier
+var DefaultVerifier = Verifier{
+	Verification:      DefaultVerification,
+	SigstoreRootsData: defaultRoots, // Embedded data from the file
 }
 
-// WithArtifactData hashes the artifact data to verify along the signature.
-// This is required for message verifications
-func WithArtifactData(data []byte) VerifierOptFunc {
-	return func(opts *Verifier) error {
-		s256 := sha256.New()
-		s256.Write(data)
-		hashedBytes := s256.Sum(nil)
+// WithSigstoreRootsPath sets the path to the sigstore roots configuration file
+func WithSigstoreRootsPath(path string) VerifierOptFunc {
+	return func(v *Verifier) {
+		v.SigstoreRootsPath = path
+	}
+}
 
-		opts.ArtifactDigest = fmt.Sprintf("%x", hashedBytes)
-		opts.ArtifactDigestAlgo = "sha256"
-		return nil
+// WithSigstoreRootsData sets the sigstore roots data from raw json
+func WithSigstoreRoots(raw []byte) VerifierOptFunc {
+	return func(v *Verifier) {
+		v.SigstoreRootsData = raw
 	}
 }