Merge pull request #18395 from mlschroe/master

mlschroe · web-flow · commit 59027a494c4c · 2025-08-20T17:42:31.000+02:00
[backend] BSPublisher/Container: put consign_pubkey into the manifestinfo
diff --git a/src/backend/BSPublisher/Container.pm b/src/backend/BSPublisher/Container.pm
@@ -497,7 +497,7 @@ sub query_repostate {
 }
 
 sub create_manifestinfo {
-  my ($registry, $prp, $repository, $containerinfo, $imginfo) = @_;
+  my ($registry, $prp, $repository, $containerinfo, $imginfo, $cosign) = @_;
 
   my $dir = $registry->{'manifestinfos'};
   my $mani_id = $imginfo->{'distmanifest'};
@@ -519,6 +519,10 @@ sub create_manifestinfo {
   $_->{'base'} && ($_->{'base'} = \1) for @{$bins || []};       # turn flag to True
   $imginfo->{'packages'} = $bins if $bins;
   mkdir_p("$dir/$repository");
+  if ($cosign) {
+    $imginfo->{'cosign_cookie'} = $cosign->{'cookie'} if $cosign->{'cookie'};
+    $imginfo->{'cosign_pubkey'} = $cosign->{'pubkey_fp'} if $cosign->{'pubkey_fp'};
+  }
   my $imginfo_json = JSON::XS->new->utf8->canonical->encode($imginfo);
   unlink("$dir/$repository/.$mani_id.$$");
   writestr("$dir/$repository/.$mani_id.$$", "$dir/$repository/$mani_id", $imginfo_json);
@@ -615,7 +619,6 @@ sub upload_to_registry {
 
   return '' unless @{$containerinfos || []} && @{$tags || []};
   
-  my ($pubkey, $signargs) = ($data->{'pubkey'}, $data->{'signargs'});
   my $registryserver = $registry->{pushserver} || $registry->{server};
   my $pullserver = $registry->{server};
   $pullserver =~ s/https?:\/\///;
@@ -632,10 +635,6 @@ sub upload_to_registry {
     $oci = 1 if grep {$_ && $_ ne 'gzip'} @{$containerinfo->{'layer_compression'} || []};
   }
 
-  my $gun = $registry->{'notary_gunprefix'} || $registry->{'server'};
-  $gun =~ s/^https?:\/\///;
-  $gun .= "/$repository";
-
   # check if the registry is up-to-date
   if ($repostate && !($cosign && $cosign->{'force_rekor_upload'})) {
     my $taginfo = $data->{'regdata_cb'} ? {} : undef;
@@ -729,19 +728,19 @@ sub upload_to_registry {
   push @opts, '-m' if $multiarch;
   push @opts, '--oci' if $oci;
   push @opts, '-B', $blobdir if $blobdir;
-  if ($cosign && $cosign->{'cookie'}) {
+  if ($cosign) {
     my @signargs;
     push @signargs, '--project', $projid if $BSConfig::sign_project;
-    push @signargs, @{$signargs || []};
+    push @signargs, @{$cosign->{'signargs'} || []};
     my $pubkeyfile = "$uploaddir/publisher.$$.pubkey";
     push @tempfiles, $pubkeyfile;
     mkdir_p($uploaddir);
     unlink($pubkeyfile);
-    writestr($pubkeyfile, undef, $pubkey);
+    writestr($pubkeyfile, undef, $cosign->{'pubkey'});
     push @opts, '--cosign', '--cosigncookie', $cosign->{'cookie'};
-    push @opts, '-p', $pubkeyfile, '-G', $gun, @signargs;
-    push @opts, '--rekor', $registry->{'rekorserver'} if $registry->{'rekorserver'};
-    push @opts, '--force-rekor-upload' if $registry->{'rekorserver'} && $cosign->{'force_rekor_upload'};
+    push @opts, '-p', $pubkeyfile, '-G', $cosign->{'gun'}, @signargs;
+    push @opts, '--rekor', $cosign->{'rekorserver'} if $cosign->{'rekorserver'};
+    push @opts, '--force-rekor-upload' if $cosign->{'rekorserver'} && $cosign->{'force_rekor_upload'};
     push @opts, '--slsaprovenance' if $do_slsaprovenance;
     push @opts, '--sbom' if $do_sbom;
   }
@@ -756,6 +755,9 @@ sub upload_to_registry {
   process_regpush_error('uploading to registry', $result) if $result;
 
   if ($data->{'notify'}) {
+    my $gun = $registry->{'notary_gunprefix'} || $registry->{'server'};
+    $gun =~ s/^https?:\/\///;
+    $gun .= "/$repository";
     $data->{'notify'}->("$gun:$_") for @$tags;
   }
 
@@ -770,7 +772,7 @@ sub upload_to_registry {
       next unless $imginfo->{'distmanifest'};
       my $containerinfo = $uploadfiles{delete $imginfo->{'file'}};
       $imginfo->{'containerinfo'} = $containerinfo;
-      create_manifestinfo($registry, "$projid/$repoid", $repository, $containerinfo, $imginfo) if $registry->{'manifestinfos'};
+      create_manifestinfo($registry, "$projid/$repoid", $repository, $containerinfo, $imginfo, $cosign) if $registry->{'manifestinfos'};
     }
     if ($data->{'regdata_cb'}) {
       for my $tag (@{$uploadinfo->{'tags'} || []}) {
@@ -821,8 +823,9 @@ sub add_notary_upload {
   return unless $registry->{'notary'};
   my $gun = $registry->{'notary_gunprefix'} || $registry->{'server'};
   $gun =~ s/^https?:\/\///;
-  $notary_uploads->{"$gun/$repository"} ||= {'registry' => $registry, 'digests' => '', 'gun' => "$gun/$repository"};
-  $notary_uploads->{"$gun/$repository"}->{'digests'} .= $digest if $digest;
+  $gun .= "/$repository";
+  $notary_uploads->{$gun} ||= {'registry' => $registry, 'digests' => '', 'gun' => $gun};
+  $notary_uploads->{$gun}->{'digests'} .= $digest if $digest;
 }
 
 =head2 upload_to_notary - do all the collected notary uploads
@@ -954,9 +957,7 @@ sub do_local_uploads {
     my $containerinfo = { 'type' => 'artifacthub', 'artifacthubdata' => $data->{'artifacthubdata'}->{"$gun/$repository"} };
     push @{$todo{'artifacthub.io'}}, $containerinfo;
   }
-  eval {
-    BSPublisher::Registry::push_containers($registry, $projid, $repoid, $repository, \%todo, $data);
-  };
+  eval { BSPublisher::Registry::push_containers($registry, $projid, $repoid, $repository, \%todo, $data) };
   unlink($_) for @tempfiles;
   die($@) if $@;
   printf "local updating of %s took %d seconds\n", $repository, time() - $now;
@@ -1047,8 +1048,14 @@ sub do_remote_uploads {
     $cosign = $cosign ? {} : undef;
   }
   if ($cosign) {
-    my $creator = 'OBS';
-    $cosign->{'cookie'} = BSConSign::create_cosign_cookie($data->{'pubkey'}, $gun, $creator);
+    $cosign->{'creator'} = 'OBS';
+    $cosign->{'gun'} = $gun;
+    $cosign->{'pubkey'} = $data->{'pubkey'};
+    $cosign->{'signargs'} = $data->{'signargs'};
+    $cosign->{'pubkey_fp'} = BSPGP::pk2fingerprint(BSPGP::unarmor($data->{'pubkey'}));
+    $cosign->{'cookie'} = BSConSign::create_cosign_cookie($data->{'pubkey'}, $gun, $cosign->{'creator'});
+    $cosign->{'rekorserver'} = $registry->{'rekorserver'};
+    print "cosign cookie: $cosign->{'cookie'}\n";
     my $cosign_attestation = defined($registry->{'cosign_attestation'}) ? $registry->{'cosign_attestation'} : 1;
     $cosign_attestation = $cosign_attestation->($repository, $projid) if $cosign_attestation && ref($cosign_attestation) eq 'CODE';
     $cosign->{'attestation'} = 1 if $cosign_attestation;
diff --git a/src/backend/BSPublisher/Registry.pm b/src/backend/BSPublisher/Registry.pm
@@ -475,19 +475,21 @@ sub create_cosign_attestation_ent {
 }
 
 sub update_cosign {
-  my ($prp, $repo, $gun, $digests_to_cosign, $pubkey, $signargs, $rekorserver, $knownmanifests, $knownblobs) = @_;
+  my ($prp, $repo, $cosign, $digests_to_cosign, $knownmanifests, $knownblobs) = @_;
 
-  my $creator = 'OBS';
   my ($projid, $repoid) = split('/', $prp, 2);
+  my $gun = $cosign->{'gun'};
+  my $creator = $cosign->{'creator'};
+  my $rekorserver = $cosign->{'rekorserver'};
   my @signcmd;
   push @signcmd, $BSConfig::sign;
   push @signcmd, '--project', $projid if $BSConfig::sign_project;
-  push @signcmd, @{$signargs || []};
+  push @signcmd, @{$cosign->{'signargs'} || []};
   my $signfunc =  sub { BSUtil::xsystem($_[0], @signcmd, '-O', '-h', 'sha256') };
   my $repodir = "$registrydir/$repo";
   my $oldsigs = BSUtil::retrieve("$repodir/:cosign", 1) || {};
   return if !%$oldsigs && !%$digests_to_cosign;
-  my $gpgpubkey = BSPGP::unarmor($pubkey);
+  my $gpgpubkey = BSPGP::unarmor($cosign->{'pubkey'});
   my $pubkey_fp = BSPGP::pk2fingerprint($gpgpubkey);
   if (($oldsigs->{'pubkey'} || '') ne $pubkey_fp || ($oldsigs->{'gun'} || '') ne $gun || ($oldsigs->{'creator'} || '') ne ($creator || '')) {
     $oldsigs = {};	# fingerprint/gun/creator mismatch, do not use old signatures
@@ -585,7 +587,6 @@ sub push_containers {
 
   my ($pubkey, $signargs) = ($data->{'pubkey'}, $data->{'signargs'});
 
-  my $rekorserver = $registry->{'rekorserver'};
   my $gun = $registry->{'notary_gunprefix'} || $registry->{'server'};
   undef $gun if $gun && $gun eq 'local:';
   if ($gun) {
@@ -784,7 +785,8 @@ sub push_containers {
 
   # write signatures file (need to do this early as it adds manifests/blobs)
   if ($gun && defined($pubkey) && %digests_to_cosign) {
-    update_cosign($prp, $repo, $gun, \%digests_to_cosign, $pubkey, $signargs, $rekorserver, \%knownmanifests, \%knownblobs);
+    my $cosign = { 'creator' => 'OBS', 'gun' => $gun, 'pubkey' => $pubkey, 'signargs' => $signargs, 'rekorserver' => $registry->{'rekorserver'} };
+    update_cosign($prp, $repo, $cosign, \%digests_to_cosign, \%knownmanifests, \%knownblobs);
   } elsif (-e "$repodir/:cosign") {
     unlink("$repodir/:cosign");
   }
