#!/usr/bin/env nix-shell
#!nix-shell -i bash -p step-cli cosign crane
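# Fail fast: an unset variable, a failing command, or a failing pipeline stage
# aborts the run instead of letting a later step sign/verify the wrong thing.
set -euo pipefail
# ttl.sh is a public, anonymous, short-lived registry: anyone can pull this
# tag, and anyone can push over it. Only throwaway demo content belongs here.
# The ":15m" tag doubles as the image TTL on that service.
REPO=ttl.sh/$(whoami)-test
IMAGE=$REPO:15m
# cosign binary to drive; overridable from the environment, defaulting to the
# one supplied by the nix-shell shebang above.
COSIGN=${COSIGN:-cosign}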
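# Make sure a throwaway image exists at $IMAGE and resolve it to a digest.
# Globals: IMAGE, REPO (read); IMAGE_DIGEST (written) as "$REPO@sha256:...".
# NOTE: the source is pulled by the mutable tag ":latest" and is only pinned to
#   a digest after the copy, so what gets signed is whatever that tag resolves
#   to at run time -- fine for a demo, not for anything reproducible.
function image_setup {
  local digest
  # Best-effort existence probe: a missing tag is the expected first-run case,
  # so its failure is swallowed on purpose and leaves digest empty.
  digest=$(crane digest "$IMAGE" 2> /dev/null || true)
  if [[ -z "$digest" ]]; then
    # crane's stderr is noisy progress output; keep it quiet but do not let a
    # failed copy die silently under set -e.
    crane cp cgr.dev/chainguard/musl-dynamic:latest "$IMAGE" 2> /dev/null \
      || { printf 'image_setup: crane cp to %s failed\n' "$IMAGE" >&2; return 1; }
    digest=$(crane digest "$IMAGE")
  fi
  IMAGE_DIGEST="$REPO@$digest"
}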
# Mint a throwaway three-tier code-signing PKI (root -> intermediate -> leaf)
# in the current directory with step-cli.
# Outputs: root-ca.{crt,key}, intermediate-ca.{crt,key}, leaf.{crt,key}, plus
#   the *.tpl template files they were minted from.
# NOTE: --no-password --insecure writes every private key unencrypted. That is
#   acceptable only because these live in a mktemp dir that main removes.
function make_a_pki {
  # Hand-written templates rather than `--profile root-ca` & co.: the stock
  # profiles do not emit extKeyUsage, and the chain needs codeSigning on every
  # link for the verify step. The heredoc delimiter is quoted so nothing in the
  # JSON is shell-expanded ({{ }} is step's Go-template syntax, not bash), and
  # the content is left at column 0 so the templates come out byte-identical.
  cat > root.tpl <<'EOF'
{
"subject": {{ toJson .Subject }},
"issuer": {{ toJson .Subject }},
"keyUsage": ["certSign", "crlSign"],
"extKeyUsage": ["codeSigning"],
"basicConstraints": {
"isCA": true,
"maxPathLen": 1
}
}
EOF
  # Self-signed root (issuer == subject in the template above).
  step certificate create root-ca root-ca.crt root-ca.key \
    --template root.tpl --no-password --insecure

  cat > intermediate.tpl <<'EOF'
{
"subject": {{ toJson .Subject }},
"keyUsage": ["certSign", "crlSign"],
"extKeyUsage": ["codeSigning"],
"basicConstraints": {
"isCA": true,
"maxPathLen": 0
}
}
EOF
  # Intermediate signed by the root; maxPathLen 0 means it may only issue leaves.
  step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
    --template intermediate.tpl \
    --ca ./root-ca.crt --ca-key ./root-ca.key \
    --no-password --insecure

  cat > leaf.tpl <<'EOF'
{
"subject": {{ toJson .Subject }},
"sans": [{"type": "email", "value": "user@example.com"}],
"keyUsage": ["digitalSignature"],
"extKeyUsage": ["codeSigning"]
}
EOF
  # Signing leaf issued by the intermediate; the e-mail SAN is the identity a
  # verifier could pin against.
  step certificate create leaf leaf.crt leaf.key \
    --template leaf.tpl \
    --ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
    --no-password --insecure
}
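# Sign the digest-pinned image with the leaf key and verify the signature
# against the hand-built chain, inside a temp dir removed on every exit path.
# Globals: COSIGN, IMAGE (read); IMAGE_DIGEST (read, set by image_setup);
#   WORKING_DIR, ORIG_DIR (written, read by the EXIT trap).
function main {
  ORIG_DIR=$PWD
  WORKING_DIR=$(mktemp -d)
  # Clean up on any exit (including a set -e abort), not just the happy path.
  # Leave the directory first so rm never runs with it as the cwd; ":?" makes
  # an empty WORKING_DIR a hard error instead of an rm -rf of "/".
  trap 'cd "$ORIG_DIR" && rm -rf -- "${WORKING_DIR:?}"' EXIT
  cd "$WORKING_DIR"
  image_setup
  make_a_pki
  # Empty password keeps import-key-pair non-interactive; the imported key is a
  # throwaway in the temp dir, so storing it unencrypted is deliberate here.
  export COSIGN_PASSWORD=''
  "$COSIGN" import-key-pair --key leaf.key
  # Sign the digest reference, not the tag, so a later push to :15m cannot
  # re-point what the signature covers. --upload=false keeps the signature
  # local in image.sig instead of attaching it to the registry.
  "$COSIGN" sign --key import-cosign.key --output-signature image.sig \
    --upload=false "$IMAGE_DIGEST"
  # NOTE(review): with the flags shown, nothing pins the signer identity -- any
  # leaf chaining to root-ca.crt would verify. A non-demo check should also
  # constrain the identity, e.g. --certificate-email user@example.com to match
  # the leaf SAN (flag availability depends on the cosign version in use).
  "$COSIGN" verify --certificate-chain <(cat root-ca.crt intermediate-ca.crt) \
    --certificate leaf.crt --signature image.sig "$IMAGE"
}
main "$@"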
Your certificate has been saved in root-ca.crt.
Your private key has been saved in root-ca.key.
Your certificate has been saved in intermediate-ca.crt.
Your private key has been saved in intermediate-ca.key.
Your certificate has been saved in leaf.crt.
Your private key has been saved in leaf.key.
Private key written to import-cosign.key
Public key written to import-cosign.pub
Verification for ttl.sh/zjn-test:15m --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"ttl.sh/zjn-test"},"image":{"docker-manifest-digest":"sha256:c77be1d3a47d0caf71a82dd893ee61ce01f32fc758031a6ec4cf1389248bb833"},"type":"cosign container image signature"},"optional":null}]