Merge pull request #13 from tonistiigi/add-kind-name

types: add kind/name categorization for signatureinfo

Author: tonistiigi

cmd/policy-helper/formatter.go

@@ -17,6 +17,8 @@ func (f SignatureInfoFormatter) Format(s fmt.State, verb rune) {
 			tw := tabwriter.NewWriter(s, 0, 0, 2, ' ', 0)
 			defer tw.Flush()
 
+			fmt.Fprintf(tw, "Signature:\t%s\n", types.SignatureInfo(f).Name())
+
 			if f.IsDHI {
 				fmt.Fprintln(tw, "Image Type:\tDocker Hardened Image (DHI)")
 			}

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/sigstore/protobuf-specs v0.5.0
 	github.com/sigstore/sigstore v1.10.0
 	github.com/sigstore/sigstore-go v1.1.4-0.20251124094504-b5fe07a5a7d7
+	github.com/stretchr/testify v1.11.1
 	github.com/theupdateframework/go-tuf/v2 v2.3.0
 	golang.org/x/sync v0.18.0
 )
@@ -26,6 +27,7 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -62,6 +64,7 @@ require (
 	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/sigstore/rekor v1.4.3 // indirect
@@ -87,4 +90,5 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

types/name.go

@@ -0,0 +1,172 @@
+package types
+
+import (
+	"strings"
+)
+
+const (
+	githubPrefix                 = "https://github.com/"
+	githubBuilderURIExperimental = githubPrefix + "docker/github-builder-experimental/.github/workflows/"
+	githubBuilderURI             = githubPrefix + "docker/github-builder/.github/workflows/"
+
+	githubIssuer     = "https://token.actions.githubusercontent.com"
+	googleUserIssuer = "https://accounts.google.com"
+	githubUserIssuer = githubPrefix + "login/oauth"
+
+	sigstoreIssuer = "CN=sigstore-intermediate,O=sigstore.dev"
+)
+
+func (s SignatureInfo) DetectKind() Kind {
+	if isDHI(s) {
+		return KindDockerHardenedImage
+	}
+	if isGithubBuilder(s) {
+		return KindDockerGithubBuilder
+	}
+	if isGithubSelfSigned(s) {
+		return KindSelfSignedGithubRepo
+	}
+	if isSelfSigned(s) {
+		return KindSelfSigned
+	}
+	return KindUntrusted
+}
+
+func (s SignatureInfo) Name() string {
+	switch s.Kind {
+	case KindDockerHardenedImage:
+		return s.Kind.String() + " (" + s.DockerReference + ")"
+
+	case KindDockerGithubBuilder:
+		n := s.Kind.String()
+		if strings.HasPrefix(s.Signer.BuildSignerURI, githubBuilderURIExperimental) {
+			n += " Experimental"
+		}
+		n += " (" + strings.TrimPrefix(s.Signer.SourceRepositoryURI, githubPrefix)
+
+		if v, ok := strings.CutPrefix(s.Signer.SourceRepositoryRef, "refs/heads/"); ok {
+			n += "@" + v
+		} else if v, ok := strings.CutPrefix(s.Signer.SourceRepositoryRef, "refs/tags/"); ok {
+			n += "@" + v
+		}
+		n += ")"
+		return n
+
+	case KindSelfSignedGithubRepo:
+
+		return s.Kind.String() + " (" + strings.TrimPrefix(s.Signer.SourceRepositoryURI, githubPrefix) + ")"
+
+	case KindSelfSigned:
+		n := s.Kind.String()
+		if s.Signer.RunnerEnvironment != "github-hosted" {
+			n += " Local"
+		}
+		switch s.Signer.Issuer {
+		case googleUserIssuer:
+			n += " (Google: " + s.Signer.SubjectAlternativeName + ")"
+		case githubUserIssuer:
+			n += " (GitHub: " + s.Signer.SubjectAlternativeName + ")"
+		}
+		return n
+
+	default:
+		return s.Kind.String()
+	}
+}
+
+func isDHI(s SignatureInfo) bool {
+	if !s.IsDHI {
+		return false
+	}
+	if s.DockerReference == "" {
+		return false
+	}
+	return true
+}
+
+func isGithubBuilder(s SignatureInfo) bool {
+	if s.Signer == nil {
+		return false
+	}
+
+	if s.Signer.CertificateIssuer != sigstoreIssuer {
+		return false
+	}
+
+	isGithubBuilder := strings.HasPrefix(s.Signer.BuildSignerURI, githubBuilderURI)
+	isExperimental := strings.HasPrefix(s.Signer.BuildSignerURI, githubBuilderURIExperimental)
+	if !isGithubBuilder && !isExperimental {
+		return false
+	}
+
+	if !strings.HasPrefix(s.Signer.SubjectAlternativeName, githubBuilderURI) && !strings.HasPrefix(s.Signer.SubjectAlternativeName, githubBuilderURIExperimental) {
+		return false
+	}
+
+	if s.Signer.Issuer != githubIssuer {
+		return false
+	}
+
+	if !strings.HasPrefix(s.Signer.SourceRepositoryURI, githubPrefix) {
+		return false
+	}
+
+	if s.Signer.RunnerEnvironment != "github-hosted" {
+		return false
+	}
+
+	if len(s.Timestamps) == 0 {
+		return false
+	}
+
+	if s.SignatureType != SignatureBundleV03 {
+		return false
+	}
+
+	return true
+}
+
+func isSelfSigned(s SignatureInfo) bool {
+	if s.Signer == nil {
+		return false
+	}
+
+	if s.Signer.CertificateIssuer != sigstoreIssuer {
+		return false
+	}
+
+	return true
+}
+
+func isGithubSelfSigned(s SignatureInfo) bool {
+	if s.Signer == nil {
+		return false
+	}
+
+	if s.Signer.CertificateIssuer != sigstoreIssuer {
+		return false
+	}
+
+	if s.Signer.Issuer != githubIssuer {
+		return false
+	}
+
+	if !strings.HasPrefix(s.Signer.SourceRepositoryURI, "https://github.com/") {
+		return false
+	}
+
+	signerURIPrefix := s.Signer.SourceRepositoryURI + "/.github/workflows/"
+	if !strings.HasPrefix(s.Signer.BuildSignerURI, signerURIPrefix) {
+		return false
+	}
+
+	if !strings.HasPrefix(s.Signer.SubjectAlternativeName, signerURIPrefix) {
+		return false
+	}
+
+	if s.Signer.RunnerEnvironment != "github-hosted" {
+		return false
+	}
+
+	return true
+}