diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b9e5337819..52c8cd666b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -47,7 +47,7 @@ jobs: awk -F'[ .]' '/^go /{print "version=" $2 "." $3; exit}' go.mod >>"${GITHUB_OUTPUT}" - name: Set up Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: "${{ steps.go_version.outputs.version }}" check-latest: true diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 887c85887f..7cec2d281f 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -33,4 +33,4 @@ jobs: with: persist-credentials: false - name: 'Dependency Review' - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # 4.6.0 + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # 4.7.1 diff --git a/.github/workflows/e2e_test.yml b/.github/workflows/e2e_test.yml index ae19c6adf7..f84d657577 100644 --- a/.github/workflows/e2e_test.yml +++ b/.github/workflows/e2e_test.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: Set up Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -71,7 +71,7 @@ jobs: with: persist-credentials: false - name: Set up Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: 'go.mod' check-latest: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 76716006d2..34a6830997 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -43,7 +43,7 @@ jobs: persist-credentials: false - name: Set up Go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: ${{ matrix.go-version }} check-latest: true diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 61f3c4732b..548f2ebefe 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -37,7 +37,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -70,12 +70,12 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: ${{ matrix.module }}/go.mod check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0 + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: - version: v2.0 + version: v2.1 working-directory: ${{ matrix.module }} diff --git a/POLICY.md b/POLICY.md index 0431d56865..90e815369a 100644 --- a/POLICY.md +++ b/POLICY.md 
@@ -3,70 +3,62 @@ sigstore/sigstore contains interfaces to provide signing and verification options with in-memory and cloud-provider KMS keys. This document specifies the currently supported signing and hashing algorithms and KMS providers, along with criteria for proposing new algorithms and providers. -## Signing algorithms +## Signing and hashing algorithms -Sigstore supports the following signing algorithms: +See the [algorithm registry specification](https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md) +for the set of supported algorithms. This document describes the set of algorithms that _may_ be supported +by Sigstore clients. Clients that support only the public-good instance will implement a subset of these +algorithms, as documented in the +[public deployment specification](https://github.com/sigstore/architecture-docs/blob/main/sigstore-public-deployment-spec.md). -* RSA, with key sizes: - * 2048 - * 3072 - * 4096 -* ECDSA, with curves: - * NIST P-224 (secp224r1) - * NIST P-256 (secp256r1, prime256v1) - * NIST P-384 (secp384r1) - * NIST P-521 (secp521r1) -* Ed25519 - -Sigstore supports both the RSA-PKCS#1v1.5 and RSA-PSS signature schemes, and will only support well-known schemes implemented by the Golang crypto package. -Sigstore will not support non-standard RSA key sizes. Sigstore will only support well-known ECDSA curves implemented by the Golang crypto package. +New algorithms must be implemented by a Go library, since Fulcio and Rekor will need to be updated to support the new +signing algorithms. We would prefer algorithms are implemented by the standard library, but may accept proposals +that use well-known and vetted libraries, and that are not based on C implementations with Go bindings. 
### Post-quantum signing algorithms -Post-quantum (PQ) computing will require new signing algorithms, as modern signing algorithms that depend on the difficulty of the integer factorization problem and discrete logarithm problem will be easily broken by quantum computing. +Post-quantum (PQ) computing will require new signing algorithms, as modern signing algorithms that depend on the difficulty of the +integer factorization problem and discrete logarithm problem will be easily broken by quantum computing. + +Sigstore has begun to experiment with support for post-quantum cryptography signing algorithms. We have selected +the two NIST-standardized algorithms, ML-DSA (FIPS 204, Dilithium) and SLH-DSA (FIPS 205, SPHINCS+), for the +initial experiments. While LMS and LMS-OTS could be used to generate signatures with ephemeral keys, they will not +be supported due to requiring state. + +Before adding support for a new algorithm under `pkg/signature`, the algorithm will need to be added to the +[algorithm registry specification](https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md), +along with an updated to the protobuf specification, updating +[`PublicKeyDetails`](https://github.com/sigstore/protobuf-specs/blob/c30eb14cece57d88c08579197ecfdb57a5f1aba5/protos/sigstore_common.proto#L63) +and [`HashAlgorithm`](https://github.com/sigstore/protobuf-specs/blob/c30eb14cece57d88c08579197ecfdb57a5f1aba5/protos/sigstore_common.proto#L37) +if necessary. -Sigstore does not yet have a stance on which PQ signing algorithms will be supported. -NIST is [currently selecting](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022) -a set of recommended signing algorithms. 
We present some high-level thoughts on the top candidates and existing hash-based schemes: +We present some high-level thoughts on the current set of standardized algorithms: -* LMS/XMSS - Hash-based signature schemes that are quick to produce and verify with a small public key size, but larger in signature size. +* LMS/XMSS (SP 800-208) - Hash-based signature schemes that are quick to produce and verify with a small public key size, but larger in signature size. NIST selected these two algorithms for hash-based signature schemes in 2020 ([SP 800.208](https://csrc.nist.gov/pubs/sp/800/208/final)). LMS/XMSS have a significant drawback in that these signatures are stateful. Signing key reuse over a given amount breaks the security of LMS/XMSS. These signing algorithms could work well for Sigstore's usage of ephemeral keys, since a key should only be used once for a signing event. However, these would not work for: * Self-managed keys that may be reused, unless the signer keeps track of usage * CAs (Fulcio) that sign certificates or transparency logs (Rekor) that sign log checkpoints, unless the services keep track of usage. For Sigstore, service key rotation is currently a manual process involving a TUF root signing event, so we are unable to automatically rotate service key material. * TUF metadata itself, which is signed, unless the metadata keys are rotated out before being reused too frequently. -* SPHINCS+ - Hash-based signature scheme that is quick to verify with a small public key size, but with a very large signature size and is very slow to verify. +* SLH-DSA (FIPS 205, SPHINCS+) - Hash-based signature scheme that is quick to verify with a small public key size, but with a very large signature size and is very slow to verify. Note that this scheme is stateless, so reuse is not a concern. Neither of the drawbacks are a significant concern in code signing, although storage costs would increase for transparency log operators. 
Code signing can be slow, because it's a one-time process that can be automated. -* CRYSTALS-Dilithium - Lattice-based signature scheme with fast signing and verification, but larger public key and signature sizes. +* ML-DSA (FIPS 204, Dilithium) - Lattice-based signature scheme with fast signing and verification, but larger public key and signature sizes. Dilithium offers good tradeoffs between signing/verification time and public key/signature sizes, though the larger key and signature sizes will increase storage costs for transparency log operators. * Falcon - Lattice-based signature scheme with fast verification, with larger public key and signature sizes, but smaller than Dilithium, and slower signing than Dilithium. Like Dilithium, Falcon offers good tradeoffs between signing/verification time and public key/signature sizes. However, Falcon is likely to be a complex implementation and there are some concerns around its use of floating point operations. This is not an exhaustive list, and this list may be updated as candidates are removed or if new signing algorithms are designed. -We recommend reading Cloudflare's [scheme comparison](https://blog.cloudflare.com/sizing-up-post-quantum-signatures/) -and [a deep dive into signing](https://blog.cloudflare.com/post-quantum-signatures/) to learn more. - -We will add support for PQ signing algorithms once the Golang crypto package adopts these signing algorithms. -We will accept PRs with experimental support for NIST candidates once well-known and vetted Golang libraries are created for PQ signing. -We will not accept PRs for PQ signing algorithms based on C implementations with a Go shim, though we encourage experimentation on forks and welcome any feedback on recommended algorithms in a GitHub discussion. 
- -## Hashing algorithms - -Sigstore supports the following hashing algorithms: - -* SHA256 -* SHA384 -* SHA512 - -Supported but discouraged algorithms include: - -* SHA1 - SHA1 is allowed only in limited cases for compatibility with certain file types that require SHA1. -* SHA224 - -Sigstore will add support for SHA3 once the SHA3 implementation is moved from Golang's x/crypto package to its standard crypto package. +We recommend reading Cloudflare's [scheme comparison](https://blog.cloudflare.com/sizing-up-post-quantum-signatures/), +[a deep dive into signing](https://blog.cloudflare.com/post-quantum-signatures/), and +[another look at PQ signatures](https://blog.cloudflare.com/another-look-at-pq-signatures/) to learn more. + +We will add support for PQ signing algorithms once the Go crypto package adopts these signing algorithms. +We will accept PRs with experimental support for NIST-standardized or candidate algorithms using well-known and vetted Go libraries are created for PQ signing. +We will not accept PRs for PQ signing algorithms based on C implementations with Go bindings, though we encourage experimentation on forks and welcome +any feedback on recommended algorithms in a GitHub discussion. ## KMS providers diff --git a/go.mod b/go.mod index cafd0ceeef..96ec48cfe0 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.23.0 toolchain go1.23.6 require ( - github.com/coreos/go-oidc/v3 v3.13.0 + github.com/coreos/go-oidc/v3 v3.14.1 github.com/go-jose/go-jose/v4 v4.0.5 github.com/go-rod/rod v0.116.2 github.com/go-test/deep v1.1.1 @@ -19,11 +19,10 @@ require ( github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 github.com/stretchr/testify v1.10.0 github.com/theupdateframework/go-tuf v0.7.0 - github.com/tink-crypto/tink-go/v2 v2.3.0 + github.com/tink-crypto/tink-go/v2 v2.4.0 golang.org/x/crypto v0.36.0 - golang.org/x/oauth2 v0.28.0 + golang.org/x/oauth2 v0.30.0 golang.org/x/term v0.30.0 - google.golang.org/protobuf v1.36.6 ) require ( 
@@ -40,5 +39,6 @@ require (
 github.com/ysmood/leakless v0.9.0 // indirect
 golang.org/x/sys v0.31.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
+ google.golang.org/protobuf v1.36.6 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 5fe47857c6..bd6faebcf4 100644
--- a/go.sum
+++ b/go.sum
@@ -7,8 +7,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
-github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8=
-github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -106,8 +106,8 @@ github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDd
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/tink-crypto/tink-go/v2 v2.3.0 h1:4/TA0lw0lA/iVKBL9f8R5eP7397bfc4antAMXF5JRhs=
-github.com/tink-crypto/tink-go/v2 v2.3.0/go.mod h1:kfPOtXIadHlekBTeBtJrHWqoGL+Fm3JQg0wtltPuxLU=
+github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0=
+github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ=
@@ -141,8 +141,8 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/pkg/signature/kms/aws/go.mod b/pkg/signature/kms/aws/go.mod
index 44ba763cf9..94106e37fd 100644
--- a/pkg/signature/kms/aws/go.mod
+++ b/pkg/signature/kms/aws/go.mod
@@ -7,17 +7,17 @@ go 1.23.0 toolchain go1.23.6 require ( - github.com/aws/aws-sdk-go v1.55.6 + github.com/aws/aws-sdk-go v1.55.7 github.com/aws/aws-sdk-go-v2 v1.36.3 - github.com/aws/aws-sdk-go-v2/config v1.29.13 - github.com/aws/aws-sdk-go-v2/service/kms v1.38.2 + github.com/aws/aws-sdk-go-v2/config v1.29.14 + github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 github.com/jellydator/ttlcache/v3 v3.3.0 github.com/sigstore/sigstore v1.6.4 github.com/stretchr/testify v1.10.0 ) require ( - github.com/aws/aws-sdk-go-v2/credentials v1.17.66 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect @@ -26,7 +26,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.18 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect github.com/aws/smithy-go v1.22.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/go-jose/go-jose/v4 v4.0.5 // indirect diff --git a/pkg/signature/kms/aws/go.sum b/pkg/signature/kms/aws/go.sum index 98923a1798..25c929caf1 100644 --- a/pkg/signature/kms/aws/go.sum +++ b/pkg/signature/kms/aws/go.sum 
@@ -1,11 +1,11 @@
-github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
-github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
+github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
 github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
-github.com/aws/aws-sdk-go-v2/config v1.29.13 h1:RgdPqWoE8nPpIekpVpDJsBckbqT4Liiaq9f35pbTh1Y=
-github.com/aws/aws-sdk-go-v2/config v1.29.13/go.mod h1:NI28qs/IOUIRhsR7GQ/JdexoqRN9tDxkIrYZq0SOF44=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.66 h1:aKpEKaTy6n4CEJeYI1MNj97oSDLi4xro3UzQfwf5RWE=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.66/go.mod h1:xQ5SusDmHb/fy55wU0QqTy0yNfLqxzec59YcsRZB+rI=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
@@ -18,14 +18,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
-github.com/aws/aws-sdk-go-v2/service/kms v1.38.2 h1:945yEU8s1zYwy9s/2JzEJoHKvbAaZEkPqt8TOuO6r/g=
-github.com/aws/aws-sdk-go-v2/service/kms v1.38.2/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 h1:RivOtUH3eEu6SWnUMFHKAW4MqDOzWn1vGQ3S38Y5QMg=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.3/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.18 h1:xz7WvTMfSStb9Y8NpCT82FXLNC3QasqBfuAFHY4Pk5g=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.18/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
 github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
diff --git a/pkg/signature/kms/azure/go.mod b/pkg/signature/kms/azure/go.mod index 8b445fd9e9..5273f0793e 100644 --- a/pkg/signature/kms/azure/go.mod +++ b/pkg/signature/kms/azure/go.mod @@ -7,20 +7,20 @@ go 1.23.0 toolchain go1.23.6 require ( - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 github.com/go-jose/go-jose/v4 v4.0.5 github.com/google/go-cmp v0.7.0 github.com/jellydator/ttlcache/v3 v3.3.0 github.com/sigstore/sigstore v1.6.4 - golang.org/x/crypto v0.36.0 + golang.org/x/crypto v0.38.0 ) require ( - github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect github.com/golang-jwt/jwt/v5 v5.2.2 // indirect github.com/google/go-containerregistry v0.20.3 // indirect github.com/google/uuid v1.6.0 // indirect 
@@ -31,11 +31,11 @@ require (
 github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 github.com/sigstore/protobuf-specs v0.4.1 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
- golang.org/x/net v0.36.0 // indirect
- golang.org/x/sync v0.12.0 // indirect
- golang.org/x/sys v0.31.0 // indirect
- golang.org/x/term v0.30.0 // indirect
- golang.org/x/text v0.23.0 // indirect
+ golang.org/x/net v0.40.0 // indirect
+ golang.org/x/sync v0.14.0 // indirect
+ golang.org/x/sys v0.33.0 // indirect
+ golang.org/x/term v0.32.0 // indirect
+ golang.org/x/text v0.25.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
 google.golang.org/protobuf v1.36.6 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/pkg/signature/kms/azure/go.sum b/pkg/signature/kms/azure/go.sum
index cf2fbe3c87..fa8b6e915b 100644
--- a/pkg/signature/kms/azure/go.sum
+++ b/pkg/signature/kms/azure/go.sum
@@ -1,19 +1,19 @@
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 h1:j8BorDEigD8UFOSZQiSqAMOOleyQOOQPnUAwV+Ls1gA=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -40,8 +40,8 @@ github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHT
 github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
 github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=
-github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
-github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw=
+github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
+github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -66,8 +66,8 @@ github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI
 github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
-github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
-github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
+github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc=
@@ -80,19 +80,19 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod 
h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= +golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= +golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8= google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 h1:P8OJ/WCl/Xo4E4zoe4/bifHpSmmKwARqyqE4nW6J2GQ= google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:RGnPtTG7r4i8sPlNyDeikXF99hMM+hN6QMm4ooG9g2g= diff --git a/pkg/signature/kms/azure/signer.go b/pkg/signature/kms/azure/signer.go index 1207849ede..3889306ae4 100644 --- a/pkg/signature/kms/azure/signer.go +++ b/pkg/signature/kms/azure/signer.go @@ -87,12 +87,14 @@ func LoadSignerVerifier(defaultCtx context.Context, referenceStr string) (*Signe // All other options are ignored if specified. func (a *SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOption) ([]byte, error) { var digest []byte + ctx := a.defaultCtx for _, opt := range opts { + opt.ApplyContext(&ctx) opt.ApplyDigest(&digest) } - hashFunc, _, err := a.client.getKeyVaultHashFunc(a.defaultCtx) + hashFunc, _, err := a.client.getKeyVaultHashFunc(ctx) if err != nil { return nil, err } @@ -102,7 +104,7 @@ func (a *SignerVerifier) SignMessage(message io.Reader, opts ...signature.SignOp return nil, err } - rawSig, err := a.client.sign(a.defaultCtx, digest) + rawSig, err := a.client.sign(ctx, digest) if err != nil { return nil, err } diff --git a/pkg/signature/kms/gcp/go.mod b/pkg/signature/kms/gcp/go.mod index 43d13bd3ac..ff2ea6c9c1 100644 --- a/pkg/signature/kms/gcp/go.mod +++ b/pkg/signature/kms/gcp/go.mod 
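Review bot: The doc comment carried as context at the top of the first signer.go hunk, `// All other options are ignored if specified.`, no longer matches the new body: the loop now calls `opt.ApplyContext(&ctx)`, so a caller-supplied context option is honored for both the `getKeyVaultHashFunc` call here and the `sign` call in the second hunk. Suggest changing that line to `// WithContext and the digest option are honored; all other options are ignored if specified.` and checking the earlier lines of the same comment, which start outside the hunk, so the list of honored options stays consistent. If the other methods on `SignerVerifier` still pass `a.defaultCtx` only (not visible here), it is worth deciding in this change whether they should follow the same pattern so cancellation and deadlines behave uniformly across the Key Vault calls.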
@@ -7,21 +7,21 @@ go 1.23.0 toolchain go1.23.6 require ( - cloud.google.com/go/kms v1.21.1 + cloud.google.com/go/kms v1.21.2 github.com/jellydator/ttlcache/v3 v3.3.0 github.com/sigstore/sigstore v1.6.4 - golang.org/x/oauth2 v0.28.0 - google.golang.org/api v0.228.0 + golang.org/x/oauth2 v0.30.0 + google.golang.org/api v0.233.0 google.golang.org/protobuf v1.36.6 ) require ( - cloud.google.com/go v0.118.3 // indirect - cloud.google.com/go/auth v0.15.0 // indirect + cloud.google.com/go v0.120.0 // indirect + cloud.google.com/go/auth v0.16.1 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.6.0 // indirect - cloud.google.com/go/iam v1.4.1 // indirect - cloud.google.com/go/longrunning v0.6.5 // indirect + cloud.google.com/go/iam v1.5.0 // indirect + cloud.google.com/go/longrunning v0.6.6 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-jose/go-jose/v4 v4.0.5 // indirect github.com/go-logr/logr v1.4.2 // indirect 
@@ -36,21 +36,21 @@ require ( github.com/sigstore/protobuf-specs v0.4.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect - go.opentelemetry.io/otel v1.34.0 // indirect - go.opentelemetry.io/otel/metric v1.34.0 // indirect - go.opentelemetry.io/otel/trace v1.34.0 // indirect - golang.org/x/crypto v0.36.0 // indirect - golang.org/x/net v0.37.0 // indirect - golang.org/x/sync v0.12.0 // indirect - golang.org/x/sys v0.31.0 // indirect - golang.org/x/term v0.30.0 // indirect - golang.org/x/text v0.23.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect + go.opentelemetry.io/otel v1.35.0 // indirect + go.opentelemetry.io/otel/metric v1.35.0 // indirect + go.opentelemetry.io/otel/trace v1.35.0 // indirect + golang.org/x/crypto v0.38.0 // indirect + golang.org/x/net v0.40.0 // indirect + golang.org/x/sync v0.14.0 // indirect + golang.org/x/sys v0.33.0 // indirect + golang.org/x/term v0.32.0 // indirect + golang.org/x/text v0.25.0 // indirect golang.org/x/time v0.11.0 // indirect google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect - google.golang.org/grpc v1.71.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 // indirect + google.golang.org/grpc v1.72.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) 
diff --git a/pkg/signature/kms/gcp/go.sum b/pkg/signature/kms/gcp/go.sum index ee73f886d9..932e6897e5 100644 --- a/pkg/signature/kms/gcp/go.sum +++ b/pkg/signature/kms/gcp/go.sum 
@@ -1,17 +1,17 @@ -cloud.google.com/go v0.118.3 h1:jsypSnrE/w4mJysioGdMBg4MiW/hHx/sArFpaBWHdME= -cloud.google.com/go v0.118.3/go.mod h1:Lhs3YLnBlwJ4KA6nuObNMZ/fCbOQBPuWKPoE0Wa/9Vc= -cloud.google.com/go/auth v0.15.0 h1:Ly0u4aA5vG/fsSsxu98qCQBemXtAtJf+95z9HK+cxps= -cloud.google.com/go/auth v0.15.0/go.mod h1:WJDGqZ1o9E9wKIL+IwStfyn/+s59zl4Bi+1KQNVXLZ8= +cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA= +cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q= +cloud.google.com/go/auth v0.16.1 h1:XrXauHMd30LhQYVRHLGvJiYeczweKQXZxsTbV9TiguU= +cloud.google.com/go/auth v0.16.1/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= -cloud.google.com/go/iam v1.4.1 h1:cFC25Nv+u5BkTR/BT1tXdoF2daiVbZ1RLx2eqfQ9RMM= -cloud.google.com/go/iam v1.4.1/go.mod h1:2vUEJpUG3Q9p2UdsyksaKpDzlwOrnMzS30isdReIcLM= -cloud.google.com/go/kms v1.21.1 h1:r1Auo+jlfJSf8B7mUnVw5K0fI7jWyoUy65bV53VjKyk= -cloud.google.com/go/kms v1.21.1/go.mod h1:s0wCyByc9LjTdCjG88toVs70U9W+cc6RKFc8zAqX7nE= -cloud.google.com/go/longrunning v0.6.5 h1:sD+t8DO8j4HKW4QfouCklg7ZC1qC4uzVZt8iz3uTW+Q= -cloud.google.com/go/longrunning v0.6.5/go.mod h1:Et04XK+0TTLKa5IPYryKf5DkpwImy6TluQ1QTLwlKmY= +cloud.google.com/go/iam v1.5.0 h1:QlLcVMhbLGOjRcGe6VTGGTyQib8dRLK2B/kYNV0+2xs= +cloud.google.com/go/iam v1.5.0/go.mod h1:U+DOtKQltF/LxPEtcDLoobcsZMilSRwR7mgNL7knOpo= +cloud.google.com/go/kms v1.21.2 h1:c/PRUSMNQ8zXrc1sdAUnsenWWaNXN+PzTXfXOcSFdoE= +cloud.google.com/go/kms v1.21.2/go.mod h1:8wkMtHV/9Z8mLXEXr1GK7xPSBdi6knuLXIhqjuWcI6w= +cloud.google.com/go/longrunning v0.6.6 
h1:XJNDo5MUfMM05xK3ewpbSdmt7R2Zw+aQEMbdQR65Rbw= +cloud.google.com/go/longrunning v0.6.6/go.mod h1:hyeGJUrPHcx0u2Uu1UFSoYZLn4lkMrccJig0t4FI7yw= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= 
@@ -79,48 +79,48 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= -go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= -go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= -go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= -go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= -go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= -go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= -go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= -go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= -go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= -go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw= 
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ= +go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= +go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= +go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= +go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= +go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY= +go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg= +go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o= +go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w= +go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= +go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= -golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= -golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c= -golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= -golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc= -golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= -golang.org/x/sync v0.12.0 
h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= -golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= -golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= -golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y= -golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= -golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= -golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= +golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= +golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= +golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= +golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= +golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= +golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= -google.golang.org/api v0.228.0 h1:X2DJ/uoWGnY5obVjewbp8icSL5U4FzuCfy9OjbLSnLs= -google.golang.org/api v0.228.0/go.mod 
h1:wNvRS1Pbe8r4+IfBIniV8fwCpGwTrYa+kMUDiC5z5a4= +google.golang.org/api v0.233.0 h1:iGZfjXAJiUFSSaekVB7LzXl6tRfEKhUN7FkZN++07tI= +google.golang.org/api v0.233.0/go.mod h1:TCIVLLlcwunlMpZIhIp7Ltk77W+vUSdUKAAIlbxY44c= google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE= google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE= -google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950= -google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= -google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg= -google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= +google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e h1:UdXH7Kzbj+Vzastr5nVfccbmFsmYNygVLSPk1pEfDoY= +google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e/go.mod h1:085qFyf2+XaZlRdCgKNCIZ3afY2p4HHZdoIRpId8F4A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2 h1:IqsN8hx+lWLqlN+Sc3DoMy/watjofWiU8sRFgQ8fhKM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM= +google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= 
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/pkg/signature/kms/hashivault/client.go b/pkg/signature/kms/hashivault/client.go index 4501e8640b..49501cf28a 100644 --- a/pkg/signature/kms/hashivault/client.go +++ b/pkg/signature/kms/hashivault/client.go @@ -289,9 +289,24 @@ func (h hashivaultClient) sign(digest []byte, alg crypto.Hash, opts ...signature } } + prehashed := alg != crypto.Hash(0) + + pub, err := h.public() + if err != nil { + return nil, fmt.Errorf("determining key type: %w", err) + } + switch pub.(type) { + case ed25519.PublicKey: + if alg == crypto.SHA512 { + prehashed = true + break + } + prehashed = false + } + signResult, err := client.Write(fmt.Sprintf("/%s/sign/%s%s", h.transitSecretEnginePath, h.keyPath, hashString(alg)), map[string]interface{}{ "input": base64.StdEncoding.Strict().EncodeToString(digest), - "prehashed": alg != crypto.Hash(0), + "prehashed": prehashed, "key_version": keyVersion, "signature_algorithm": "pkcs1v15", }) @@ -337,10 +352,24 @@ func (h hashivaultClient) verify(sig, digest []byte, alg crypto.Hash, opts ...si } } } + prehashed := alg != crypto.Hash(0) + + pub, err := h.public() + if err != nil { + return fmt.Errorf("determining key type: %w", err) + } + switch pub.(type) { + case ed25519.PublicKey: + if alg == crypto.SHA512 { + prehashed = true + break + } + prehashed = false + } result, err := client.Write(fmt.Sprintf("/%s/verify/%s/%s", h.transitSecretEnginePath, h.keyPath, hashString(alg)), map[string]interface{}{ "input": base64.StdEncoding.EncodeToString(digest), - "prehashed": alg != crypto.Hash(0), + "prehashed": prehashed, "signature": fmt.Sprintf("%s%s", vaultDataPrefix, encodedSig), }) if err != nil { diff --git a/pkg/signature/kms/hashivault/e2e_test.go b/pkg/signature/kms/hashivault/e2e_test.go index bc71bcaade..6ea16d3fae 100644 --- a/pkg/signature/kms/hashivault/e2e_test.go +++ b/pkg/signature/kms/hashivault/e2e_test.go 
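Review bot: The ed25519 case in the new sign hunk, `if alg == crypto.SHA512 { prehashed = true; break }; prehashed = false`, is just `prehashed = alg == crypto.SHA512`, and the whole `h.public()`-plus-switch block is repeated verbatim in the verify hunk (@@ -337,10 +352,24 @@). Factoring it into one method keeps the two paths from drifting, which matters here because a sign/verify mismatch on the prehashed flag would make signatures unverifiable for one key type only. If `h.public()` fetches the key from Vault rather than a local cache, each sign and verify now also pays an extra round trip; that is not visible in the hunk, so worth confirming. Both enclosing functions start and end outside the hunk.
```go
// prehashedFor reports whether the Transit request should mark the input as
// already hashed: for Ed25519 keys only a SHA-512 digest counts as pre-hashed,
// for every other key type any non-zero hash does.
func (h hashivaultClient) prehashedFor(alg crypto.Hash) (bool, error) {
	pub, err := h.public()
	if err != nil {
		return false, fmt.Errorf("determining key type: %w", err)
	}
	if _, ok := pub.(ed25519.PublicKey); ok {
		return alg == crypto.SHA512, nil
	}
	return alg != crypto.Hash(0), nil
}

// in sign (verify is the same with a single-value `return err`):
prehashed, err := h.prehashedFor(alg)
if err != nil {
	return nil, err
}
// … unchanged: client.Write call with "prehashed": prehashed …
```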
@@ -425,7 +425,7 @@ func (suite *VaultSuite) TestVerify() { } func (suite *VaultSuite) TestED25519() { - provider := suite.GetProvider("testverify") + provider := suite.GetProvider("tested25519") key, err := provider.CreateKey(context.Background(), AlgorithmED25519) assert.Nil(suite.T(), err) diff --git a/pkg/signature/kms/hashivault/go.mod b/pkg/signature/kms/hashivault/go.mod index ec0ae52a7b..895582098a 100644 --- a/pkg/signature/kms/hashivault/go.mod +++ b/pkg/signature/kms/hashivault/go.mod @@ -37,7 +37,7 @@ require ( github.com/sigstore/protobuf-specs v0.4.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect golang.org/x/crypto v0.36.0 // indirect - golang.org/x/net v0.36.0 // indirect + golang.org/x/net v0.38.0 // indirect golang.org/x/sync v0.12.0 // indirect golang.org/x/sys v0.31.0 // indirect golang.org/x/term v0.30.0 // indirect diff --git a/pkg/signature/kms/hashivault/go.sum b/pkg/signature/kms/hashivault/go.sum index 2d4182029a..21f7f106b6 100644 --- a/pkg/signature/kms/hashivault/go.sum +++ b/pkg/signature/kms/hashivault/go.sum 
@@ -98,8 +98,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= -golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA= -golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= diff --git a/pkg/signature/kms/kms.go b/pkg/signature/kms/kms.go index 7baf9504b8..9432dfe4e8 100644 --- a/pkg/signature/kms/kms.go +++ b/pkg/signature/kms/kms.go @@ -23,6 +23,7 @@ import ( "fmt" "os/exec" "strings" + "sync" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/kms/cliplugin" @@ -45,10 +46,15 @@ type ProviderInit func(context.Context, string, crypto.Hash, ...signature.RPCOpt // AddProvider adds the provider implementation into the local cache func AddProvider(keyResourceID string, init ProviderInit) { + providersMapMu.Lock() + defer providersMapMu.Unlock() providersMap[keyResourceID] = init } -var providersMap = map[string]ProviderInit{} +var ( + providersMapMu sync.RWMutex + providersMap = map[string]ProviderInit{} +) // Get returns a KMS SignerVerifier for the given resource string and hash function. // If no matching built-in provider is found, it will try to use the plugin system as a provider. 
@@ -58,6 +64,8 @@ var providersMap = map[string]ProviderInit{}
 // - the plugin program, can't be found.
 // It also returns an error if initializing the SignerVerifier fails.
 func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (SignerVerifier, error) {
+ providersMapMu.RLock()
+ defer providersMapMu.RUnlock()
 for ref, pi := range providersMap {
 if strings.HasPrefix(keyResourceID, ref) {
 sv, err := pi(ctx, keyResourceID, hashFunc, opts...)
@@ -77,6 +85,8 @@ func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts .
 // SupportedProviders returns list of initialized providers
 func SupportedProviders() []string {
 keys := make([]string, 0, len(providersMap))
+ providersMapMu.RLock()
+ defer providersMapMu.RUnlock()
 for key := range providersMap {
 keys = append(keys, key)
 }
diff --git a/pkg/signature/tink/tink.go b/pkg/signature/tink/tink.go
index 9edc22166d..c6f6eaddee 100644
--- a/pkg/signature/tink/tink.go
+++ b/pkg/signature/tink/tink.go
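Review bot: In the first kms.go hunk, `defer providersMapMu.RUnlock()` keeps the read lock held across `pi(ctx, keyResourceID, hashFunc, opts...)`, so every provider constructor (which may set up a remote KMS client) runs under the registry lock. `sync.RWMutex` is not reentrant, so a ProviderInit that itself calls AddProvider deadlocks, and once a writer is waiting on `Lock()` new readers block too, which turns one slow init into a stall for all concurrent Get calls. Safer is to copy the matching entries into a local slice under the lock, call `providersMapMu.RUnlock()` explicitly, and only then invoke the inits; the loop body after `sv, err := pi(...)` is outside the hunk, so whether Get returns on the first match is not visible here.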
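Review bot: In the SupportedProviders hunk, `keys := make([]string, 0, len(providersMap))` reads `len(providersMap)` before `providersMapMu.RLock()` is taken, so a concurrent AddProvider still races with that read and the race detector will flag it. Move the two added lines above the `make`: `providersMapMu.RLock()`, `defer providersMapMu.RUnlock()`, `keys := make([]string, 0, len(providersMap))`. The rest of the function continues outside the hunk.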
@@ -18,137 +18,73 @@ import ( "crypto" "crypto/ecdsa" "crypto/ed25519" - "errors" + "crypto/elliptic" "fmt" "math/big" - "github.com/tink-crypto/tink-go/v2/insecurecleartextkeyset" + "github.com/tink-crypto/tink-go/v2/insecuresecretdataaccess" "github.com/tink-crypto/tink-go/v2/keyset" - commonpb "github.com/tink-crypto/tink-go/v2/proto/common_go_proto" - ecdsapb "github.com/tink-crypto/tink-go/v2/proto/ecdsa_go_proto" - ed25519pb "github.com/tink-crypto/tink-go/v2/proto/ed25519_go_proto" - tinkpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto" - signatureSubtle "github.com/tink-crypto/tink-go/v2/signature/subtle" - "github.com/tink-crypto/tink-go/v2/subtle" - "google.golang.org/protobuf/proto" + tinkecdsa "github.com/tink-crypto/tink-go/v2/signature/ecdsa" + tinked25519 "github.com/tink-crypto/tink-go/v2/signature/ed25519" ) -var ( - ecdsaSignerKeyVersion uint32 - ed25519SignerKeyVersion uint32 - ecdsaSignerTypeURL = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey" - ed25519SignerTypeURL = "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey" -) - -// KeyHandleToSigner converts a key handle to the crypto.Signer interface. -// Heavily pulls from Tink's signature and subtle packages. 
-func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, crypto.Hash, error) { - // extract the key material from the key handle - ks := insecurecleartextkeyset.KeysetMaterial(kh) - - k := getPrimaryKey(ks) - if k == nil { - return nil, 0, errors.New("no enabled key found in keyset") - } - - switch k.GetTypeUrl() { - case ecdsaSignerTypeURL: - // https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ecdsa/signer_key_manager.go#L48 - privKey := new(ecdsapb.EcdsaPrivateKey) - if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, 0, fmt.Errorf("error unmarshalling ecdsa private key: %w", err) - } - if err := validateEcdsaPrivKey(privKey); err != nil { - return nil, 0, fmt.Errorf("error validating ecdsa private key: %w", err) - } - // https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/subtle/ecdsa_signer.go#L37 - hashAlg, curve, _ := getECDSAParamNames(privKey.PublicKey.Params) - p := new(ecdsa.PrivateKey) - c := subtle.GetCurve(curve) - if c == nil { - return nil, 0, errors.New("tink ecdsa signer: invalid curve") - } - p.Curve = c - p.D = new(big.Int).SetBytes(privKey.GetKeyValue()) - p.X, p.Y = c.ScalarBaseMult(privKey.GetKeyValue()) - hash := getHashFunc(hashAlg) - return p, hash, nil - case ed25519SignerTypeURL: - // https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ed25519/signer_key_manager.go#L47 - privKey := new(ed25519pb.Ed25519PrivateKey) - if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, 0, fmt.Errorf("error unmarshalling ed25519 private key: %w", err) - } - if err := validateEd25519PrivKey(privKey); err != nil { - return nil, 0, fmt.Errorf("error validating ed25519 private key: %w", err) - } - // https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/subtle/ed25519_signer.go#L27 - p := ed25519.NewKeyFromSeed(privKey.GetKeyValue()) - 
return p, crypto.SHA512, nil +func curveFromTinkECDSACurveType(curveType tinkecdsa.CurveType) (elliptic.Curve, error) { + switch curveType { + case tinkecdsa.NistP256: + return elliptic.P256(), nil + case tinkecdsa.NistP384: + return elliptic.P384(), nil + case tinkecdsa.NistP521: + return elliptic.P521(), nil default: - return nil, 0, fmt.Errorf("unsupported key type: %s", k.GetTypeUrl()) + // Should never happen. + return nil, fmt.Errorf("unsupported curve: %v", curveType) } } -// getPrimaryKey returns the first enabled key from a keyset. -func getPrimaryKey(ks *tinkpb.Keyset) *tinkpb.KeyData { - for _, k := range ks.GetKey() { - if k.GetKeyId() == ks.GetPrimaryKeyId() && k.GetStatus() == tinkpb.KeyStatusType_ENABLED { - return k.GetKeyData() - } - } - return nil -} - -// validateEcdsaPrivKey validates the given ECDSAPrivateKey. -// https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ecdsa/signer_key_manager.go#L151 -func validateEcdsaPrivKey(key *ecdsapb.EcdsaPrivateKey) error { - if err := keyset.ValidateKeyVersion(key.Version, ecdsaSignerKeyVersion); err != nil { - return fmt.Errorf("ecdsa: invalid key version in key: %w", err) - } - if err := keyset.ValidateKeyVersion(key.GetPublicKey().GetVersion(), ecdsaSignerKeyVersion); err != nil { - return fmt.Errorf("ecdsa: invalid public version in key: %w", err) +// KeyHandleToSigner constructs a [crypto.Signer] from a Tink [keyset.Handle]'s +// primary key. +// +// NOTE: Tink validates keys on [keyset.Handle] creation. +func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) { + primary, err := kh.Primary() + if err != nil { + return nil, err } - hash, curve, encoding := getECDSAParamNames(key.PublicKey.Params) - return signatureSubtle.ValidateECDSAParams(hash, curve, encoding) -} -// getECDSAParamNames returns the string representations of each parameter in -// the given ECDSAParams. 
-// https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ecdsa/proto.go#L24 -func getECDSAParamNames(params *ecdsapb.EcdsaParams) (string, string, string) { - hashName := commonpb.HashType_name[int32(params.GetHashType())] - curveName := commonpb.EllipticCurveType_name[int32(params.GetCurve())] - encodingName := ecdsapb.EcdsaSignatureEncoding_name[int32(params.GetEncoding())] - return hashName, curveName, encodingName -} + switch privateKey := primary.Key().(type) { + case *tinkecdsa.PrivateKey: + publicKey, err := privateKey.PublicKey() + if err != nil { + return nil, err + } + ecdsaPublicKey, ok := publicKey.(*tinkecdsa.PublicKey) + if !ok { + return nil, fmt.Errorf("error asserting ecdsa public key") + } -// validateEd25519PrivKey validates the given ED25519PrivateKey. -// https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ed25519/signer_key_manager.go#L157 -func validateEd25519PrivKey(key *ed25519pb.Ed25519PrivateKey) error { - if err := keyset.ValidateKeyVersion(key.Version, ed25519SignerKeyVersion); err != nil { - return fmt.Errorf("ed25519: invalid key: %w", err) - } - if len(key.KeyValue) != ed25519.SeedSize { - return fmt.Errorf("ed25519: invalid key length, got %d", len(key.KeyValue)) - } - return nil -} + curveParams, ok := ecdsaPublicKey.Parameters().(*tinkecdsa.Parameters) + if !ok { + return nil, fmt.Errorf("error asserting ecdsa parameters") + } + curve, err := curveFromTinkECDSACurveType(curveParams.CurveType()) + if err != nil { + return nil, err + } -// getHashFunc returns the hash function for a given hash name -func getHashFunc(hash string) crypto.Hash { - switch hash { - case "SHA1": - return crypto.SHA1 - case "SHA224": - return crypto.SHA224 - case "SHA256": - return crypto.SHA256 - case "SHA384": - return crypto.SHA384 - case "SHA512": - return crypto.SHA512 + // Encoded as: 0x04 || X || Y. 
+ // See https://github.com/tink-crypto/tink-go/blob/v2.3.0/signature/ecdsa/key.go#L335 + publicPoint := ecdsaPublicKey.PublicPoint() + xy := publicPoint[1:] + pk := new(ecdsa.PrivateKey) + pk.Curve = curve + pk.X = new(big.Int).SetBytes(xy[:len(xy)/2]) + pk.Y = new(big.Int).SetBytes(xy[len(xy)/2:]) + pk.D = new(big.Int).SetBytes(privateKey.PrivateKeyValue().Data(insecuresecretdataaccess.Token{})) + return pk, err + case *tinked25519.PrivateKey: + return ed25519.NewKeyFromSeed(privateKey.PrivateKeyBytes().Data(insecuresecretdataaccess.Token{})), err default: - return crypto.SHA256 + return nil, fmt.Errorf("unsupported key type: %T", primary.Key()) } } diff --git a/pkg/signature/tink/tink_test.go b/pkg/signature/tink/tink_test.go index 3eb16f5015..24d572de53 100644 --- a/pkg/signature/tink/tink_test.go +++ b/pkg/signature/tink/tink_test.go 
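Review bot: Both success paths in the new KeyHandleToSigner return the stale `err` variable — `return pk, err` and `return ed25519.NewKeyFromSeed(...), err` — which is known to be nil at those points because it was checked just above; `return pk, nil` states the intent and stops a later refactor from accidentally propagating an unrelated error. The point decoding `xy := publicPoint[1:]` also relies on the `0x04 || X || Y` layout named in the comment without checking it; a one-line guard before the slicing, `if len(publicPoint) == 0 || publicPoint[0] != 0x04 || len(publicPoint[1:])%2 != 0 { return nil, fmt.Errorf("unexpected ecdsa public point encoding") }`, turns a silently wrong X/Y split into an error if Tink ever changes the encoding. Minor style: the constant-string `fmt.Errorf("error asserting ...")` calls would normally be `errors.New`, though the hunk removes the `errors` import.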
@@ -15,92 +15,93 @@ package tink import ( - "crypto" "crypto/ecdsa" "crypto/ed25519" "crypto/rand" + "crypto/sha256" + "crypto/sha512" + "hash" "testing" "github.com/tink-crypto/tink-go/v2/keyset" - "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto" + tinkpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto" "github.com/tink-crypto/tink-go/v2/signature" ) -type TestStruct struct { - keyTemplate *tink_go_proto.KeyTemplate - h crypto.Hash -} - func TestKeyHandleToSignerECDSA(t *testing.T) { - supportedKeyTypes := []TestStruct{ + for _, tc := range []struct { + name string + keyTemplate *tinkpb.KeyTemplate + h hash.Hash + }{ { + name: "ECDSA-P256-SHA256", keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), - h: crypto.SHA256, + h: sha256.New(), }, { + name: "ECDSA-P384-SHA512", keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), - h: crypto.SHA512, + h: sha512.New(), }, { + name: "ECDSA-P521-SHA512", keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), - h: crypto.SHA512, + h: sha512.New(), }, - } - for _, kt := range supportedKeyTypes { - kh, err := keyset.NewHandle(kt.keyTemplate) - if err != nil { - t.Fatalf("error creating ECDSA key handle: %v", err) - } - // convert to crypto.Signer interface - signer, hash, err := KeyHandleToSigner(kh) - if err != nil { - t.Fatalf("error converting ECDSA key handle to signer: %v", err) - } - if hash != kt.h { - t.Fatalf("unexpected hash function, expected %s, got %s", kt.h, hash) - } - msg := []byte("hello there") + } { + t.Run(tc.name, func(t *testing.T) { + kh, err := keyset.NewHandle(tc.keyTemplate) + if err != nil { + t.Fatalf("error creating ECDSA key handle: %v", err) + } + // convert to crypto.Signer interface + signer, err := KeyHandleToSigner(kh) + if err != nil { + t.Fatalf("error converting ECDSA key handle to signer: %v", err) + } + msg := []byte("hello there") - // sign with key handle, verify with signer public key - tinkSigner, err := signature.NewSigner(kh) - if err != nil { - 
t.Fatalf("error creating tink signer: %v", err) - } - sig, err := tinkSigner.Sign(msg) - if err != nil { - t.Fatalf("error signing with tink signer: %v", err) - } - h := kt.h.New() - h.Write(msg) - digest := h.Sum(nil) - ecdsaPubKey, ok := signer.Public().(*ecdsa.PublicKey) - if !ok { - t.Fatal("invalid key") - } - if !ecdsa.VerifyASN1(ecdsaPubKey, digest, sig) { - t.Fatalf("signature from tink signer did not match") - } + // sign with key handle, verify with signer public key + tinkSigner, err := signature.NewSigner(kh) + if err != nil { + t.Fatalf("error creating tink signer: %v", err) + } + sig, err := tinkSigner.Sign(msg) + if err != nil { + t.Fatalf("error signing with tink signer: %v", err) + } + tc.h.Write(msg) + digest := tc.h.Sum(nil) + publicKey, ok := signer.Public().(*ecdsa.PublicKey) + if !ok { + t.Fatalf("error asserting ecdsa public key") + } + if !ecdsa.VerifyASN1(publicKey, digest, sig) { + t.Fatalf("signature from tink signer did not match") + } - // sign with signer, verify with key handle - pk, ok := signer.(*ecdsa.PrivateKey) - if !ok { - t.Fatalf("error asserting key type") - } - sig, err = ecdsa.SignASN1(rand.Reader, pk, digest) - if err != nil { - t.Fatalf("error signing with crypto signer: %v", err) - } - pubkh, err := kh.Public() - if err != nil { - t.Fatalf("error fetching public key handle: %v", err) - } - v, err := signature.NewVerifier(pubkh) - if err != nil { - t.Fatalf("error creating tink verifier: %v", err) - } - if err := v.Verify(sig, msg); err != nil { - t.Fatalf("error verifying with tink verifier: %v", err) - } + // sign with signer, verify with key handle + privKey, ok := signer.(*ecdsa.PrivateKey) + if !ok { + t.Fatalf("error asserting ecdsa private key") + } + sig, err = ecdsa.SignASN1(rand.Reader, privKey, digest) + if err != nil { + t.Fatalf("error signing with crypto signer: %v", err) + } + pubkh, err := kh.Public() + if err != nil { + t.Fatalf("error fetching public key handle: %v", err) + } + v, err := 
signature.NewVerifier(pubkh) + if err != nil { + t.Fatalf("error creating tink verifier: %v", err) + } + if err := v.Verify(sig, msg); err != nil { + t.Fatalf("error verifying with tink verifier: %v", err) + } + }) } } @@ -110,13 +111,10 @@ func TestKeyHandleToSignerED25519(t *testing.T) { t.Fatalf("error creating ED25519 key handle: %v", err) } // convert to crypto.Signer interface - signer, hash, err := KeyHandleToSigner(kh) + signer, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ED25519 key handle to signer: %v", err) } - if hash != crypto.SHA512 { - t.Fatalf("unexpected hash function, expected SHA512, got %s", hash) - } msg := []byte("hello there") // sign with key handle, verify with signer public key @@ -128,20 +126,20 @@ func TestKeyHandleToSignerED25519(t *testing.T) { if err != nil { t.Fatalf("error signing with tink signer: %v", err) } - edPubKey, ok := signer.Public().(ed25519.PublicKey) + publicKey, ok := signer.Public().(ed25519.PublicKey) if !ok { - t.Fatal("invalid key") + t.Fatalf("error asserting ed25519 public key") } - if !ed25519.Verify(edPubKey, msg, sig) { + if !ed25519.Verify(publicKey, msg, sig) { t.Fatalf("signature from tink signer did not match") } // sign with signer, verify with key handle - edPrivKey, ok := signer.(ed25519.PrivateKey) + privKey, ok := signer.(ed25519.PrivateKey) if !ok { - t.Fatal("invalid key") + t.Fatalf("error asserting ed25519 private key") } - sig = ed25519.Sign(edPrivKey, msg) + sig = ed25519.Sign(privKey, msg) if err != nil { t.Fatalf("error signing with crypto signer: %v", err) } 
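Review bot: The table in TestKeyHandleToSignerECDSA now stores live `hash.Hash` instances (`h: sha256.New()`) that `tc.h.Write(msg)` mutates inside the subtest, so the case carries state and cannot be reused or hashed twice without a `Reset()`. Keeping the field as `h crypto.Hash` with `crypto.SHA256` / `crypto.SHA512` values and calling `h := tc.h.New()` inside `t.Run` gives each subtest fresh state and matches how the original test was written. The subtest closure continues past the hunk into the next chunk.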
@@ -157,3 +155,13 @@ func TestKeyHandleToSignerED25519(t *testing.T) {
 t.Fatalf("error verifying with tink verifier: %v", err)
 }
 }
+
+func TestKeyHandleToSignerFailsWithInvalidKeyType(t *testing.T) {
+ kh, err := keyset.NewHandle(signature.RSA_SSA_PKCS1_3072_SHA256_F4_RAW_Key_Template())
+ if err != nil {
+ t.Fatalf("keyset.NewHandle() err = %v, want nil", err)
+ }
+ if _, err := KeyHandleToSigner(kh); err == nil {
+ t.Errorf("KeyHandleToSigner(kh) err = nil, want error")
+ }
+}
diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go
index d03973e72a..dd78dd1c5a 100644
--- a/pkg/tuf/client.go
+++ b/pkg/tuf/client.go
@@ -110,6 +110,7 @@ type MetadataStatus struct {
 }
 
 type TargetFile struct {
+ Name string
 Target []byte
 Status StatusKind
 }
@@ -430,7 +431,7 @@ func (t *TUF) GetTargetsByMeta(usage UsageKind, fallbacks []string) ([]TargetFil
 if err != nil {
 return nil, fmt.Errorf("error getting target %s by usage: %w", name, err)
 }
- matchedTargets = append(matchedTargets, TargetFile{Target: target, Status: scm.Sigstore.Status})
+ matchedTargets = append(matchedTargets, TargetFile{Name: name, Target: target, Status: scm.Sigstore.Status})
 }
 }
 if len(matchedTargets) == 0 {
@@ -440,7 +441,7 @@ func (t *TUF) GetTargetsByMeta(usage UsageKind, fallbacks []string) ([]TargetFil
 fmt.Fprintf(os.Stderr, "**Warning** Missing fallback target %s, skipping\n", fallback)
 continue
 }
- matchedTargets = append(matchedTargets, TargetFile{Target: target, Status: Active})
+ matchedTargets = append(matchedTargets, TargetFile{Name: fallback, Target: target, Status: Active})
 }
 }
 if len(matchedTargets) == 0 {
diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go
index 0ead4b57ef..46f8d21044 100644
--- a/pkg/tuf/client_test.go
+++ b/pkg/tuf/client_test.go
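Review bot: TestKeyHandleToSignerFailsWithInvalidKeyType only asserts that KeyHandleToSigner returns some error, so any failure inside the call, not just rejection of the RSA key type, satisfies the test. If KeyHandleToSigner returns a distinguishable error for unsupported key types (I cannot see its implementation from this hunk), comparing against it with `errors.Is`, or checking the message, would pin the behaviour the test is named for. The `err = %v, want nil` / `err = nil, want error` wording also differs from the `error …: %v` style used by the neighbouring tests in this file; either convention is fine, but the file should use one.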
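Review bot: The new exported field `Name` on TargetFile in the -110 hunk of pkg/tuf/client.go has no doc comment, and its meaning is only recoverable from the two append sites in the -430 and -440 hunks, where it appears to be set from the matched target name and from the fallback name respectively. A comment on the field such as `// Name is the target's name in the TUF targets metadata (for fallback targets, the name it was requested by)` would make that contract visible to callers without reading GetTargetsByMeta. The TargetFile struct is shown in full, but GetTargetsByMeta starts and ends outside its hunks.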
@@ -443,6 +443,9 @@ func TestGetTargetsByMeta(t *testing.T) {
 if targets[0].Status != Active {
 t.Fatalf("target without custom metadata not active, got: %v", targets[0].Status)
 }
+ if targets[0].Name != "fooNoCustom.txt" {
+ t.Fatalf("target has wrong name, expected: %s, got: %s", "fooNoCustom.txt", targets[0].Name)
+ }
 // Fetch multiple targets with no custom metadata.
 targets, err = tufObj.GetTargetsByMeta(UnknownUsage, []string{"fooNoCustom.txt", "fooNoCustomOther.txt"})
 if err != nil {
@@ -478,6 +481,12 @@ func TestGetTargetsByMeta(t *testing.T) {
 if !reflect.DeepEqual(targetBytes, expectedTB) {
 t.Fatalf("target metadata mismatched, expected: %v, got: %v", expectedTB, targetBytes)
 }
+ targetNames := []string{targets[0].Name, targets[1].Name}
+ sort.Strings(targetNames)
+ expectedTN := []string{"fooActive.txt", "fooExpired.txt"}
+ if !reflect.DeepEqual(targetNames, expectedTN) {
+ t.Fatalf("target names mismatched, expected: %v, got: %v", expectedTN, targetNames)
+ }
 targetStatuses := []StatusKind{targets[0].Status, targets[1].Status}
 sort.Slice(targetStatuses, func(i, j int) bool {
 return targetStatuses[i] < targetStatuses[j]
diff --git a/test/e2e/dexidp.Dockerfile b/test/e2e/dexidp.Dockerfile
index 57cce9dd94..a953303692 100644
--- a/test/e2e/dexidp.Dockerfile
+++ b/test/e2e/dexidp.Dockerfile
@@ -13,4 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM ghcr.io/dexidp/dex:v2.42.0@sha256:1b4a6eee8550240b0faedad04d984ca939513650e1d9bd423502c67355e3822f
+FROM ghcr.io/dexidp/dex:v2.42.1@sha256:8186d6dd81f400bf0424a4c978c8217736822fcbdf65ba454d025fbf2c0ff300
diff --git a/test/e2e/docker-compose.yml b/test/e2e/docker-compose.yml
index a05be864e7..73ecb73058 100644
--- a/test/e2e/docker-compose.yml
+++ b/test/e2e/docker-compose.yml
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-version: "3.8"
 services:
 vault:
 build:
@@ -41,4 +40,3 @@ services:
 volumes:
 - ./dex-config.yml:/etc/dex/dex-config.yml:z
 command: ["dex", "serve", "/etc/dex/dex-config.yml"]
-
diff --git a/test/e2e/localstack.Dockerfile b/test/e2e/localstack.Dockerfile
index d4e5d3f2d2..2a0c27b7ee 100644
--- a/test/e2e/localstack.Dockerfile
+++ b/test/e2e/localstack.Dockerfile
@@ -13,4 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/localstack/localstack:4.2.0@sha256:b5a68908bafbb56468bb1dd6ea0d0d333149c084c63e84a8de95d9059ad7e96d
+FROM docker.io/localstack/localstack:4.3.0@sha256:f3cb1a79f3add997575e859c3a2808e6dae4b0de836661de255baa2b576868f8
diff --git a/test/e2e/vault.Dockerfile b/test/e2e/vault.Dockerfile
index ca5227e6ba..8c9cbe518d 100644
--- a/test/e2e/vault.Dockerfile
+++ b/test/e2e/vault.Dockerfile
@@ -13,4 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/hashicorp/vault:1.18.5@sha256:750bb37c1638fa194ab37053a81618c61bb0491ddec6fccac87c07a8e6cd8166
+FROM docker.io/hashicorp/vault:1.19.2@sha256:69fca96c67b499cbc3e8364dedfb5f97ba736a7fa5c8ecb97bf14602cceaf33e
diff --git a/test/fuzz/go.mod b/test/fuzz/go.mod
index 0869bbebec..a060fb2981 100644
--- a/test/fuzz/go.mod
+++ b/test/fuzz/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20211102141018-f7be0cbad29c
 github.com/dvyukov/go-fuzz v0.0.0-20210914135545-4980593459a1
 github.com/secure-systems-lab/go-securesystemslib v0.9.0
- github.com/sigstore/sigstore v1.9.1
+ github.com/sigstore/sigstore v1.9.4
 )
 
 require (
@@ -18,14 +18,14 @@ require (
 github.com/google/go-containerregistry v0.20.3 // indirect
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/sigstore/protobuf-specs v0.4.1-0.20250403155539-95810107164a // indirect
+ github.com/sigstore/protobuf-specs v0.4.1 // indirect
 github.com/stephens2424/writerset v1.0.2 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
- golang.org/x/crypto v0.35.0 // indirect
+ golang.org/x/crypto v0.36.0 // indirect
 golang.org/x/mod v0.22.0 // indirect
 golang.org/x/sync v0.10.0 // indirect
- golang.org/x/sys v0.30.0 // indirect
- golang.org/x/term v0.29.0 // indirect
+ golang.org/x/sys v0.31.0 // indirect
+ golang.org/x/term v0.30.0 // indirect
 golang.org/x/tools v0.29.0 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
 google.golang.org/protobuf v1.36.6 // indirect
diff --git a/test/fuzz/go.sum b/test/fuzz/go.sum
index 45649b7f3b..98c7ae660f 100644
--- a/test/fuzz/go.sum
+++ b/test/fuzz/go.sum
@@ -48,10 +48,10 @@ github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB
 github.com/robertkrimen/godocdown v0.0.0-20130622164427-0bfa04905481/go.mod h1:C9WhFzY47SzYBIvzFqSvHIR6ROgDo4TtdTuRaOMjF/s=
 github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc=
 github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw=
-github.com/sigstore/protobuf-specs v0.4.1-0.20250403155539-95810107164a h1:n8cgr1fSHwc6/5wIehYaOO4V8jAWvr55kFT9ewSYjUk=
-github.com/sigstore/protobuf-specs v0.4.1-0.20250403155539-95810107164a/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc=
-github.com/sigstore/sigstore v1.9.1 h1:bNMsfFATsMPaagcf+uppLk4C9rQZ2dh5ysmCxQBYWaw=
-github.com/sigstore/sigstore v1.9.1/go.mod h1:zUoATYzR1J3rLNp3jmp4fzIJtWdhC3ZM6MnpcBtnsE4=
+github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby1BxGU7Zc=
+github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc=
+github.com/sigstore/sigstore v1.9.4 h1:64+OGed80+A4mRlNzRd055vFcgBeDghjZw24rPLZgDU=
+github.com/sigstore/sigstore v1.9.4/go.mod h1:Q7tGTC3gbtK7c3jcxEmGc2MmK4rRpIRzi3bxRFWKvEY=
 github.com/stephens2424/writerset v1.0.2 h1:znRLgU6g8RS5euYRcy004XeE4W+Tu44kALzy7ghPif8=
 github.com/stephens2424/writerset v1.0.2/go.mod h1:aS2JhsMn6eA7e82oNmW4rfsgAOp9COBTTl8mzkwADnc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -60,16 +60,16 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
 golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
 golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
 google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=