Support multiple --sign-container-identity

With this change, cosign sign can be run only once when an image
has multiple pull references.

Closes #4330

Signed-off-by: Emily Zheng <[email protected]>

Author: emilyzheng

cmd/cosign/cli/options/sign.go

@@ -40,7 +40,7 @@ type SignOptions struct {
 	TSAServerName           string
 	TSAServerURL            string
 	IssueCertificate        bool
-	SignContainerIdentity   string
+	SignContainerIdentities []string
 	RecordCreationTimestamp bool
 	NewBundleFormat         bool
 	UseSigningConfig        bool
@@ -137,7 +137,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false,
 		"issue a code signing certificate from Fulcio, even if a key is provided")
 
-	cmd.Flags().StringVar(&o.SignContainerIdentity, "sign-container-identity", "",
+	cmd.Flags().StringArrayVar(&o.SignContainerIdentities, "sign-container-identity", nil,
 		"manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature")
 
 	cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value")

cmd/cosign/cli/sign/sign.go

@@ -392,16 +392,26 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions,
 	annotations map[string]interface{}, se oci.SignedEntity) error {
 	var err error
+	var payloads [][]byte
 	// The payload can be passed to skip generation.
 	if len(payload) == 0 {
-		payload, err = (&sigPayload.Cosign{
-			Image:           digest,
-			ClaimedIdentity: signOpts.SignContainerIdentity,
-			Annotations:     annotations,
-		}).MarshalJSON()
-		if err != nil {
-			return fmt.Errorf("payload: %w", err)
+		identities := signOpts.SignContainerIdentities
+		if len(identities) == 0 {
+			identities = append(identities, "")
+		}
+		for _, identity := range identities {
+			payload, err = (&sigPayload.Cosign{
+				Image:           digest,
+				ClaimedIdentity: identity,
+				Annotations:     annotations,
+			}).MarshalJSON()
+			if err != nil {
+				return fmt.Errorf("payload: %w", err)
+			}
+			payloads = append(payloads, payload)
 		}
+	} else {
+		payloads = append(payloads, payload)
 	}
 
 	sv, genKey, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko)
@@ -447,14 +457,21 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 		s = irekor.NewSigner(s, rClient)
 	}
 
-	ociSig, _, err := s.Sign(ctx, bytes.NewReader(payload))
-	if err != nil {
-		return err
-	}
+	ociSigs := make([]oci.Signature, len(payloads))
+	b64sigs := make([]string, len(payloads))
 
-	b64sig, err := ociSig.Base64Signature()
-	if err != nil {
-		return err
+	for i, payload := range payloads {
+		ociSig, _, err := s.Sign(ctx, bytes.NewReader(payload))
+		if err != nil {
+			return err
+		}
+		ociSigs[i] = ociSig
+
+		b64sig, err := ociSig.Base64Signature()
+		if err != nil {
+			return err
+		}
+		b64sigs[i] = b64sig
 	}
 
 	outputSignature := signOpts.OutputSignature
@@ -463,7 +480,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 		if signOpts.Recursive {
 			outputSignature = fmt.Sprintf("%s-%s", outputSignature, strings.Replace(digest.DigestStr(), ":", "-", 1))
 		}
-		if err := os.WriteFile(outputSignature, []byte(b64sig), 0600); err != nil {
+		if err := os.WriteFile(outputSignature, []byte(strings.Join(b64sigs, "\n")), 0600); err != nil {
 			return fmt.Errorf("create signature file: %w", err)
 		}
 	}
@@ -473,7 +490,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 		if signOpts.Recursive {
 			outputPayload = fmt.Sprintf("%s-%s", outputPayload, strings.Replace(digest.DigestStr(), ":", "-", 1))
 		}
-		if err := os.WriteFile(outputPayload, payload, 0600); err != nil {
+		if err := os.WriteFile(outputPayload, bytes.Join(payloads, []byte("\n")), 0600); err != nil {
 			return fmt.Errorf("create payload file: %w", err)
 		}
 	}
@@ -492,16 +509,20 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 	}
 
 	if ko.BundlePath != "" {
-		signedPayload, err := fetchLocalSignedPayload(ociSig)
-		if err != nil {
-			return fmt.Errorf("failed to fetch signed payload: %w", err)
-		}
+		var contents [][]byte
+		for _, ociSig := range ociSigs {
+			signedPayload, err := fetchLocalSignedPayload(ociSig)
+			if err != nil {
+				return fmt.Errorf("failed to fetch signed payload: %w", err)
+			}
 
-		contents, err := json.Marshal(signedPayload)
-		if err != nil {
-			return fmt.Errorf("failed to marshal signed payload: %w", err)
+			content, err := json.Marshal(signedPayload)
+			if err != nil {
+				return fmt.Errorf("failed to marshal signed payload: %w", err)
+			}
+			contents = append(contents, content)
 		}
-		if err := os.WriteFile(ko.BundlePath, contents, 0600); err != nil {
+		if err := os.WriteFile(ko.BundlePath, bytes.Join(contents, []byte("\n")), 0600); err != nil {
 			return fmt.Errorf("create bundle file: %w", err)
 		}
 		ui.Infof(ctx, "Wrote bundle to file %s", ko.BundlePath)
@@ -512,9 +533,13 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 	}
 
 	// Attach the signature to the entity.
-	newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp))
-	if err != nil {
-		return err
+	var newSE oci.SignedEntity
+	for _, ociSig := range ociSigs {
+		newSE, err = mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp))
+		if err != nil {
+			return err
+		}
+		se = newSE
 	}
 
 	// Publish the signatures associated with this entity