Add ctlogs to cosign trusted-root create

With `--ignore-sct` to support if you are using keys instead of Fulcio.

Signed-off-by: Zach Steindler <[email protected]>

cmd/cosign/cli/options/trustedroot.go

@@ -23,6 +23,7 @@ type TrustedRootCreateOptions struct {
 	CAIntermediates  string
 	CARoots          string
 	CertChain        string
+	IgnoreSCT        bool
 	Out              string
 	RekorURL         string
 	TSACertChainPath string
@@ -53,6 +54,10 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
+	cmd.Flags().BoolVar(&o.IgnoreSCT, "ignore-sct", false,
+		"when set, do not include key for verifying certificate transparency "+
+			"log. Set this if you signed with a key instead of using Fulcio.")
+
 	cmd.Flags().StringVar(&o.Out, "out", "",
 		"path to output trusted root")
 

cmd/cosign/cli/trustedroot.go

@@ -48,6 +48,7 @@ func trustedRootCreate() *cobra.Command {
 				CAIntermediates:  o.CAIntermediates,
 				CARoots:          o.CARoots,
 				CertChain:        o.CertChain,
+				IgnoreSCT:        o.IgnoreSCT,
 				Out:              o.Out,
 				RekorURL:         o.RekorURL,
 				TSACertChainPath: o.TSACertChainPath,

cmd/cosign/cli/trustedroot/trustedroot.go

@@ -21,6 +21,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -29,19 +30,22 @@ import (
 	"github.com/sigstore/sigstore-go/pkg/root"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 )
 
 type CreateCmd struct {
 	CAIntermediates  string
 	CARoots          string
 	CertChain        string
+	IgnoreSCT        bool
 	Out              string
 	RekorURL         string
 	TSACertChainPath string
 }
 
-func (c *CreateCmd) Exec(_ context.Context) error {
+func (c *CreateCmd) Exec(ctx context.Context) error {
 	var fulcioCertAuthorities []root.CertificateAuthority
+	ctLogs := make(map[string]*root.TransparencyLog)
 	var timestampAuthorities []root.CertificateAuthority
 	rekorTransparencyLogs := make(map[string]*root.TransparencyLog)
 
@@ -80,6 +84,26 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 		}
 	}
 
+	if !c.IgnoreSCT {
+		ctLogPubKeys, err := cosign.GetCTLogPubs(ctx)
+		if err != nil {
+			return err
+		}
+
+		for id, key := range ctLogPubKeys.Keys {
+			idBytes, err := hex.DecodeString(id)
+			if err != nil {
+				return err
+			}
+			ctLogs[id] = &root.TransparencyLog{
+				ID:                idBytes,
+				HashFunc:          crypto.SHA256,
+				PublicKey:         key.PubKey,
+				SignatureHashFunc: crypto.SHA256,
+			}
+		}
+	}
+
 	if c.RekorURL != "" {
 		rekorClient, err := rekor.NewClient(c.RekorURL)
 		if err != nil {
@@ -124,7 +148,8 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 	}
 
 	newTrustedRoot, err := root.NewTrustedRoot(root.TrustedRootMediaType01,
-		fulcioCertAuthorities, nil, timestampAuthorities, rekorTransparencyLogs,
+		fulcioCertAuthorities, ctLogs, timestampAuthorities,
+		rekorTransparencyLogs,
 	)
 	if err != nil {
 		return err

cmd/cosign/cli/trustedroot/trustedroot_test.go

@@ -45,6 +45,7 @@ func TestCreateCmd(t *testing.T) {
 
 	trustedrootCreate := CreateCmd{
 		CertChain:        fulcioChainPath,
+		IgnoreSCT:        true,
 		Out:              outPath,
 		TSACertChainPath: tsaChainPath,
 	}