api: add functions to transparently handle signatures upon API interaction (#2142)

2025-12-01 17:04:59 -05:00 · 2023-08-01 16:48:13 +02:00 · 2023-08-01 16:48:13 +02:00 · dac690656e
commit dac690656e
parent 002c3a9a32
45 changed files with 707 additions and 472 deletions
--- a/internal/sigstore/keyselect/keyselect.go
+++ b/internal/sigstore/keyselect/keyselect.go
@ -0,0 +1,28 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+// Package keyselect is used to select the correct public key for signature verification.
+// The content of keyselect must be kept separate from internal/sigstore because keyselect relies on internal/api/versionsapi.
+// Since internal/api relies on internal/sigstore, we need to separate the functions to avoid import cycles.
+package keyselect
+
+import (
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+)
+
+// CosignPublicKeyForVersion returns the public key for the given version.
+func CosignPublicKeyForVersion(ver versionsapi.Version) ([]byte, error) {
+	if err := ver.Validate(); err != nil {
+		return nil, fmt.Errorf("selecting public key: invalid version %s: %w", ver.ShortPath(), err)
+	}
+	if ver.Ref() == versionsapi.ReleaseRef && ver.Stream() == "stable" {
+		return []byte(constants.CosignPublicKeyReleases), nil
+	}
+	return []byte(constants.CosignPublicKeyDev), nil
+}