Add support for package deploy via cosign sget (zarf-dev#550)

* boilerplate for deploying remote packages via sget verification
* Move main.go to root to embed cosign.pub
* fix bugs with sget'ing a remote package
* misc cleanup of sget package deployment updates
* use fixed name since path is dynamic
* add e2e for sget package deploy

Co-authored-by: Jeff McCoy <code@jeffm.us>
Co-authored-by: Minimind <882485+jeff-mccoy@users.noreply.github.com>

Author: YrrepNoj

.hooks/verify-zarf-schema.sh

@@ -1,2 +1,2 @@
 #!/usr/bin/env sh
-go run src/main.go tools config-schema > zarf.schema.json
+go run main.go tools config-schema > zarf.schema.json

Makefile

@@ -41,18 +41,18 @@ clean: ## Clean the build dir
 	rm -rf build
 
 build-cli-linux-amd: build-injector-registry
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf src/main.go
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf main.go
 
 build-cli-linux-arm: build-injector-registry
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-arm src/main.go
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-arm main.go
 
 build-cli-mac-intel: build-injector-registry
-	GOOS=darwin GOARCH=amd64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-mac-intel src/main.go
+	GOOS=darwin GOARCH=amd64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-mac-intel main.go
 
 build-cli-mac-apple: build-injector-registry
-	GOOS=darwin GOARCH=arm64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-mac-apple src/main.go
+	GOOS=darwin GOARCH=arm64 go build -ldflags="$(BUILD_ARGS)" -o build/zarf-mac-apple main.go
 
-build-cli-linux: build-cli-linux-amd build-cli-linux-arm 
+build-cli-linux: build-cli-linux-amd build-cli-linux-arm
 
 build-cli: build-cli-linux-amd build-cli-linux-arm build-cli-mac-intel build-cli-mac-apple ## Build the CLI
 
@@ -64,7 +64,7 @@ build-injector-registry:
 dev-agent-image:
 	$(eval tag := defenseunicorns/dev-zarf-agent:$(shell date +%s))
 	$(eval arch := $(shell uname -m))
-	CGO_ENABLED=0 GOOS=linux go build -o build/zarf-linux-$(arch) src/main.go
+	CGO_ENABLED=0 GOOS=linux go build -o build/zarf-linux-$(arch) main.go
 	DOCKER_BUILDKIT=1 docker build --tag $(tag) --build-arg TARGETARCH=$(arch) . && \
 	kind load docker-image zarf-agent:$(tag) && \
 	kubectl -n zarf set image deployment/agent-hook server=$(tag)

main.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	_ "embed"
+
+	"github.com/defenseunicorns/zarf/src/cmd"
+	"github.com/defenseunicorns/zarf/src/config"
+)
+
+//go:embed cosign.pub
+var cosignPublicKey string
+
+func main() {
+	config.SGetPublicKey = cosignPublicKey
+	cmd.Execute()
+}

src/cmd/package.go

@@ -108,4 +108,6 @@ func init() {
 	packageDeployCmd.Flags().StringVar(&config.DeployOptions.Components, "components", "", "Comma-separated list of components to install.  Adding this flag will skip the init prompts for which components to install")
 	packageDeployCmd.Flags().BoolVar(&insecureDeploy, "insecure", false, "Skip shasum validation of remote package. Required if deploying a remote package and `--shasum` is not provided")
 	packageDeployCmd.Flags().StringVar(&shasum, "shasum", "", "Shasum of the package to deploy. Required if deploying a remote package and `--insecure` is not provided")
+
+	packageDeployCmd.Flags().StringVar(&config.DeployOptions.SGetKeyPath, "sget", "", "Path to public sget key file for remote packages signed via cosign")
 }

src/config/config.go

@@ -61,6 +61,8 @@ var (
 	// Private vars
 	active types.ZarfPackage
 	state  types.ZarfState
+
+	SGetPublicKey string
 )
 
 func IsZarfInitConfig() bool {

src/internal/packager/common.go

@@ -1,6 +1,7 @@
 package packager
 
 import (
+	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
@@ -79,10 +80,10 @@ func confirmAction(configPath, userMessage string, sbomViewFiles []string) bool
 	if err != nil {
 		message.Fatal(err, "Unable to open the package config file")
 	}
-	
+
 	// Convert []byte to string and print to screen
 	text := string(content)
-	
+
 	pterm.Println()
 	utils.ColorPrintYAML(text)
 
@@ -118,6 +119,11 @@ func HandleIfURL(packagePath string, shasum string, insecureDeploy bool) (string
 		return packagePath, func() {}
 	}
 
+	// Handle case where deploying remote package validated via sget
+	if strings.HasPrefix(packagePath, "sget://") {
+		return handleSgetPackage(packagePath)
+	}
+
 	if !insecureDeploy && shasum == "" {
 		message.Fatal(nil, "When deploying a remote package you must provide either a `--shasum` or the `--insecure` flag. Neither were provided.")
 	}
@@ -163,6 +169,36 @@ func HandleIfURL(packagePath string, shasum string, insecureDeploy bool) (string
 	return localPackagePath, tempPath.clean
 }
 
+func handleSgetPackage(sgetPackagePath string) (string, func()) {
+	// Write the package to a local file in a temp path
+	tempPath := createPaths()
+
+	// Create the local file for the package
+	localPackagePath := filepath.Join(tempPath.base, "remote.tar.zst")
+	destinationFile, err := os.Create(localPackagePath)
+	if err != nil {
+		message.Fatal(err, "Unable to create the destination file")
+	}
+	defer destinationFile.Close()
+
+	// If this is a DefenseUnicorns package, use an internal sget public key
+	if strings.HasPrefix(sgetPackagePath, "sget://defenseunicorns") {
+		os.Setenv("DU_SGET_KEY", config.SGetPublicKey)
+		config.DeployOptions.SGetKeyPath = "env://DU_SGET_KEY"
+	}
+
+	// Remove the 'sget://' header for the actual sget call
+	sgetPackagePath = strings.TrimPrefix(sgetPackagePath, "sget://")
+
+	// Sget the package
+	err = utils.Sget(sgetPackagePath, config.DeployOptions.SGetKeyPath, destinationFile, context.TODO())
+	if err != nil {
+		message.Fatal(err, "Unable to get the remote package via sget")
+	}
+
+	return localPackagePath, tempPath.clean
+}
+
 func isValidFileExtension(filename string) bool {
 	for _, extension := range config.GetValidPackageExtensions() {
 		if strings.HasSuffix(filename, extension) {

src/main.go

@@ -0,0 +1,22 @@
+package test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestE2eRemoteSgete(t *testing.T) {
+	defer e2e.cleanupAfterTest(t)
+
+	//run `zarf init`
+	output, err := e2e.execZarfCommand("init", "--confirm")
+	require.NoError(t, err, output)
+
+	path := fmt.Sprintf("sget://defenseunicorns/zarf-hello-world:%s", e2e.arch)
+
+	// Deploy the game
+	output, err = e2e.execZarfCommand("package", "deploy", path, "--confirm")
+	require.NoError(t, err, output)
+}

src/test/e2e/e2e_remote_sget_test.go

@@ -155,6 +155,7 @@ type ZarfDeployOptions struct {
 	PackagePath string
 	Confirm     bool
 	Components  string
+	SGetKeyPath string
 
 	// Zarf init is installing the k3s component
 	ApplianceMode bool