archy/core/security/src/image_verifier.rs

// Container image signature verification using Cosign
// Verifies that container images are signed and trusted

use anyhow::{Context, Result};
use std::process::Command;
use tracing::{info, warn};

pub struct ImageVerifier {
    cosign_public_key: Option<String>,
    require_signatures: bool,
}

impl ImageVerifier {
    pub fn new(cosign_public_key: Option<String>) -> Self {
        Self { cosign_public_key, require_signatures: false }
    }

    /// Create a verifier that requires all images to be signed.
    pub fn new_strict(cosign_public_key: Option<String>) -> Self {
        Self { cosign_public_key, require_signatures: true }
    }

    /// Verify a container image signature
    pub async fn verify_image(&self, image: &str, signature: Option<&str>) -> Result<bool> {
        if signature.is_none() && self.cosign_public_key.is_none() {
            if self.require_signatures {
                return Err(anyhow::anyhow!(
                    "Image '{}' has no signature and no cosign key is configured. \
                     All container images must be signed for production use.",
                    image
                ));
            }
            warn!("No signature provided for image: {}", image);
            return Ok(false);
        }

        // Check if cosign is available
        let cosign_available = Command::new("cosign")
            .arg("version")
            .output()
            .is_ok();

        if !cosign_available {
            if self.require_signatures {
                return Err(anyhow::anyhow!(
                    "Cosign binary not found. Install cosign to verify container image signatures."
                ));
            }
            warn!("Cosign not available, skipping signature verification");
            return Ok(false);
        }
        
        // If public key is provided, use it for verification
        if let Some(ref public_key) = self.cosign_public_key {
            let output = Command::new("cosign")
                .arg("verify")
                .arg("--key")
                .arg(public_key)
                .arg(image)
                .output()
                .context("Failed to run cosign verify")?;
            
            if output.status.success() {
                info!("Image signature verified: {}", image);
                return Ok(true);
            } else {
                let stderr = String::from_utf8_lossy(&output.stderr);
                return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));
            }
        }
        
        // If signature URL is provided, verify using that
        if let Some(sig_url) = signature {
            if sig_url.starts_with("cosign://") {
                // Extract signature reference
                let sig_ref = sig_url.strip_prefix("cosign://").unwrap();
                let output = Command::new("cosign")
                    .arg("verify")
                    .arg("--signature")
                    .arg(sig_ref)
                    .arg(image)
                    .output()
                    .context("Failed to run cosign verify")?;
                
                if output.status.success() {
                    info!("Image signature verified: {}", image);
                    return Ok(true);
                } else {
                    let stderr = String::from_utf8_lossy(&output.stderr);
                    return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));
                }
            }
        }
        
        Ok(false)
    }
    
    /// Check if an image has a signature
    pub async fn has_signature(&self, image: &str) -> bool {
        // Try to find signature in registry
        let output = Command::new("cosign")
            .arg("triangulate")
            .arg(image)
            .output();
        
        output.is_ok() && output.unwrap().status.success()
    }
}
Initial commit 2026-01-24 22:01:51 +00:00			`// Container image signature verification using Cosign`
			`// Verifies that container images are signed and trusted`

			`use anyhow::{Context, Result};`
			`use std::process::Command;`
			`use tracing::{info, warn};`

			`pub struct ImageVerifier {`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00			`cosign_public_key: Option<String>,`
			`require_signatures: bool,`
Initial commit 2026-01-24 22:01:51 +00:00			`}`

			`impl ImageVerifier {`
			`pub fn new(cosign_public_key: Option<String>) -> Self {`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00			`Self { cosign_public_key, require_signatures: false }`
Initial commit 2026-01-24 22:01:51 +00:00			`}`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00
			`/// Create a verifier that requires all images to be signed.`
			`pub fn new_strict(cosign_public_key: Option<String>) -> Self {`
			`Self { cosign_public_key, require_signatures: true }`
			`}`

Initial commit 2026-01-24 22:01:51 +00:00			`/// Verify a container image signature`
			`pub async fn verify_image(&self, image: &str, signature: Option<&str>) -> Result<bool> {`
			`if signature.is_none() && self.cosign_public_key.is_none() {`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00			`if self.require_signatures {`
			`return Err(anyhow::anyhow!(`
			`"Image '{}' has no signature and no cosign key is configured. \`
			`All container images must be signed for production use.",`
			`image`
			`));`
			`}`
Initial commit 2026-01-24 22:01:51 +00:00			`warn!("No signature provided for image: {}", image);`
			`return Ok(false);`
			`}`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00
Initial commit 2026-01-24 22:01:51 +00:00			`// Check if cosign is available`
			`let cosign_available = Command::new("cosign")`
			`.arg("version")`
			`.output()`
			`.is_ok();`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00
Initial commit 2026-01-24 22:01:51 +00:00			`if !cosign_available {`
fix: Phase 3 — command injection, unwrap/expect panics, unsigned image acceptance - VPN key gen: replaced sh -c with format string (command injection) with safe stdin piping to wg pubkey - Secrets manager: replaced .unwrap() on path.parent() with proper error - Tor proxy: replaced .expect("valid proxy") with continue on error - Image verifier: added require_signatures flag, strict mode rejects unsigned images and missing cosign binary Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:45:15 +00:00			`if self.require_signatures {`
			`return Err(anyhow::anyhow!(`
			`"Cosign binary not found. Install cosign to verify container image signatures."`
			`));`
			`}`
Initial commit 2026-01-24 22:01:51 +00:00			`warn!("Cosign not available, skipping signature verification");`
			`return Ok(false);`
			`}`

			`// If public key is provided, use it for verification`
			`if let Some(ref public_key) = self.cosign_public_key {`
			`let output = Command::new("cosign")`
			`.arg("verify")`
			`.arg("--key")`
			`.arg(public_key)`
			`.arg(image)`
			`.output()`
			`.context("Failed to run cosign verify")?;`

			`if output.status.success() {`
			`info!("Image signature verified: {}", image);`
			`return Ok(true);`
			`} else {`
			`let stderr = String::from_utf8_lossy(&output.stderr);`
			`return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));`
			`}`
			`}`

			`// If signature URL is provided, verify using that`
			`if let Some(sig_url) = signature {`
			`if sig_url.starts_with("cosign://") {`
			`// Extract signature reference`
			`let sig_ref = sig_url.strip_prefix("cosign://").unwrap();`
			`let output = Command::new("cosign")`
			`.arg("verify")`
			`.arg("--signature")`
			`.arg(sig_ref)`
			`.arg(image)`
			`.output()`
			`.context("Failed to run cosign verify")?;`

			`if output.status.success() {`
			`info!("Image signature verified: {}", image);`
			`return Ok(true);`
			`} else {`
			`let stderr = String::from_utf8_lossy(&output.stderr);`
			`return Err(anyhow::anyhow!("Signature verification failed: {}", stderr));`
			`}`
			`}`
			`}`

			`Ok(false)`
			`}`

			`/// Check if an image has a signature`
			`pub async fn has_signature(&self, image: &str) -> bool {`
			`// Try to find signature in registry`
			`let output = Command::new("cosign")`
			`.arg("triangulate")`
			`.arg(image)`
			`.output();`

			`output.is_ok() && output.unwrap().status.success()`
			`}`
			`}`