From 5e0701f1476b94da840bc68580c418b5db11ddc9 Mon Sep 17 00:00:00 2001
From: Chuck D'Antonio
Date: Tue, 25 Nov 2025 17:40:07 -0500
Subject: [PATCH] Uses KOTS kinds to verify signatures
---
 go.mod | 8 ++++----
 go.sum | 8 ++++++++
 pkg/license/signature.go | 28 ++++------------------------
 3 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/go.mod b/go.mod
index 0d0610d2..dc9d5011 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/pact-foundation/pact-go v1.10.0
 github.com/pkg/errors v0.9.1
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
- github.com/replicatedhq/kotskinds v0.0.0-20251125152515-acc84923a4f5
+ github.com/replicatedhq/kotskinds v0.0.0-20251125171126-af5844407f2a
 github.com/robfig/cron/v3 v3.0.1
 github.com/spf13/cobra v1.10.1
 github.com/spf13/pflag v1.0.10
@@ -131,9 +131,9 @@ require (
 gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/apiextensions-apiserver v0.34.1 // indirect
- k8s.io/apiserver v0.34.1 // indirect
- k8s.io/component-base v0.34.1 // indirect
+ k8s.io/apiextensions-apiserver v0.34.2 // indirect
+ k8s.io/apiserver v0.34.2 // indirect
+ k8s.io/component-base v0.34.2 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 k8s.io/kubectl v0.34.0 // indirect
diff --git a/go.sum b/go.sum
index 24320c5e..776535e5 100644
--- a/go.sum
+++ b/go.sum
@@ -326,6 +326,8 @@ github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/replicatedhq/kotskinds v0.0.0-20251125152515-acc84923a4f5 h1:NaLh1hQbIrjU/hIppLGEnOWm6FvFdOwNrQP101K7H9g=
 github.com/replicatedhq/kotskinds v0.0.0-20251125152515-acc84923a4f5/go.mod h1:+k4PHo2wukoU9kdiKrqqgi89Wmj+9AiwppYGVK11zig=
+github.com/replicatedhq/kotskinds v0.0.0-20251125171126-af5844407f2a h1:E+Zv8NjHUvPprNyLuAUKoXApE7u/LmzeGAPAC4cA/XU=
+github.com/replicatedhq/kotskinds v0.0.0-20251125171126-af5844407f2a/go.mod h1:hpR1pZ3mEtbMrl/tmuqNjK+cSBcmb8F7A1EPhXwssfI=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -575,16 +577,22 @@ k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY=
 k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw=
 k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
 k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc=
+k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo=
+k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE=
 k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
 k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA=
 k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0=
+k8s.io/apiserver v0.34.2 h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE=
+k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI=
 k8s.io/cli-runtime v0.34.2 h1:cct1GEuWc3IyVT8MSCoIWzRGw9HJ/C5rgP32H60H6aE=
 k8s.io/cli-runtime v0.34.2/go.mod h1:X13tsrYexYUCIq8MarCBy8lrm0k0weFPTpcaNo7lms4=
 k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M=
 k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE=
 k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
 k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
+k8s.io/component-base v0.34.2 h1:HQRqK9x2sSAsd8+R4xxRirlTjowsg6fWCPwWYeSvogQ=
+k8s.io/component-base v0.34.2/go.mod h1:9xw2FHJavUHBFpiGkZoKuYZ5pdtLKe97DEByaA+hHbM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
diff --git a/pkg/license/signature.go b/pkg/license/signature.go
index 03acc0af..217312a6 100644
--- a/pkg/license/signature.go +++ b/pkg/license/signature.go @@ -5,32 +5,12 @@ import ( licensewrapper "github.com/replicatedhq/kotskinds/pkg/licensewrapper" ) - // VerifySignature verifies a license wrapper using the appropriate algorithm func VerifySignature(wrapper licensewrapper.LicenseWrapper) (licensewrapper.LicenseWrapper, error) { - if wrapper.V1 != nil { - // Use kotskinds built-in validation for v1beta1 licenses - _, err := wrapper.V1.ValidateLicense() - if err != nil { - return licensewrapper.LicenseWrapper{}, err - } - // ValidateLicense() verifies all signatures and field integrity - // Return the original wrapper since the license is already verified - return wrapper, nil - } - - if wrapper.V2 != nil { - // Use kotskinds built-in validation for v1beta2 licenses - _, err := wrapper.V2.ValidateLicense() - if err != nil { - return licensewrapper.LicenseWrapper{}, err - } - // ValidateLicense() verifies all signatures and field integrity - // Return the original wrapper since the license is already verified - return wrapper, nil - } - - return licensewrapper.LicenseWrapper{}, errors.New("license wrapper is empty") + if wrapper.IsEmpty() { + return licensewrapper.LicenseWrapper{}, errors.New("license wrapper is empty") + } + return wrapper, wrapper.VerifySignature() }
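Review bot: The new final line `return wrapper, wrapper.VerifySignature()` hands the caller the populated, unverified wrapper together with the error when verification fails, whereas the removed V1/V2 branches returned an empty `licensewrapper.LicenseWrapper{}` on failure. A caller that logs the error and carries on, or that inspects the wrapper before the error, would now be holding license data whose signature did not check out, so this path should keep failing closed: `if err := wrapper.VerifySignature(); err != nil { return licensewrapper.LicenseWrapper{}, err }` followed by `return wrapper, nil`. The removed comments stated that `ValidateLicense()` verifies all signatures and field integrity; whether the kotskinds `VerifySignature()` covers the same checks is not visible in this diff, so a test that feeds a tampered v1beta1 and a tampered v1beta2 license through this function would be worth adding with the change.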