From 5205495f49d3b25ed64dadfed4b585eec554f489 Mon Sep 17 00:00:00 2001
From: Ziwen Ning
Date: Wed, 26 Apr 2023 22:46:03 -0700
Subject: [PATCH] Add Cosign keyless mode required args for nerdctl compose

Signed-off-by: Ziwen Ning
---
 docs/cosign.md | 20 ++++++++++++++++++++
 pkg/cmd/compose/compose.go | 12 ++++++++++++
 pkg/composer/pull.go | 13 +++++++++++++
 pkg/composer/serviceparser/serviceparser.go | 12 ++++++++----
 4 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/docs/cosign.md b/docs/cosign.md
index a7530f6a80c..3aa3cb0af75 100644
--- a/docs/cosign.md
+++ b/docs/cosign.md
@@ -154,6 +154,26 @@ services:
       - 8081:80
 ```
+For keyless mode, the `docker-compose.yaml` will be:
+```
+$ cat docker-compose.yml
+services:
+  svc0:
+    build: .
+    image: ${REGISTRY}/svc1_image # replace with your registry
+    x-nerdctl-verify: cosign
+    x-nerdctl-sign: cosign
+    x-nerdctl-cosign-certificate-identity: name@example.com # or x-nerdctl-cosign-certificate-identity-regexp
+    x-nerdctl-cosign-certificate-oidc-issuer: https://accounts.example.com # or x-nerdctl-cosign-certificate-oidc-issuer-regexp
+    ports:
+      - 8080:80
+  svc1:
+    build: .
+    image: ${REGISTRY}/svc1_image # replace with your registry
+    ports:
+      - 8081:80
+```
+
 
 > The `env "COSIGN_PASSWORD="$COSIGN_PASSWORD""` part in the below commands is a walkaround to use rootful nerdctl and make the env variable visible to root (in sudo). You don't need this part if (1) you're using rootless, or (2) your `COSIGN_PASSWORD` is visible in root.
 
 First let's `build` and `push` the two services:
diff --git a/pkg/cmd/compose/compose.go b/pkg/cmd/compose/compose.go
index 43b06a30be1..1b5cd8d37c0 100644
--- a/pkg/cmd/compose/compose.go
+++ b/pkg/cmd/compose/compose.go
@@ -155,5 +155,17 @@ func imageVerifyOptionsFromCompose(ps *serviceparser.Service) types.ImageVerifyO
 	if keyVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 		opt.CosignKey = keyVal.(string)
 	}
+	if ciVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+		opt.CosignCertificateIdentity = ciVal.(string)
+	}
+	if cirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+		opt.CosignCertificateIdentityRegexp = cirVal.(string)
+	}
+	if coiVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+		opt.CosignCertificateOidcIssuer = coiVal.(string)
+	}
+	if coirVal, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+		opt.CosignCertificateOidcIssuerRegexp = coirVal.(string)
+	}
 	return opt
 }
diff --git a/pkg/composer/pull.go b/pkg/composer/pull.go
index bbdab6ceb03..59bb50a3cc9 100644
--- a/pkg/composer/pull.go
+++ b/pkg/composer/pull.go
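Review bot: Each of the four new `.(string)` assertions panics the whole compose invocation when the extension value in the compose file is not a string (a list, a number, or a null written by mistake), because the single-value form has no `ok` result; the pull.go hunk adds the same pattern for the same four keys. A two-value assertion on the map lookup removes the panic, e.g. `if v, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity].(string); ok { opt.CosignCertificateIdentity = v }`, and since a silently dropped identity or issuer weakens the verification policy the user wrote down, the non-string case should at least be logged through whatever logger this file uses. Returning it as an error would require `imageVerifyOptionsFromCompose` to grow an error result, as it currently returns only the options struct. The pre-existing `CosignKey` line has the same weakness and could be fixed in the same pass.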
@@ -57,6 +57,19 @@ func (c *Composer) pullServiceImage(ctx context.Context, image string, platform
 	if publicKey, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignPublicKey]; ok {
 		args = append(args, "--cosign-key="+publicKey.(string))
 	}
+	if certificateIdentity, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentity]; ok {
+		args = append(args, "--cosign-certificate-identity="+certificateIdentity.(string))
+	}
+	if certificateIdentityRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateIdentityRegexp]; ok {
+		args = append(args, "--cosign-certificate-identity-regexp="+certificateIdentityRegexp.(string))
+	}
+	if certificateOidcIssuer, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuer]; ok {
+		args = append(args, "--cosign-certificate-oidc-issuer="+certificateOidcIssuer.(string))
+	}
+	if certificateOidcIssuerRegexp, ok := ps.Unparsed.Extensions[serviceparser.ComposeCosignCertificateOidcIssuerRegexp]; ok {
+		args = append(args, "--cosign-certificate-oidc-issuer-regexp="+certificateOidcIssuerRegexp.(string))
+	}
+
 	if c.Options.Experimental {
 		args = append(args, "--experimental")
 	}
diff --git a/pkg/composer/serviceparser/serviceparser.go b/pkg/composer/serviceparser/serviceparser.go
index 971e96d8bd4..0e558a17ce1 100644
--- a/pkg/composer/serviceparser/serviceparser.go
+++ b/pkg/composer/serviceparser/serviceparser.go
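Review bot: Nothing in this hunk checks that a keyless verification configuration is complete before the child `pull` is spawned: a service that sets `x-nerdctl-verify: cosign` with no public key and only one half of the identity/issuer pair (or neither) still has its flags appended one by one, and the incompleteness can only surface as a failure from the child process, assuming the pull command enforces it (not visible here). Checking the combination once, here or in serviceparser where the keys are declared, would fail closed with a message that names the service and the missing key, e.g. `return fmt.Errorf("service %q: cosign keyless verification needs a certificate identity (or regexp) and an OIDC issuer (or regexp)", <service name>)`, instead of a generic child-process error. Whether `pullServiceImage` returns an error is not visible from the hunk; its signature begins before the hunk and the body continues after it.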
@@ -37,10 +37,14 @@ import (
 
 // ComposeExtensionKey defines fields used to implement extension features.
 const (
-	ComposeVerify           = "x-nerdctl-verify"
-	ComposeCosignPublicKey  = "x-nerdctl-cosign-public-key"
-	ComposeSign             = "x-nerdctl-sign"
-	ComposeCosignPrivateKey = "x-nerdctl-cosign-private-key"
+	ComposeVerify                            = "x-nerdctl-verify"
+	ComposeCosignPublicKey                   = "x-nerdctl-cosign-public-key"
+	ComposeSign                              = "x-nerdctl-sign"
+	ComposeCosignPrivateKey                  = "x-nerdctl-cosign-private-key"
+	ComposeCosignCertificateIdentity         = "x-nerdctl-cosign-certificate-identity"
+	ComposeCosignCertificateIdentityRegexp   = "x-nerdctl-cosign-certificate-identity-regexp"
+	ComposeCosignCertificateOidcIssuer       = "x-nerdctl-cosign-certificate-oidc-issuer"
+	ComposeCosignCertificateOidcIssuerRegexp = "x-nerdctl-cosign-certificate-oidc-issuer-regexp"
 )
 
 func warnUnknownFields(svc types.ServiceConfig) {
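Review bot: The four new keys are declared without any comment saying how they relate to each other or to `ComposeCosignPublicKey`, although the commit title calls them required for keyless mode and the docs hunk describes identity/identity-regexp and issuer/issuer-regexp as alternatives. A short doc comment on the group would let a maintainer see the contract without reading cosign's CLI: `// Keyless cosign verification: one of ComposeCosignCertificateIdentity or ComposeCosignCertificateIdentityRegexp, plus one of ComposeCosignCertificateOidcIssuer or ComposeCosignCertificateOidcIssuerRegexp; not used together with ComposeCosignPublicKey.` The last clause is my reading of the docs hunk, which shows the keyless example without a public key; confirm it against the verify path before stating it. A blank line between the key-based and the keyless constants would also make the two groups visible in the block.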