fix: rouge options surrounding hard PKI

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
anchore · Jan 20, 2023 · f5797e3 · f5797e3
1 parent 738b869
commit f5797e3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/cmd/syft/cli/attest.go b/cmd/syft/cli/attest.go
@@ -21,7 +21,7 @@ const (
 )
 
 //nolint:dupl
-func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions) *cobra.Command {
+func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po *options.PackagesOptions, ao *options.AttestOptions) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "attest --output [FORMAT] <IMAGE>",
 		Short: "Generate an SBOM as an attestation for the given [SOURCE] container image",
@@ -50,11 +50,17 @@ func Attest(v *viper.Viper, app *config.Application, ro *options.RootOptions, po
 		},
 	}
 
-	// syft attest is an enhancment of the packages command, so it should have the same flags
+	// syft attest is an enhancement of the packages command, so it should have the same flags
 	err := po.AddFlags(cmd, v)
 	if err != nil {
 		log.Fatal(err)
 	}
 
+	// syft attest has its own options not included as part of the packages command
+	err = ao.AddFlags(cmd, v)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	return cmd
 }
diff --git a/cmd/syft/cli/attest/attest.go b/cmd/syft/cli/attest/attest.go
@@ -131,9 +131,18 @@ func execWorker(app *config.Application, si source.Input, writer sbom.Writer) <-
 			}
 
 			args := []string{"attest", si.UserInput, "--type", "custom", "--predicate", f.Name()}
+			if app.Attest.Key != "" {
+				args = append(args, "--key", app.Attest.Key)
+			}
+
 			execCmd := exec.Command(cmd, args...)
 			execCmd.Env = os.Environ()
-			execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+			if app.Attest.Key != "" {
+				execCmd.Env = append(execCmd.Env, fmt.Sprintf("COSIGN_PASSWORD=%s", app.Attest.Password))
+			} else {
+				// no key provided, use cosign's keyless mode
+				execCmd.Env = append(execCmd.Env, "COSIGN_EXPERIMENTAL=1")
+			}
 
 			// bus adapter for ui to hook into stdout via an os pipe
 			r, w, err := os.Pipe()

diff --git a/cmd/syft/cli/commands.go b/cmd/syft/cli/commands.go
@@ -45,12 +45,13 @@ func New() (*cobra.Command, error) {
 	// we also need the command to have information about the `root` options because of this alias
 	ro := &options.RootOptions{}
 	po := &options.PackagesOptions{}
+	ao := &options.AttestOptions{}
 	packagesCmd := Packages(v, app, ro, po)
 
 	// root options are also passed to the attestCmd so that a user provided config location can be discovered
 	poweruserCmd := PowerUser(v, app, ro)
 	convertCmd := Convert(v, app, ro, po)
-	attestCmd := Attest(v, app, ro, po)
+	attestCmd := Attest(v, app, ro, po, ao)
 
 	// rootCmd is currently an alias for the packages command
 	rootCmd := &cobra.Command{

diff --git a/internal/config/attest.go b/internal/config/attest.go
@@ -3,9 +3,11 @@ package config
 import "github.com/spf13/viper"
 
 type attest struct {
-	key string `yaml:"key" json:"key" mapstructure:"key"`
+	Key      string `yaml:"key" json:"key" mapstructure:"key"`
+	Password string `yaml:"password" json:"password" mapstructure:"password"`
 }
 
 func (cfg attest) loadDefaultValues(v *viper.Viper) {
-	v.SetDefault("attest.key", "key.pub")
+	v.SetDefault("attest.key", "")
+	v.SetDefault("attest.password", "")
 }