This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

web layout tool generates suggested in-toto-sign commands with incorrect usage #53

Open
nealmcb opened this issue May 5, 2022 · 4 comments

Comments

@nealmcb

nealmcb commented May 5, 2022

Description of issue or feature request:

The web layout tool generates a suggested in-toto-sign command at the end:

in-toto-sign --key <PROJECT-OWNER> --file <PROJECT-OWNER> <YOUR LAYOUT>.layout

Filling in the blanks leads to an error.

Current behavior:

$ in-toto-sign --key powner -file powner untitled-165179314087.layout
usage: in-toto-sign [-h] -f <path> [-k <path> [<path> ...]] [-t {rsa,ed25519} [{rsa,ed25519} ...]] [-p] [-g [<id> [<id> ...]]] [--gpg-home <path>] [-o <path>] [-a] [--verify]
                    [-v | -q] [--version]
in-toto-sign: error: unrecognized arguments: powner untitled-165179314087.layout

Expected behavior:
Successful signature generated.

I'm using in-toto-sign 1.2.0

I would also suggest using the self-explanatory --output <path> argument in the recommended command. Without it, I'm left wondering what happens to the input and where the signature goes.

@adityasaky
Member

Hi @nealmcb, I think there's an error in your command.

  1. It's either -f or --file.

  2. You don't need to list powner as an argument for --file.

Can you try this?

in-toto-sign --key powner --file untitled-165179314087.layout

@lukpueh
Member

lukpueh commented May 9, 2022

What about in-toto-sign --help? It does discuss your question in a few places, e.g.:

  * write signed metadata to a specified path. If no output path is specified,

    + layout metadata is written to the path of the input file,
    + link metadata is written to '<name>.<keyid prefix>.link'.

or

  -o <path>, --output <path>
                        path to location where the metadata file is stored after signing. If not passed, layout
                        metadata is written to the path of the input file and link metadata is written to
                        '<name>.<keyid prefix>.link'

and also in EXAMPLE USAGE

Sign 'unsigned.layout' with two keys and write it to 'root.layout'.

  in-toto-sign -f unsigned.layout -k priv_key1 priv_key2 -o root.layout

Replace signature in link file and write to default filename, i.e.
'package.<priv_key keyid prefix>.link'.

  in-toto-sign -f package.2f89b927.link -k priv_key

@lukpueh
Member

lukpueh commented May 9, 2022

Oh, never mind what I just wrote. I got confused by @adityasaky's comment. @nealmcb isn't reporting an issue with in-toto-sign, but rather with the layout web tool. I suggest we transfer the issue to the corresponding repo.

@lukpueh lukpueh transferred this issue from in-toto/in-toto May 9, 2022
@adityasaky
Member

Ahh I just got it, sorry for causing confusion. :)
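
Added example, not part of the thread or of in-toto's code: a Python argparse stand-in rebuilt from the usage line quoted in the issue, used to check a generated in-toto-sign hint before it is shown to users. The parser, `check` and the short-flag-only options are assumptions; the command strings are the ones from the thread.

```python
import argparse


class UsageError(Exception):
    """Raised instead of exiting when a command line does not parse."""


class _Parser(argparse.ArgumentParser):
    def error(self, message):
        raise UsageError(message)


def build_parser():
    # Hypothetical stand-in built only from the usage line quoted in the issue.
    # Options whose long name is not on the page are modelled by short flag only.
    p = _Parser(prog="in-toto-sign")
    p.add_argument("-f", "--file", required=True, metavar="<path>")
    p.add_argument("-k", "--key", nargs="+", metavar="<path>")
    p.add_argument("-t", nargs="+", choices=["rsa", "ed25519"])
    p.add_argument("-p", action="store_true")
    p.add_argument("-g", nargs="*", metavar="<id>")
    p.add_argument("--gpg-home", metavar="<path>")
    p.add_argument("-o", "--output", metavar="<path>")
    p.add_argument("-a", action="store_true")
    p.add_argument("--verify", action="store_true")
    return p


def check(command):
    """Return (ok, detail): parsed options on success, parser error otherwise."""
    argv = command.split()[1:]  # drop the program name
    try:
        return True, vars(build_parser().parse_args(argv))
    except UsageError as exc:
        return False, str(exc)


LAYOUT = "untitled-165179314087.layout"
# Web tool template with the blanks filled in, as reported in the issue.
TEMPLATE = f"in-toto-sign --key powner --file powner {LAYOUT}"
# The command as actually typed: '-file' is read as '-f' with value 'ile'.
AS_TYPED = f"in-toto-sign --key powner -file powner {LAYOUT}"
# One key, one file, explicit output path (file name 'signed.layout' is constructed).
FIXED = f"in-toto-sign --key powner --file {LAYOUT} --output signed.layout"

if __name__ == "__main__":
    for cmd in (TEMPLATE, AS_TYPED, FIXED):
        print(cmd, "->", check(cmd))
```

The template is rejected even with `--file` spelled correctly, because `--file` takes a single path and the layout name is left over as an unrecognized argument.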
