make COSIGN_REPOSITORY use explicit again

Signed-off-by: Jake Sanders <jsand@google.com>

cmd/cosign/cli/attach/sig.go

@@ -43,7 +43,11 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
 	if err != nil {
 		return err
 	}
-	digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...)
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return err
+	}
+	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -67,7 +71,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
 		return err
 	}
 
-	se, err := ociremote.SignedEntity(digest, regOpts.ClientOpts(ctx)...)
+	se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -79,7 +83,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
 	}
 
 	// Publish the signatures associated with this entity
-	return ociremote.WriteSignatures(digest.Repository, newSE, regOpts.ClientOpts(ctx)...)
+	return ociremote.WriteSignatures(digest.Repository, newSE, ociremoteOpts...)
 }
 
 type SignatureArgType uint8

cmd/cosign/cli/attest/attest.go

@@ -86,7 +86,11 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	if err != nil {
 		return errors.Wrap(err, "parsing reference")
 	}
-	digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...)
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return err
+	}
+	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -151,7 +155,7 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 		return err
 	}
 
-	se, err := ociremote.SignedEntity(digest, regOpts.ClientOpts(ctx)...)
+	se, err := ociremote.SignedEntity(digest, ociremoteOpts...)
 	if err != nil {
 		return err
 	}
@@ -163,5 +167,5 @@ func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOpt
 	}
 
 	// Publish the attestations associated with this entity
-	return ociremote.WriteAttestations(digest.Repository, newSE, regOpts.ClientOpts(ctx)...)
+	return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...)
 }

cmd/cosign/cli/download/sbom.go

@@ -23,7 +23,7 @@ import (
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/pkg/oci/remote"
+	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 )
 
 func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef string, out io.Writer) ([]string, error) {
@@ -32,12 +32,16 @@ func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef stri
 		return nil, err
 	}
 
-	opts := append(regOpts.ClientOpts(ctx),
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return nil, err
+	}
+	ociremoteOpts = append(ociremoteOpts,
 		// TODO(mattmoor): This isn't really "signatures", consider shifting to
 		// an SBOMs accessor?
-		remote.WithSignatureSuffix(remote.SBOMTagSuffix))
+		ociremote.WithSignatureSuffix(ociremote.SBOMTagSuffix))
 
-	se, err := remote.SignedEntity(ref, opts...)
+	se, err := ociremote.SignedEntity(ref, ociremoteOpts...)
 	if err != nil {
 		return nil, err
 	}

cmd/cosign/cli/download/signature.go

@@ -30,7 +30,11 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef
 	if err != nil {
 		return err
 	}
-	signatures, err := cosign.FetchSignaturesForReference(ctx, ref, regOpts.ClientOpts(ctx)...)
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return err
+	}
+	signatures, err := cosign.FetchSignaturesForReference(ctx, ref, ociremoteOpts...)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/generate/generate.go

@@ -32,7 +32,11 @@ func GenerateCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef
 	if err != nil {
 		return err
 	}
-	digest, err := ociremote.ResolveDigest(ref, regOpts.ClientOpts(ctx)...)
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return err
+	}
+	digest, err := ociremote.ResolveDigest(ref, ociremoteOpts...)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/options/registry.go

@@ -1,4 +1,3 @@
-//
 // Copyright 2021 The Sigstore Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,6 +19,7 @@ import (
 	"crypto/tls"
 	"net/http"
 
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 	"github.com/spf13/cobra"
@@ -40,12 +40,19 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) {
 	o.RefOpts.AddFlags(cmd)
 }
 
-func (o *RegistryOptions) ClientOpts(ctx context.Context) []ociremote.Option {
+func (o *RegistryOptions) ClientOpts(ctx context.Context) ([]ociremote.Option, error) {
 	opts := []ociremote.Option{ociremote.WithRemoteOptions(o.GetRegistryClientOpts(ctx)...)}
 	if o.RefOpts.TagPrefix != "" {
 		opts = append(opts, ociremote.WithPrefix(o.RefOpts.TagPrefix))
 	}
-	return opts
+	targetRepoOverride, err := ociremote.GetEnvTargetRepository()
+	if err != nil {
+		return nil, err
+	}
+	if (targetRepoOverride != name.Repository{}) {
+		opts = append(opts, ociremote.WithTargetRepository(targetRepoOverride))
+	}
+	return opts, nil
 }
 
 func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Option {

cmd/cosign/cli/sign/sign.go

@@ -110,12 +110,12 @@ func UploadToTlog(ctx context.Context, sv *CertSignVerifier, rekorURL string, up
 	return Bundle(entry), nil
 }
 
-func GetAttachedImageRef(ref name.Reference, attachment string, remoteOpts ...remote.Option) (name.Reference, error) {
+func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremote.Option) (name.Reference, error) {
 	if attachment == "" {
 		return ref, nil
 	}
 	if attachment == "sbom" {
-		return ociremote.SBOMTag(ref, ociremote.WithRemoteOptions(remoteOpts...))
+		return ociremote.SBOMTag(ref, opts...)
 	}
 	return nil, fmt.Errorf("unknown attachment type %s", attachment)
 }
@@ -133,8 +133,6 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a
 		}
 	}
 
-	remoteOpts := regOpts.GetRegistryClientOpts(ctx)
-
 	sv, err := SignerFromKeyOpts(ctx, certPath, ko)
 	if err != nil {
 		return errors.Wrap(err, "getting signer")
@@ -161,12 +159,16 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a
 		if err != nil {
 			return errors.Wrap(err, "parsing reference")
 		}
-		ref, err = GetAttachedImageRef(ref, attachment, remoteOpts...)
+		opts, err := regOpts.ClientOpts(ctx)
+		if err != nil {
+			return errors.Wrap(err, "constructing client options")
+		}
+		ref, err = GetAttachedImageRef(ref, attachment, opts...)
 		if err != nil {
 			return fmt.Errorf("unable to resolve attachment %s for image %s", attachment, inputImg)
 		}
 
-		se, err := ociremote.SignedEntity(ref, regOpts.ClientOpts(ctx)...)
+		se, err := ociremote.SignedEntity(ref, opts...)
 		if err != nil {
 			return err
 		}
@@ -232,8 +234,13 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a
 				return err
 			}
 
+			walkOpts, err := regOpts.ClientOpts(ctx)
+			if err != nil {
+				return errors.Wrap(err, "constructing client options")
+			}
+
 			// Publish the signatures associated with this entity
-			if err := ociremote.WriteSignatures(digest.Repository, newSE, regOpts.ClientOpts(ctx)...); err != nil {
+			if err := ociremote.WriteSignatures(digest.Repository, newSE, walkOpts...); err != nil {
 				return err
 			}
 			return ErrDone

cmd/cosign/cli/triangulate/triangulate.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/pkg/cosign"
 	ociremote "github.com/sigstore/cosign/pkg/oci/remote"
@@ -31,14 +32,19 @@ func MungeCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef str
 		return err
 	}
 
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "constructing client options")
+	}
+
 	var dstRef name.Tag
 	switch attachmentType {
 	case cosign.Signature:
-		dstRef, err = ociremote.SignatureTag(ref, regOpts.ClientOpts(ctx)...)
+		dstRef, err = ociremote.SignatureTag(ref, ociremoteOpts...)
 	case cosign.SBOM:
-		dstRef, err = ociremote.SBOMTag(ref, regOpts.ClientOpts(ctx)...)
+		dstRef, err = ociremote.SBOMTag(ref, ociremoteOpts...)
 	case cosign.Attestation:
-		dstRef, err = ociremote.AttestationTag(ref, regOpts.ClientOpts(ctx)...)
+		dstRef, err = ociremote.AttestationTag(ref, ociremoteOpts...)
 	default:
 		err = fmt.Errorf("unknown attachment type %s", attachmentType)
 	}

cmd/cosign/cli/verify/verify.go

@@ -68,10 +68,13 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	if !options.OneOf(c.KeyRef, c.Sk) && !options.EnableExperimental() {
 		return &options.KeyParseError{}
 	}
-
+	ociremoteOpts, err := c.ClientOpts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "constructing client options")
+	}
 	co := &cosign.CheckOpts{
 		Annotations:        c.Annotations.Annotations,
-		RegistryClientOpts: c.RegistryOptions.ClientOpts(ctx),
+		RegistryClientOpts: ociremoteOpts,
 		CertEmail:          c.CertEmail,
 	}
 	if c.CheckClaims {
@@ -108,7 +111,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		if err != nil {
 			return errors.Wrap(err, "parsing reference")
 		}
-		ref, err = sign.GetAttachedImageRef(ref, c.Attachment, c.RegistryOptions.GetRegistryClientOpts(ctx)...)
+		ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...)
 		if err != nil {
 			return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img)
 		}

cmd/cosign/cli/verify/verify_attestation.go

@@ -66,8 +66,13 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		return &options.KeyParseError{}
 	}
 
+	ociremoteOpts, err := c.ClientOpts(ctx)
+	if err != nil {
+		return errors.Wrap(err, "constructing client options")
+	}
+
 	co := &cosign.CheckOpts{
-		RegistryClientOpts: c.ClientOpts(ctx),
+		RegistryClientOpts: ociremoteOpts,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier

pkg/oci/remote/digest.go

@@ -23,10 +23,7 @@ import (
 // If the reference is by digest already, it simply extracts the digest.
 // Otherwise, it looks up the digest from the registry.
 func ResolveDigest(ref name.Reference, opts ...Option) (name.Digest, error) {
-	o, err := makeOptions(ref.Context(), opts...)
-	if err != nil {
-		return name.Digest{}, err
-	}
+	o := makeOptions(ref.Context(), opts...)
 	if d, ok := ref.(name.Digest); ok {
 		return d, nil
 	}

pkg/oci/remote/image.go

@@ -23,10 +23,7 @@ import (
 
 // SignedImage provides access to a remote image reference, and its signatures.
 func SignedImage(ref name.Reference, options ...Option) (oci.SignedImage, error) {
-	o, err := makeOptions(ref.Context(), options...)
-	if err != nil {
-		return nil, err
-	}
+	o := makeOptions(ref.Context(), options...)
 	ri, err := remoteImage(ref, o.ROpt...)
 	if err != nil {
 		return nil, err

pkg/oci/remote/index.go

@@ -23,10 +23,7 @@ import (
 
 // SignedImageIndex provides access to a remote index reference, and its signatures.
 func SignedImageIndex(ref name.Reference, options ...Option) (oci.SignedImageIndex, error) {
-	o, err := makeOptions(ref.Context(), options...)
-	if err != nil {
-		return nil, err
-	}
+	o := makeOptions(ref.Context(), options...)
 	ri, err := remoteIndex(ref, o.ROpt...)
 	if err != nil {
 		return nil, err

pkg/oci/remote/options.go

@@ -21,6 +21,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/pkg/errors"
 )
 
 const (
@@ -29,7 +30,7 @@ const (
 	AttestationTagSuffix = "att"
 	CustomTagPrefix      = ""
 
-	RepoOverrideKey = "COSIGN_REPOSITORY"
+	RepoOverrideEnvKey = "COSIGN_REPOSITORY"
 )
 
 // Option is a functional option for remote operations.
@@ -51,7 +52,7 @@ var defaultOptions = []remote.Option{
 	// TODO(mattmoor): Incorporate user agent.
 }
 
-func makeOptions(target name.Repository, opts ...Option) (*options, error) {
+func makeOptions(target name.Repository, opts ...Option) *options {
 	o := &options{
 		SignatureSuffix:   SignatureTagSuffix,
 		AttestationSuffix: AttestationTagSuffix,
@@ -65,20 +66,11 @@ func makeOptions(target name.Repository, opts ...Option) (*options, error) {
 		OriginalOptions: opts,
 	}
 
-	// Before applying options, allow the environment to override things.
-	if ro := os.Getenv(RepoOverrideKey); ro != "" {
-		repo, err := name.NewRepository(ro)
-		if err != nil {
-			return nil, err
-		}
-		o.TargetRepository = repo
-	}
-
 	for _, option := range opts {
 		option(o)
 	}
 
-	return o, nil
+	return o
 }
 
 // WithPrefix is a functional option for overriding the default
@@ -128,3 +120,14 @@ func WithTargetRepository(repo name.Repository) Option {
 		o.TargetRepository = repo
 	}
 }
+
+// GetEnvTargetRepository returns the Repository specified by
+// `os.Getenv(RepoOverrideEnvKey)`, or the empty value if not set.
+// Returns an error if the value is set but cannot be parsed.
+func GetEnvTargetRepository() (name.Repository, error) {
+	if ro := os.Getenv(RepoOverrideEnvKey); ro != "" {
+		repo, err := name.NewRepository(ro)
+		return repo, errors.Wrap(err, "parsing $"+RepoOverrideEnvKey)
+	}
+	return name.Repository{}, nil
+}