implement output-signature and output-certificate flags

This commit breaks with past behavior in favor of two new flags. The `output` flags gets replaced with the new `output-signature` and `output-certificate` flags. Signed-off-by: Christian Rebischke <chris@shibumi.dev>
sigstore · Nov 10, 2021 · 3eaf1e6 · 3eaf1e6
1 parent 88313ee
commit 3eaf1e6
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 17 deletions.
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
@@ -22,16 +22,18 @@ import (
 )
 
 // SignBlobOptions is the top level wrapper for the sign-blob command.
+// The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled
 type SignBlobOptions struct {
-	Key          string
-	Base64Output bool
-	Output       string // TODO: this should be the root output file arg.
-	SecurityKey  SecurityKeyOptions
-	Fulcio       FulcioOptions
-	Rekor        RekorOptions
-	OIDC         OIDCOptions
-	Registry     RegistryOptions
-	Timeout      time.Duration
+	Key               string
+	Base64Output      bool
+	OutputSignature   string // TODO: this should be the root output file arg.
+	OutputCertificate string // TODO: this should be the root output file arg.
+	SecurityKey       SecurityKeyOptions
+	Fulcio            FulcioOptions
+	Rekor             RekorOptions
+	OIDC              OIDCOptions
+	Registry          RegistryOptions
+	Timeout           time.Duration
 }
 
 var _ Interface = (*SignBlobOptions)(nil)
@@ -50,9 +52,12 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
 		"whether to base64 encode the output")
 
-	cmd.Flags().StringVar(&o.Output, "output", "",
+	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
 
+	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
+		"write the certificate to FILE")
+
 	cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
 		"HTTP Timeout defaults to 30 seconds")
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
@@ -52,9 +52,10 @@ type KeyOpts struct {
 }
 
 // nolint
-func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, output string, timeout time.Duration) ([]byte, error) {
+func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string, timeout time.Duration) ([]byte, error) {
 	var payload []byte
 	var err error
+	var rekorBytes []byte
 
 	if payloadPath == "-" {
 		payload, err = io.ReadAll(os.Stdin)
@@ -79,7 +80,6 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 
 	if options.EnableExperimental() {
 		// TODO: Refactor with sign.go
-		var rekorBytes []byte
 		if sv.Cert != nil {
 			fmt.Fprintf(os.Stderr, "signing with ephemeral certificate:\n%s\n", string(sv.Cert))
 			rekorBytes = sv.Cert
@@ -101,8 +101,8 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
 	}
 
-	if output != "" {
-		f, err := os.Create(output)
+	if outputSignature != "" {
+		f, err := os.Create(outputSignature)
 		if err != nil {
 			return nil, err
 		}
@@ -131,5 +131,25 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		}
 	}
 
+	if outputCertificate != "" {
+		f, err := os.Create(outputCertificate)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+
+		if b64 {
+			_, err = f.Write([]byte(base64.StdEncoding.EncodeToString(rekorBytes)))
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			_, err = f.Write(rekorBytes)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	return sig, nil
 }
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
@@ -74,7 +74,7 @@ func SignBlob() *cobra.Command {
 				OIDCClientSecret:         o.OIDC.ClientSecret,
 			}
 			for _, blob := range args {
-				if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.Output, o.Timeout); err != nil {
+				if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.Timeout); err != nil {
 					return errors.Wrapf(err, "signing %s", blob)
 				}
 			}

diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -409,7 +409,7 @@ func TestSignBlob(t *testing.T) {
 		KeyRef:   privKeyPath1,
 		PassFunc: passFunc,
 	}
-	sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", time.Duration(30*time.Second))
+	sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", "", time.Duration(30*time.Second))
 	if err != nil {
 		t.Fatal(err)
 	}