implement output-signature and output-certificate flags
This commit breaks with past behavior in favor of two new flags.
The `output` flag gets replaced with the new `output-signature` and `output-certificate` flags.

Signed-off-by: Christian Rebischke <chris@shibumi.dev>
naveensrinivasan authored and shibumi committed Nov 15, 2021
1 parent 88313ee commit a073b45
Showing 7 changed files with 58 additions and 20 deletions.
29 changes: 19 additions & 10 deletions cmd/cosign/cli/options/signblob.go
Expand Up @@ -22,16 +22,19 @@ import (
)

// SignBlobOptions is the top level wrapper for the sign-blob command.
// The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled
type SignBlobOptions struct {
Key string
Base64Output bool
Output string // TODO: this should be the root output file arg.
SecurityKey SecurityKeyOptions
Fulcio FulcioOptions
Rekor RekorOptions
OIDC OIDCOptions
Registry RegistryOptions
Timeout time.Duration
Key string
Base64Output bool
Output string // deprecated: TODO remove when the output flag is fully deprecated
OutputSignature string // TODO: this should be the root output file arg.
OutputCertificate string // TODO: this should be the root output file arg.
SecurityKey SecurityKeyOptions
Fulcio FulcioOptions
Rekor RekorOptions
OIDC OIDCOptions
Registry RegistryOptions
Timeout time.Duration
}

var _ Interface = (*SignBlobOptions)(nil)
Expand All @@ -50,9 +53,15 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
"whether to base64 encode the output")

cmd.Flags().StringVar(&o.Output, "output", "",
cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
"write the signature to FILE")

// TODO: remove when output flag is fully deprecated
cmd.Flags().StringVar(&o.Output, "output", "", "write the signature to FILE")

cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
"write the certificate to FILE")

cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
"HTTP Timeout defaults to 30 seconds")
}
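Review bot: The deprecated `--output` flag registered at L58 is kept as an ordinary flag, so `sign-blob --help` lists it next to `--output-signature` with the identical help text and no hint that it is going away; pflag expresses this directly with `_ = cmd.Flags().MarkDeprecated("output", "use --output-signature instead")`, which keeps the flag working, hides it from help and prints the notice when it is used, and would make the hand-written warning in cmd/cosign/cli/signblob.go unnecessary. The struct comment at L24 says `--output-certificate` is only honoured when COSIGN_EXPERIMENTAL is enabled, but the flag's help string at L61 does not say so; consider `"write the certificate to FILE (only used when COSIGN_EXPERIMENTAL is enabled)"`. AddFlags starts outside this hunk.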
4 changes: 2 additions & 2 deletions cmd/cosign/cli/sign.go
Expand Up @@ -17,9 +17,9 @@ package cli

import (
"flag"

"github.com/pkg/errors"
"github.com/spf13/cobra"
"github.com/spf13/viper"

"github.com/sigstore/cosign/cmd/cosign/cli/generate"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
Expand All @@ -28,6 +28,7 @@ import (

func Sign() *cobra.Command {
o := &options.SignOptions{}
viper.RegisterAlias("output", "output-signature")

cmd := &cobra.Command{
Use: "sign",
Expand Down Expand Up @@ -98,7 +99,6 @@ func Sign() *cobra.Command {
return nil
},
}

o.AddFlags(cmd)
return cmd
}
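Review bot: `viper.RegisterAlias("output", "output-signature")` at L83 aliases viper configuration keys only; the flags installed by `o.AddFlags(cmd)` are cobra/pflag flags, and nothing in this hunk or elsewhere on this page binds them to viper, so as far as the commit shows a user passing `--output` to `sign` gets no aliasing from this line. If the goal is the same deprecation path as sign-blob, the pflag mechanism is `cmd.Flags().MarkDeprecated("output", "use --output-signature instead")` (or the manual fallback used in signblob.go), and the new viper requirement added to go.mod could then be dropped. The alias is also process-global state that is re-registered on every `Sign()` call, which is harmless but worth noting. Sign continues outside the hunk.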
28 changes: 24 additions & 4 deletions cmd/cosign/cli/sign/sign_blob.go
Expand Up @@ -52,9 +52,10 @@ type KeyOpts struct {
}

// nolint
func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, output string, timeout time.Duration) ([]byte, error) {
func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string, timeout time.Duration) ([]byte, error) {
var payload []byte
var err error
var rekorBytes []byte

if payloadPath == "-" {
payload, err = io.ReadAll(os.Stdin)
Expand All @@ -79,7 +80,6 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption

if options.EnableExperimental() {
// TODO: Refactor with sign.go
var rekorBytes []byte
if sv.Cert != nil {
fmt.Fprintf(os.Stderr, "signing with ephemeral certificate:\n%s\n", string(sv.Cert))
rekorBytes = sv.Cert
Expand All @@ -101,8 +101,8 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
}

if output != "" {
f, err := os.Create(output)
if outputSignature != "" {
f, err := os.Create(outputSignature)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -131,5 +131,25 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
}
}

if outputCertificate != "" {
f, err := os.Create(outputCertificate)
if err != nil {
return nil, err
}
defer f.Close()

if b64 {
_, err = f.Write([]byte(base64.StdEncoding.EncodeToString(rekorBytes)))
if err != nil {
return nil, err
}
} else {
_, err = f.Write(rekorBytes)
if err != nil {
return nil, err
}
}
}

return sig, nil
}
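Review bot: The new `outputCertificate` block at L132-L150 writes `rekorBytes`, which is only assigned inside the `options.EnableExperimental()` branch (L111-L116), so with `--output-certificate` set and experimental mode off the file is created and left empty (base64 of nil is "") with no diagnostic; a guard such as `if outputCertificate != "" && len(rekorBytes) == 0 { return nil, fmt.Errorf("--output-certificate requested but no certificate was produced; is COSIGN_EXPERIMENTAL enabled?") }` before the write would make that visible instead of leaving a downstream verifier with an empty "certificate". The `else` branch for `sv.Cert == nil` is outside the hunk, so it is worth confirming that `rekorBytes` cannot hold a public key rather than a certificate before it is written under that name. Both write blocks also discard the error from the deferred `f.Close()`, so a write that fails at close time is not reported; checking `f.Close()` explicitly after the writes would match the error handling around them. SignBlobCmd begins before this hunk and its middle section is not shown.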
12 changes: 9 additions & 3 deletions cmd/cosign/cli/signblob.go
Expand Up @@ -16,12 +16,13 @@
package cli

import (
"fmt"
"github.com/pkg/errors"
"github.com/spf13/cobra"

"github.com/sigstore/cosign/cmd/cosign/cli/generate"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
"github.com/spf13/cobra"
"os"
)

func SignBlob() *cobra.Command {
Expand Down Expand Up @@ -74,7 +75,12 @@ func SignBlob() *cobra.Command {
OIDCClientSecret: o.OIDC.ClientSecret,
}
for _, blob := range args {
if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.Output, o.Timeout); err != nil {
// TODO: remove when the output flag has been deprecated
if o.Output != "" {
fmt.Fprintln(os.Stderr, "WARNING: the '--output' flag is deprecated and will be removed in the future. Use '--output-signature")
o.OutputSignature = o.Output
}
if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.Timeout); err != nil {
return errors.Wrapf(err, "signing %s", blob)
}
}
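Review bot: The deprecation fallback at L177-L181 sits inside `for _, blob := range args`, so the warning is printed once per blob and the assignment repeats each iteration; it belongs above the loop. When both `--output` and `--output-signature` are given, the deprecated flag silently overwrites the new one at L180; either reject the combination or only fall back when `o.OutputSignature == ""`. The warning string at L179 is also missing its closing quote (`Use '--output-signature` should end with `'`), and the import block places "fmt" and "os" among third-party packages where goimports would group them with the standard library. SignBlob continues outside the hunk on both sides.
```go
	// TODO: remove when the output flag has been deprecated
	if o.Output != "" {
		fmt.Fprintln(os.Stderr, "WARNING: the '--output' flag is deprecated and will be removed in the future. Use '--output-signature'")
		if o.OutputSignature == "" {
			o.OutputSignature = o.Output
		}
	}
	for _, blob := range args {
		// … unchanged: SignBlobCmd call and error wrapping …
	}
```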
2 changes: 2 additions & 0 deletions doc/cosign_sign-blob.md


1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -49,6 +49,7 @@ require (
github.com/miekg/pkcs11 v1.0.3
github.com/onsi/gomega v1.16.0 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/spf13/viper v1.8.1
github.com/urfave/cli v1.22.5 // indirect
go.opentelemetry.io/contrib v1.1.0 // indirect
go.opentelemetry.io/proto/otlp v0.10.0 // indirect
2 changes: 1 addition & 1 deletion test/e2e_test.go
Expand Up @@ -409,7 +409,7 @@ func TestSignBlob(t *testing.T) {
KeyRef: privKeyPath1,
PassFunc: passFunc,
}
sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", time.Duration(30*time.Second))
sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", "", time.Duration(30*time.Second))
if err != nil {
t.Fatal(err)
}
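Review bot: The updated call at L209 passes `""` for both output paths, so the new certificate-writing branch in SignBlobCmd is not exercised anywhere on this page; a case that passes a `t.TempDir()` path as the certificate output (under the experimental setting that branch depends on) and asserts the file is non-empty would cover it. TestSignBlob continues outside the hunk.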
