implement a new flag for sign-blob subcommand to save certificate to disk or stdout #1016
Conversation
425f781 to 74a15c9
cmd/cosign/cli/sign/sign_blob.go
Outdated
@@ -76,9 +76,9 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption | |||
return nil, errors.Wrap(err, "signing blob") | |||
} | |||
|
|||
var rekorBytes []byte |
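Review bot: the certificate write path discussed in this thread is only reached when COSIGN_EXPERIMENTAL=1 is set, so a user who passes the new output flag without that variable gets no file and no message; the visible context (`errors.Wrap(err, "signing blob")` and `var rekorBytes []byte`) shows the error handling is otherwise explicit. Either state the condition in the flag's usage string or return an error when the flag is set and no certificate was produced, so the missing file is noticed at signing time rather than when someone tries to verify.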
It seems like this will only pick up the public key when COSIGN_EXPERIMENTAL=1 is enabled. That mostly makes sense to me since otherwise you probably already have the key, but I would caveat in the doc string or somewhere else.
May also be worth adding for the sign subcommand too?
we did the same in #1021
cmd/cosign/cli/options/signblob.go
Outdated
@@ -49,4 +50,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { | |||
|
|||
cmd.Flags().StringVar(&o.Output, "output", "", | |||
"write the signature to FILE") | |||
|
|||
cmd.Flags().StringVar(&o.PubKeyOutput, "pubkey-output", "", |
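Review bot: the flag name `pubkey-output` on the added `cmd.Flags().StringVar` breaks the pattern of the existing `output` flag two lines above and misnames what keyless mode writes, which is a certificate rather than a bare public key; `output-certificate`, with `output-signature` as the counterpart to `"write the signature to FILE"`, reads consistently and tells the reader which artifact each file is. The usage string for the new flag is cut off in this rendering, so confirm it also names the COSIGN_EXPERIMENTAL condition under which the file is written.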
What about changing this to --output-cert?
I think it should always be a cert for the keyless modes right?
Yeah, i think that's more clear.
Yes :D just realized this. I like your PR more, but I am not sure if changing
I think I'm fine with this breaking change. It's pretty minor and important for usability. If we need to we could always alias it for a release in cobra.
54280e4 to 77706ed
@@ -22,16 +22,18 @@ import ( | |||
) | |||
|
|||
// SignBlobOptions is the top level wrapper for the sign-blob command. | |||
// The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled |
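Review bot: the COSIGN_EXPERIMENTAL caveat added as a doc comment on `SignBlobOptions` is visible only to readers of the Go source; the user who sets `--output-certificate` sees the flag's usage string, so the same sentence belongs there, and the command should warn or fail when the flag is set but no certificate is produced.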
@asraa is this docstring in the right position? I thought about adding it to the SignBlob function, but the SignBlob function has a // nolint on top... I am not sure if I can have docstrings and nolint at the same time.
77706ed to 3eaf1e6
@developer-guy @dlorenc done. Or do you prefer the short form for commands? Right now I chose
To make it more consistent with the
Good argument @Dentrax
@developer-guy do you mean editor permissions to this PR? I have no idea if this is possible in GitHub. I think you can fork my fork and then create a PR against my fork and I could merge it in my fork :D OR you just drop me a patch file via mail. What would you like to change in this PR? EDIT: or do you mean collab in the cosign repository? I am not involved with cosign, too :D :D
nice!
With the new release of goreleaser v1.0.0, I think we can merge this PR and plan to release on the upcoming cosign version. 🙏 Should we create
in addition to the comment above, with this, we will be able to do the following:

```yaml
signs:
  - cmd: cosign
    certificate: "${artifact}.cert"
    signature: "${artifact}.sig"
    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
```

For more detail: ko-build/ko#498
This is amazing!
Once this is out, I'll write a post on how to use it with goreleaser on GitHub Actions as well
Looks like this just needs docs to be regenerated!
@dlorenc how do I regenerate the docs?
BTW, this is a breaking change, isn't it? As Maybe worth deprecating it first?
Looks like:
Yeah, we probably should deprecate/alias first. I misunderstood and thought this flag only applied for experimental/keyless stuff, but it's used for normal blob signatures too. Great catch @caarlos0! |
Sounds good. Let me apply a new patch in the afternoon (that's in 2 hours in my time :D )
a1bd513 to a073b45
New behavior:
a073b45 to 17ad01c
LGTM, thanks @shibumi amazing work 👌🙋🏻♂️
@dlorenc The generate doc command does not seem to be sufficient... I have generated the docs with it, but the pipeline still fails.
@shibumi I think you should run
This commit breaks with past behavior in favor of two new flags. The `output` flag gets replaced with the new `output-signature` and `output-certificate` flags. Signed-off-by: Christian Rebischke <chris@shibumi.dev>
17ad01c to e0acb0d
@dlorenc IMHO, this PR is ready for merge.
@developer-guy thanks for your hint to goimports. I didn't know that existed :D
I added two new targets to the makefile: fmt and checkfmt. You can use them now 🙋🏻♂️
👀
Summary
With cosign 1.3.0 it is not possible to store the public certificate generated by the OIDC-issuer in a convenient way. To store the public key locally on disk, the user has to intercept the cosign stdout, parse it and store it. This is inconvenient and error-prone. We want to make signing and public key distribution as easy as possible, hence this PR introduces a new `pubkey-output` flag for the `sign-blob` sub-command. The `pubkey-output` flag respects the `b64` flag and writes the certificate/key as a file to a given file path.
Ticket Link
Fixes None
Release Note
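The reason the certificate output matters is the consumer side: a blob signature from keyless signing can only be checked against the public key carried in that certificate. As an added example (not code from this PR or from cosign), the following stands in for both ends, with a self-signed short-lived certificate as a hypothetical substitute for the Fulcio-issued one and the signature kept raw, as `sign-blob --b64=false` would write it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SignBlob stands in for `cosign sign-blob --b64=false --output-signature ... --output-certificate ...`:
// it returns the raw ECDSA signature and the PEM certificate that would land in
// "${artifact}.sig" and "${artifact}.cert". The self-signed, short-lived certificate is a
// hypothetical stand-in for the Fulcio-issued certificate that keyless signing produces.
func SignBlob(blob []byte) (sig, certPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Keyless certificates are short-lived; mirror that with a 10 minute validity window.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(10 * time.Minute)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(blob)
	if sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:]); err != nil {
		return nil, nil, err
	}
	return sig, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// VerifyBlob is the consumer side that the two output files make possible: without the
// certificate file there is no public key to check the signature against.
func VerifyBlob(blob, sig, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("certificate file is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// CheckSignature hashes blob with SHA-256 and verifies the ASN.1 ECDSA signature
	// with the certificate's public key.
	return cert.CheckSignature(x509.ECDSAWithSHA256, blob, sig)
}
```

In real use the certificate's identity (issuer and subject from the OIDC token) must also be checked, which this stand-in cannot show because it carries none.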