implement a new flag for sign-blob subcommand to save certificate to disk or stdout

cmd/cosign/cli/options/signblob.go

@@ -22,16 +22,19 @@ import (
 )
 
 // SignBlobOptions is the top level wrapper for the sign-blob command.
+// The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled
 type SignBlobOptions struct {
-	Key          string
-	Base64Output bool
-	Output       string // TODO: this should be the root output file arg.
-	SecurityKey  SecurityKeyOptions
-	Fulcio       FulcioOptions
-	Rekor        RekorOptions
-	OIDC         OIDCOptions
-	Registry     RegistryOptions
-	Timeout      time.Duration
+	Key               string
+	Base64Output      bool
+	Output            string // deprecated: TODO remove when the output flag is fully deprecated
+	OutputSignature   string // TODO: this should be the root output file arg.
+	OutputCertificate string // TODO: this should be the root output file arg.
+	SecurityKey       SecurityKeyOptions
+	Fulcio            FulcioOptions
+	Rekor             RekorOptions
+	OIDC              OIDCOptions
+	Registry          RegistryOptions
+	Timeout           time.Duration
 }
 
 var _ Interface = (*SignBlobOptions)(nil)
@@ -50,9 +53,15 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
 		"whether to base64 encode the output")
 
-	cmd.Flags().StringVar(&o.Output, "output", "",
+	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
 
+	// TODO: remove when output flag is fully deprecated
+	cmd.Flags().StringVar(&o.Output, "output", "", "write the signature to FILE")
+
+	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
+		"write the certificate to FILE")
+
 	cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
 		"HTTP Timeout defaults to 30 seconds")
 }

cmd/cosign/cli/sign.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 
 	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
@@ -28,6 +29,7 @@ import (
 
 func Sign() *cobra.Command {
 	o := &options.SignOptions{}
+	viper.RegisterAlias("output", "output-signature")
 
 	cmd := &cobra.Command{
 		Use:   "sign",
@@ -98,7 +100,6 @@ func Sign() *cobra.Command {
 			return nil
 		},
 	}
-
 	o.AddFlags(cmd)
 	return cmd
 }

cmd/cosign/cli/sign/sign_blob.go

@@ -52,9 +52,10 @@ type KeyOpts struct {
 }
 
 // nolint
-func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, output string, timeout time.Duration) ([]byte, error) {
+func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string, timeout time.Duration) ([]byte, error) {
 	var payload []byte
 	var err error
+	var rekorBytes []byte
 
 	if payloadPath == "-" {
 		payload, err = io.ReadAll(os.Stdin)
@@ -79,7 +80,6 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 
 	if options.EnableExperimental() {
 		// TODO: Refactor with sign.go
-		var rekorBytes []byte
 		if sv.Cert != nil {
 			fmt.Fprintf(os.Stderr, "signing with ephemeral certificate:\n%s\n", string(sv.Cert))
 			rekorBytes = sv.Cert
@@ -101,8 +101,8 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
 	}
 
-	if output != "" {
-		f, err := os.Create(output)
+	if outputSignature != "" {
+		f, err := os.Create(outputSignature)
 		if err != nil {
 			return nil, err
 		}
@@ -131,5 +131,25 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
 		}
 	}
 
+	if outputCertificate != "" {
+		f, err := os.Create(outputCertificate)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+
+		if b64 {
+			_, err = f.Write([]byte(base64.StdEncoding.EncodeToString(rekorBytes)))
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			_, err = f.Write(rekorBytes)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	return sig, nil
 }

cmd/cosign/cli/signblob.go

@@ -16,12 +16,14 @@
 package cli
 
 import (
-	"github.com/pkg/errors"
-	"github.com/spf13/cobra"
+	"fmt"
+	"os"
 
+	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	"github.com/spf13/cobra"
 )
 
 func SignBlob() *cobra.Command {
@@ -74,7 +76,12 @@ func SignBlob() *cobra.Command {
 				OIDCClientSecret:         o.OIDC.ClientSecret,
 			}
 			for _, blob := range args {
-				if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.Output, o.Timeout); err != nil {
+				// TODO: remove when the output flag has been deprecated
+				if o.Output != "" {
+					fmt.Fprintln(os.Stderr, "WARNING: the '--output' flag is deprecated and will be removed in the future. Use '--output-signature'")
+					o.OutputSignature = o.Output
+				}
+				if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.Timeout); err != nil {
 					return errors.Wrapf(err, "signing %s", blob)
 				}
 			}

go.mod

@@ -49,6 +49,7 @@ require (
 	github.com/miekg/pkcs11 v1.0.3
 	github.com/onsi/gomega v1.16.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/spf13/viper v1.8.1
 	github.com/urfave/cli v1.22.5 // indirect
 	go.opentelemetry.io/contrib v1.1.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.10.0 // indirect

test/e2e_test.go

@@ -409,7 +409,7 @@ func TestSignBlob(t *testing.T) {
 		KeyRef:   privKeyPath1,
 		PassFunc: passFunc,
 	}
-	sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", time.Duration(30*time.Second))
+	sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", "", time.Duration(30*time.Second))
 	if err != nil {
 		t.Fatal(err)
 	}

test/piv_test.go

@@ -12,9 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// +build resetyubikey
-// +build e2e
-// +build !pivkeydisabled
+//go:build resetyubikey && e2e && !pivkeydisabled
+// +build resetyubikey,e2e,!pivkeydisabled
 
 // DANGER
 // This test requires a yubikey to be present. It WILL reset the yubikey to exercise functionality.