
Allow passing keys via environment variables (env:// refs) #1794

Merged: 6 commits into sigstore:main, Apr 24, 2022

Conversation

znewman01 (Contributor)

Depends on sigstore#407.

Summary

Allow passing keys via environment variables (env:// refs)

Ticket Link

Fixes #1776

Release Note

Added support for providing keys via environment variables: use `--key env://MY_VAR`.

@dlorenc (Member)

dlorenc commented Apr 23, 2022

Lgtm when the other one lands

Signed-off-by: Zachary Newman <z@znewman.net>
@znewman01 znewman01 marked this pull request as ready for review April 24, 2022 14:46
@codecov-commenter

codecov-commenter commented Apr 24, 2022

Codecov Report

Merging #1794 (ac109b2) into main (8cac645) will increase coverage by 0.40%.
The diff coverage is 57.89%.

❗ Current head ac109b2 differs from pull request most recent head ad020e8. Consider uploading reports for the commit ad020e8 to get more accurate results

```text
@@            Coverage Diff             @@
##             main    #1794      +/-   ##
==========================================
+ Coverage   32.16%   32.56%   +0.40%     
==========================================
  Files         146      147       +1     
  Lines        9208     9297      +89     
==========================================
+ Hits         2962     3028      +66     
- Misses       5898     5915      +17     
- Partials      348      354       +6     
```

| Impacted Files | Coverage Δ |
|---|---|
| cmd/cosign/cli/sign.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/verify.go | 0.00% <0.00%> (ø) |
| pkg/signature/keys.go | 20.98% <33.33%> (+1.49%) ⬆️ |
| pkg/blob/load.go | 74.28% <76.92%> (ø) |
| pkg/cosign/kubernetes/webhook/validator.go | 75.22% <0.00%> (+0.78%) ⬆️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 8cac645...ad020e8.

Tested manually as well:

```shell
$ export COSIGN_PASSWORD=foo
$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
$ export MYPRIVKEY="$(cat cosign.key)"
$ export MYPUBKEY="$(cat cosign.pub)"
$ cosign verify-blob --key env://MYPUBKEY /dev/null --signature <(cosign sign-blob --key env://MYPRIVKEY /dev/null)
Using payload from: /dev/null
tlog entry created with index: 2095539
tlog entry verified with uuid: dd55086556d7ac0cded8f50961b68f7740e1435fbc5bb47460a8d78321313c7d index: 2095539
Verified OK
```

Signed-off-by: Zachary Newman <z@znewman.net>
@dlorenc (Member)

dlorenc commented Apr 24, 2022

The windows failure looked like a flake cleaning up tempdirs that we've seen before. Rerunning. We might need a skip.

@znewman01 (Contributor, Author)

Windows test failures seem to be caused by: golang/go#51442

I think I'll pull these into a separate test and skip it on Windows for now.

@znewman01 (Contributor, Author)

> The windows failure looked like a flake cleaning up tempdirs that we've seen before. Rerunning. We might need a skip.

Jinx

Signed-off-by: Zachary Newman <z@znewman.net>
@dlorenc dlorenc merged commit 0c4cf2e into sigstore:main Apr 24, 2022
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 24, 2022
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
…e#1794)

* Bump github.com/sigstore/sigstore

Signed-off-by: Zachary Newman <z@znewman.net>

* test: add test for blob.LoadFileOrURL

Signed-off-by: Zachary Newman <z@znewman.net>

* refactor: break up LoadFileOrURL by scheme

Signed-off-by: Zachary Newman <z@znewman.net>

* feat: add "env://" scheme for blob load

Signed-off-by: Zachary Newman <z@znewman.net>

* feat: add "env://" scheme for key lookup

Tested manually as well:

```shell
$ export COSIGN_PASSWORD=foo
$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
$ export MYPRIVKEY="$(cat cosign.key)"
$ export MYPUBKEY="$(cat cosign.pub)"
$ cosign verify-blob --key env://MYPUBKEY /dev/null --signature <(cosign sign-blob --key env://MYPRIVKEY /dev/null)
Using payload from: /dev/null
tlog entry created with index: 2095539
tlog entry verified with uuid: dd55086556d7ac0cded8f50961b68f7740e1435fbc5bb47460a8d78321313c7d index: 2095539
Verified OK
```

Signed-off-by: Zachary Newman <z@znewman.net>

* test: skip test that flakes on Windows

Signed-off-by: Zachary Newman <z@znewman.net>
Successfully merging this pull request may close these issues.

Allow keyed signing without writing to disk
3 participants