Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: error message for verify-attestation command avoid to print help message #877

Closed
wants to merge 1 commit into from
Closed

fix: error message for verify-attestation command avoid to print help message #877

wants to merge 1 commit into from

Conversation

developer-guy
Copy link
Member

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com
Co-authored-by: Erkan Zileli erkan.zileli@trendyol.com
Co-authored-by: Ahmet Avcı ahmet.avci@trendyol.com
Co-authored-by: Yasin Taha Erol yasintaha.erol@trendyol.com
Co-authored-by: Emin Aktaş emin.aktas@trendyol.com

Summary

This error causes to print help message of the command to stdout, so we fixed the error message by returning nil.

Before 
There are 1 number of errors occurred during the validation:
- rego validation failed
Error: 1 validation errors occurred
Usage:
  cosign verify-attestation [flags]

Examples:
  cosign verify-attestation --key <key path>|<key url>|<kms uri> <image uri> [<image uri> ...]

  # verify cosign attestations on the image
  cosign verify-attestation <IMAGE>

  # verify multiple images
  cosign verify-attestation <IMAGE_1> <IMAGE_2> ...

  # additionally verify specified annotations
  cosign verify-attestation -a key1=val1 -a key2=val2 <IMAGE>

  # (experimental) additionally, verify with the transparency log
  COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>

  # verify image with public key
  cosign verify-attestation --key cosign.pub <IMAGE>

  # verify image with public key provided by URL
  cosign verify-attestation --key https://host.for/<FILE> <IMAGE>

  # verify image with public key stored in Google Cloud KMS
  cosign verify-attestation --key gcpkms://projects/<PROJECT>/locations/global/keyRings/<KEYRING>/cryptoKeys/<KEY> <IMAGE>

  # verify image with public key stored in Hashicorp Vault
  cosign verify-attestation --key hashivault:///<KEY> <IMAGE>

Flags:
      --allow-insecure-registry                                                                  whether to allow insecure connections to registries. Don't use this for anything but testing
      --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]   optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
      --check-claims                                                                             whether to check the claims found (default true)
      --fulcio-url string                                                                        [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
  -h, --help                                                                                     help for verify-attestation
      --identity-token string                                                                    [EXPERIMENTAL] identity token to use for certificate from fulcio
      --key string                                                                               path to the private key file, KMS URI or Kubernetes Secret
  -o, --output string                                                                            output format for the signing image information (json|text) (default "json")
      --policy strings                                                                           specify CUE or Rego files will be using for validation
      --rekor-url string                                                                         [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
      --sk                                                                                       whether to use a hardware security key
      --slot string                                                                              security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
      --type string                                                                              specify a predicate type (slsaprovenance|link|spdx|custom) or an URI (default "custom")

Global Flags:
      --output-file string   log output to a file
  -d, --verbose              log debug output

main.go:48: error during command execution: 1 validation errors occurred
After 
[policy.rego]
will be validating against Rego policies: [policy.rego]
There are 1 number of errors occurred during the validation:
- rego validation failed

Ticket Link

Fixes

Release Note

fix: error message for verify-attestation command avoid to print help message

@developer-guy @Dentrax
@erkanzileli @ahmetavc
fix: error message for verify-attestation command avoid to print help…
ff8985a 
… message

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Ahmet Avcı <ahmet.avci@trendyol.com>
Co-authored-by: Yasin Taha Erol <yasintaha.erol@trendyol.com>
Co-authored-by: Emin Aktaş <emin.aktas@trendyol.com>
dlorenc
dlorenc approved these changes Oct 11, 2021
View reviewed changes
Copy link
Member

@dlorenc dlorenc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@dlorenc
Copy link
Member

dlorenc commented Oct 11, 2021

Whoops - before merging, do we need the error to make sure we exit with 1?

@dlorenc
Copy link
Member

dlorenc commented Oct 11, 2021

We might want to do something like this instead: spf13/cobra#340

@dlorenc
Copy link
Member

dlorenc commented Oct 11, 2021

Yep, over here: #874

n3wscott
n3wscott reviewed Oct 11, 2021
View reviewed changes
cmd/cosign/cli/verify/verify_attestation.go
@@ -242,7 +242,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
for _, v := range validationErrors {
_, _ = fmt.Fprintf(os.Stderr, "- %v\n", v)
}
return fmt.Errorf("%d validation errors occurred", len(validationErrors))
return nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to os.exit(1) to signal the command was not successful?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think we can actually drop this change entirely and handle suppressing usage correctly in #874

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#878

@n3wscott
Copy link
Contributor

I opened #878 instead of this change.

@dlorenc
Copy link
Member

dlorenc commented Oct 11, 2021

I think this one can get closed now, reopen if I'm missing anything!

@dlorenc dlorenc closed this Oct 11, 2021
@developer-guy
Copy link
Member Author

thank you so much @dlorenc, looks ok 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

@n3wscott n3wscott n3wscott left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@developer-guy @dlorenc @n3wscott