cli: silence usage on errors

[asraa]

Signed-off-by: Asra Ali asraa@google.com

Otherwise, when RunE returns an error, we also print the usage, which is, at that point, correct: e.g.

$ go run ./cli/slsa-verifier verify-image ghcr.io/slsa-framework/example-package.e2e.container.workflow_dispatch.main.default.slsa3@sha256:c8d763cff21aaaee7ae925416ba8627dcb05dd38ecf48683249f4ef5f76f0155 --source-uri github.com/slsa-framework/example-package --print-provenance --source-tag v1.2.3
FAILED: SLSA verification failed: no valid attestations found on OCI registry: expected tag 'refs/tags/v1.2.3', got '': tag used to generate the binary does not match provenance
Usage:
  slsa-verifier verify-image [flags]

Flags:
      --build-workflow-input map[]    [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
      --builder-id string             EXPERIMENTAL: the unique builder ID who created the provenance
  -h, --help                          help for verify-image
      --print-provenance              print the verified provenance to stdout
      --provenance-path string        path to a provenance file
      --source-branch string          [optional] expected branch the binary was compiled from
      --source-tag string             [optional] expected tag the binary was compiled from
      --source-uri string             expected source repository that should have produced the binary, e.g. github.com/some/repo
      --source-versioned-tag string   [optional] expected version the binary was compiled from. Uses semantic version to match the tag

no valid attestations found on OCI registry: expected tag 'refs/tags/v1.2.3', got '': tag used to generate the binary does not match provenance
exit status 1

[ianlewis]

Does this also silence usage when there is actually a flag parsing error? or just when there is an error returned by RunE?

[asraa]

Let me see: so if a flag is parsed incorrectly with this change it'll currently print

$ go run ./cli/slsa-verifier/ verify-artifact --provenance testdata/go/v1.2.0/binary-linux-amd64-workflow_dispatch.intoto.jsonl --source-uri github.com/slsa-framework/example-package testdata/go/v1.2.0/binary-linux-amd64-workflow_dispatch
unknown flag: --provenance

The problem is, that it can't distinguish between error types from flag parsing or generally from RunE. You'll see the usage string only with --help.

This seems like others must have run into this issue. Looking into it.

[asraa]

Update: There's no way to distinguish a flag parsing error from a RunE error, unless we handle them separately: spf13/cobra#340

I think the better thing to do is to switch from RunE to Run and use our own custom error handler. Will update today

[ianlewis]

SG, i think this is what I've done in the past for this reason but my memory was fuzzy.