Skip to content

Commit

Permalink
feat: add output cert for keyless
Browse files Browse the repository at this point in the history
Signed-off-by: Batuhan Apaydın <[email protected]>
Co-authored-by: Furkan Türkal <[email protected]>
  • Loading branch information
developer-guy and Dentrax committed Nov 10, 2021
1 parent 88313ee commit 77ffdfb
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 28 deletions.
24 changes: 14 additions & 10 deletions cmd/cosign/cli/options/signblob.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,16 @@ import (

// SignBlobOptions is the top level wrapper for the sign-blob command.
type SignBlobOptions struct {
Key string
Base64Output bool
Output string // TODO: this should be the root output file arg.
SecurityKey SecurityKeyOptions
Fulcio FulcioOptions
Rekor RekorOptions
OIDC OIDCOptions
Registry RegistryOptions
Timeout time.Duration
Key string
Base64Output bool
OutputSignature string // TODO: this should be the root output file arg.
OutputCert string // TODO: this should be the root output file arg.
SecurityKey SecurityKeyOptions
Fulcio FulcioOptions
Rekor RekorOptions
OIDC OIDCOptions
Registry RegistryOptions
Timeout time.Duration
}

var _ Interface = (*SignBlobOptions)(nil)
Expand All @@ -50,9 +51,12 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
"whether to base64 encode the output")

cmd.Flags().StringVar(&o.Output, "output", "",
cmd.Flags().StringVar(&o.OutputSignature, "output-sig", "",
"write the signature to FILE")

cmd.Flags().StringVar(&o.OutputCert, "output-cert", "",
"write the certificate to FILE")

cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
"HTTP Timeout defaults to 30 seconds")
}
40 changes: 26 additions & 14 deletions cmd/cosign/cli/sign/sign_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ type KeyOpts struct {
}

// nolint
func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, output string, timeout time.Duration) ([]byte, error) {
func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSig string, outputCert string, timeout time.Duration) ([]byte, error) {
var payload []byte
var err error

Expand Down Expand Up @@ -99,37 +99,49 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption
return nil, err
}
fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)

fmt.Fprintln(os.Stderr, "writing certificate to disk:", outputCert)
err = writeToDiskOrStdout(outputCert, b64, rekorBytes)
if err != nil {
return nil, err
}
}

err = writeToDiskOrStdout(outputSig, b64, sig)
if err != nil {
return nil, err
}

return sig, nil
}

func writeToDiskOrStdout(output string, b64 bool, content []byte) error {
if output != "" {
f, err := os.Create(output)
if err != nil {
return nil, err
return err
}
defer f.Close()

if b64 {
_, err = f.Write([]byte(base64.StdEncoding.EncodeToString(sig)))
_, err = f.Write([]byte(base64.StdEncoding.EncodeToString(content)))
if err != nil {
return nil, err
return err
}
} else {
_, err = f.Write(sig)
_, err = f.Write(content)
if err != nil {
return nil, err
return err
}
}

fmt.Printf("Signature wrote in the file %s\n", f.Name())
} else {
if b64 {
sig = []byte(base64.StdEncoding.EncodeToString(sig))
fmt.Println(string(sig))
} else if _, err := os.Stdout.Write(sig); err != nil {
content = []byte(base64.StdEncoding.EncodeToString(content))
fmt.Println(string(content))
} else if _, err := os.Stdout.Write(content); err != nil {
// No newline if using the raw signature
return nil, err
return err
}
}

return sig, nil
return nil
}
2 changes: 1 addition & 1 deletion cmd/cosign/cli/signblob.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ func SignBlob() *cobra.Command {
OIDCClientSecret: o.OIDC.ClientSecret,
}
for _, blob := range args {
if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.Output, o.Timeout); err != nil {
if _, err := sign.SignBlobCmd(cmd.Context(), ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCert, o.Timeout); err != nil {
return errors.Wrapf(err, "signing %s", blob)
}
}
Expand Down
3 changes: 2 additions & 1 deletion doc/cosign_sign-blob.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion pkg/version/version.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ import (
// This is the fallback data used when version information from git is not
// provided via go ldflags (e.g. via Makefile).
var (
// Output of "git describe". The prerequisite is that the branch should be
// OutputSignature of "git describe". The prerequisite is that the branch should be
// tagged using the correct versioning strategy.
GitVersion = "devel"
// SHA1 from git, output of $(git rev-parse HEAD)
Expand Down
2 changes: 1 addition & 1 deletion test/e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -409,7 +409,7 @@ func TestSignBlob(t *testing.T) {
KeyRef: privKeyPath1,
PassFunc: passFunc,
}
sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", time.Duration(30*time.Second))
sig, err := sign.SignBlobCmd(ctx, ko, options.RegistryOptions{}, bp, true, "", "", time.Duration(30*time.Second))
if err != nil {
t.Fatal(err)
}
Expand Down

0 comments on commit 77ffdfb

Please sign in to comment.