-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
implement a new flag for sign-blob subcommand to save certificate to disk or stdout #1016
implement a new flag for sign-blob subcommand to save certificate to disk or stdout #1016
Conversation
425f781
to
74a15c9
Compare
cmd/cosign/cli/sign/sign_blob.go
Outdated
@@ -76,9 +76,9 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOption | |||
return nil, errors.Wrap(err, "signing blob") | |||
} | |||
|
|||
var rekorBytes []byte |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like this will only pick up the public key when COSIGN_EXPERIMENTAL=1 is enabled. That mostly makes sense to me since otherwise you probably already have the key, but I would caveat in the doc string or somewhere else.
May also be worth adding for the sign subcommand too?
we did the same in #1021 |
cmd/cosign/cli/options/signblob.go
Outdated
@@ -49,4 +50,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) { | |||
|
|||
cmd.Flags().StringVar(&o.Output, "output", "", | |||
"write the signature to FILE") | |||
|
|||
cmd.Flags().StringVar(&o.PubKeyOutput, "pubkey-output", "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about changing this to --output-cert
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should always be a cert for the keyless modes right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, i think that's more clear.
Yes :D just realized this. I like your PR more, but I am not sure if changing |
I think I'm fine with this breaking change. It's pretty minor and important for usability. If we need to we could always alias it for a release in cobra. |
54280e4
to
77706ed
Compare
@@ -22,16 +22,18 @@ import ( | |||
) | |||
|
|||
// SignBlobOptions is the top level wrapper for the sign-blob command. | |||
// The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@asraa is this docstring on the right position? I thought about adding it to the SignBlob
function, but the SignBlob function has a // nolint
on top.. I am not sure if I can have docstrings and nolint at the same time.
77706ed
to
3eaf1e6
Compare
@developer-guy @dlorenc done. Or do you prefer the short form for commands? Right now I chose |
To make it more consistent with the |
Good argument @Dentrax |
@developer-guy do you mean editor permissions to this PR? I have no idea if this is possible in Github. I think you can fork my fork and then create a PR against my fork and I could merge it in my fork :D OR You just drop me a patch file via mail. What do you would like to change in this PR? EDIT: or do you mean collab in the cosign repository? I am not involved with cosign, too :D :D |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice!
With the new release of goreleaser v1.0.0, I think we can merge this PR and plan to release on the upcoming cosign version. 🙏 Should we create |
in addition to the comment above, with this, we will be able to do the following: signs:
- cmd: cosign
certificate: "${artifact}.cert"
signature: "${artifact}.sig"
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"] For more detail: ko-build/ko#498 |
This is amazing! |
Once this is out, I'll write a post on how to use it with goreleaser on github actions as well |
Looks like this just needs docs to be regenerated! |
@dlorenc how do I regenerate the docs? |
BTW, this is a breaking change isnt it? As Maybe worth deprecating it first? |
Looks like:
Yeah, we probably should deprecate/alias first. I misunderstood and thought this flag only applied for experimental/keyless stuff, but it's used for normal blob signatures too. Great catch @caarlos0! |
Sounds, good. Let me apply a new patch in the afternoon (that's in 2 hours in my time :D ) |
a1bd513
to
a073b45
Compare
New behavior:
|
a073b45
to
17ad01c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @shibumi amazing work 👌🙋🏻♂️
@dlorenc The generate doc command does not seem to be sufficient.. I have generated the docs with it, but the pipeline still fails. |
@shibumi I think you should run |
This commit breaks with past behavior in favor of two new flags. The `output` flags gets replaced with the new `output-signature` and `output-certificate` flags. Signed-off-by: Christian Rebischke <[email protected]>
17ad01c
to
e0acb0d
Compare
@dlorenc IMHO, this PR is ready for merge. |
@developer-guy thanks for your hint to goimports. I didn't know that exists :D |
I added two new targets to the makefile: fmt and checkfmt. You can use them now 🙋🏻♂️ |
👀 |
Summary
With cosign 1.3.0 it is not possible to store the public certificate generated by the OIDC-issuer in a convenient way.
To store the public key locally on disk, the user has to intercept the cosign stdout, parse it and store it.
This is inconvenient and error-prone. We want to make signing and public key distribution as easy as possible, hence this PR introduces a new
pubkey-output
flag for thesign-blob
sub-command.The
pubkey-output
flag respects theb64
flag and prints the certificate/key as file in a given file path.Ticket Link
Fixes None
Release Note