-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add 'cosign sign' command-line parameters for mTLS #3052
Conversation
e06f505
to
48cd2e4
Compare
Codecov Report
@@ Coverage Diff @@
## main #3052 +/- ##
==========================================
- Coverage 30.64% 30.55% -0.09%
==========================================
Files 155 155
Lines 9791 9817 +26
==========================================
Hits 3000 3000
- Misses 6341 6367 +26
Partials 450 450
|
615b38a
to
d8c6fbe
Compare
2278f4b
to
6376611
Compare
8e55d74
to
e9ebc25
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me. Do you have any thoughts on how we can add some tests?
c9d7da6
to
1b29097
Compare
thanks for the review and sorry for a delayed reply @haydentherapper. I admit finding the automated testing of this feature somewhat hard because it requires rolling out some "test PKI" and also having (or at least mocking) the TSA server that uses certificates and does validation of the certificates in the clients' requests. So far I have been testing this change manually - by starting the https://github.com/sigstore/cosign/blob/main/internal/pkg/cosign/tsa/client/client.go currently doesn't have unit tests - the value of adding them for this change would probably be small without the "full cycle" test (using either the TSA server or mock). Regarding the functional (end-to-end) tests - it should be possible to modify the return value of https://pkg.go.dev/github.com/sigstore/timestamp-authority/pkg/server#NewRestAPIServer (used for example in https://github.com/sigstore/cosign/blob/main/test/e2e_test.go#L755) to set the I wonder if we could maybe merge the PR based on the manual testing - and create an issue to expand the e2e tests to cover this use case which either I myself or possibly someone else could implement 😄 |
82b6509
to
39528b3
Compare
70aeec8
to
85aa387
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work on the tests, thank you for adding this!
Add command-line parameters for key/cert/cacert used for the connection to the TSA server. Fixes sigstore#3006 Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really appreciate all of your work on this!
@znewman01 Any thoughts, otherwise this is good to merge from my side. |
Summary
Add command-line parameters for key/cert/cacert used for the connection to the TSA server. Initially this is done only for the
cosign sign
command - the other will be added in a follow-up PR.Fixes #3006.
Release Note
** Additional command-line options for
cosign
command for mTLS connection to the TSA serverDocumentation
sigstore/docs#192