Add Cosign keyless mode required args for nerdctl pull and run #2185
Conversation
ningziwen
changed the title
| cmd.Flags().String("cosign-certificate-identity", "", "The identity expected in a valid Fulcio certificate for --verify=cosign. Valid values include email address, DNS names, IP addresses, and URIs. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-identity-regexp", "", "A regular expression alternative to --cosign-certificate-identity for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-oidc-issuer", "", "The OIDC issuer expected in a valid Fulcio certificate for --verify=cosign, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-oidc-issuer-regexp", "", "A regular expression alternative to --certificate-oidc-issuer for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows") |
There was a problem hiding this comment.
Can we support compose too?
See #1508
There was a problem hiding this comment.
I wanted to address in a separated PR because there is no integration test for keyless now. I feel it is heavy-handed for both author and reviewer to manually test too many things in one PR. #2185 (comment)
But I'm also ok to add it, so let me know if you really want them to be in same PR.
There was a problem hiding this comment.
I wanted to address in a separated PR because there is no integration test for keyless now. I feel it is heavy-handed for both author and reviewer to manually test too many things in one PR. #2185 (comment)
But I'm also ok to add it, so let me know if you really want them to be in same PR.
LGTM
| @@ -92,6 +95,24 @@ func VerifyCosign(ctx context.Context, rawRef string, keyRef string, hostsDirs [ | |||
| if keyRef != "" { | |||
| cosignCmd.Args = append(cosignCmd.Args, "--key", keyRef) | |||
| } else { | |||
| if certIdentity == "" && certIdentityRegexp == "" { | |||
There was a problem hiding this comment.
this shouldn't block if certOidcIssuer != "" || certOidcIssuerRegexp != ""
There was a problem hiding this comment.
It is blocked in Cosign. https://github.com/sigstore/cosign/blob/v2.0.1/cmd/cosign/cli/options/certificate.go#L94
There was a problem hiding this comment.
this is contradictory with this statement
There was a problem hiding this comment.
I wanted to say
(Either --cosign-certificate-identity or --cosign-certificate-identity-regexp) and (either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp) must be set for keyless flows.
either... or -> ||
and -> &&
There was a problem hiding this comment.
OK could you please make the sentence simpler may be by splitting it
There was a problem hiding this comment.
Reworded to "For keyless flows to work, you need to set either --cosign-certificate-identity or --cosign-certificate-identity-regexp, and either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp."
| cmd.Flags().String("cosign-certificate-identity", "", "The identity expected in a valid Fulcio certificate for --verify=cosign. Valid values include email address, DNS names, IP addresses, and URIs. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-identity-regexp", "", "A regular expression alternative to --cosign-certificate-identity for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-identity or --cosign-certificate-identity-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-oidc-issuer", "", "The OIDC issuer expected in a valid Fulcio certificate for --verify=cosign, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows") | ||
| cmd.Flags().String("cosign-certificate-oidc-issuer-regexp", "", "A regular expression alternative to --certificate-oidc-issuer for --verify=cosign. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp must be set for keyless flows") |
There was a problem hiding this comment.
Could you update docs/command-reference.md as well?
It would be great if we can update tests in /cmd/nerdctl/container_run_verify_linux_test.go. (Is #2184 testable in CI?)
There was a problem hiding this comment.
Updated the doc.
Keyless requires complicated prompt, which includes the third party authentication in website so it is not testable in CI now.
docs/cosign.md
Outdated
| $ nerdctl pull --verify=cosign devopps/hello-world | ||
| $ nerdctl pull --verify=cosign devopps/hello-world --certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com |
There was a problem hiding this comment.
Flag order should be nerdctl pull [flags] imagename
ningziwen
force-pushed
the
keyless
branch
2 times, most recently
from
d0d107b
to
3c300b7
Compare
docs/cosign.md
Outdated
| @@ -70,9 +70,11 @@ Verify the container image while pulling: | |||
|
|
|||
| > REMINDER: Image won't be pulled if there are no matching signatures in case you passed `--verify` flag. | |||
|
|
|||
| > REMINDER: For keyless flows to work, you need to set either --cosign-certificate-identity or --cosign-certificate-identity-regexp, and either --cosign-certificate-oidc-issuer or --cosign-certificate-oidc-issuer-regexp. The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, and GitHub is https://github.com/login/oauth. | |||
There was a problem hiding this comment.
Can we have the same description as the flag description? e.g. The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth.
Signed-off-by: Ziwen Ning <ningziwe@amazon.com>
#2184
These are some alternatives.
Tested locally.
Compose may also needs to be fixed. Will do in a separated PR to make the PR small.