From f7f7f3dcf7faf561756f1f79d89c0359e17d71c8 Mon Sep 17 00:00:00 2001
From: asraa
Date: Tue, 6 Dec 2022 15:04:33 -0600
Subject: [PATCH] sign: remove reg opts from sign blob (#2512)
Signed-off-by: Asra Ali
---
 cmd/cosign/cli/options/signblob.go | 1 -
 cmd/cosign/cli/sign/sign_blob.go | 2 +-
 cmd/cosign/cli/signblob.go | 2 +-
 doc/cosign_sign-blob.md | 50 ++++++++++++++----------------
 test/e2e_test.go | 10 +++---
 5 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
index 20a8d1a80b1..fef23b4d9b2 100644
--- a/cmd/cosign/cli/options/signblob.go
+++ b/cmd/cosign/cli/options/signblob.go
@@ -47,7 +47,6 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 o.Fulcio.AddFlags(cmd)
 o.Rekor.AddFlags(cmd)
 o.OIDC.AddFlags(cmd)
- o.Registry.AddFlags(cmd)
 cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret")
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index d8b294b76b1..ebe80351334 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -37,7 +37,7 @@ import (
 )
 // nolint
-func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) {
+func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) {
 var payload internal.HashReader
 var err error
 var rekorBytes []byte
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index 0ab5d0e3189..e4ee87105a3 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
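Review bot: Removing the `o.Registry.AddFlags(cmd)` call leaves the `Registry` field of `SignBlobOptions` — declared outside this hunk, and apparently untouched since the diffstat shows a single deletion in this file — as an unbound zero value, so any remaining reader of `o.Registry` would silently get default registry options instead of a compile error. Dropping the field from the struct in the same change makes the removal complete and lets the compiler surface any leftover consumer. The one consumer visible in this patch is the `sign.SignBlobCmd(ro, ko, o.Registry, …)` call in cmd/cosign/cli/signblob.go, which the commit already updates. The rest of `AddFlags` lies outside the hunk.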
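Review bot: The exported `SignBlobCmd` still has no doc comment, and the bare `// nolint` above it suppresses every linter rather than the one that was complaining; since the signature is being rewritten here, this is the moment to fix both. A comment along the lines of `// SignBlobCmd signs the blob at payloadPath using the key material in ko and returns the signature bytes; tlogUpload, outputSignature and outputCertificate control the side effects.` would let callers stop guessing at the seven positional parameters, and the directive should be scoped as `//nolint:<linter>` — which linter applies is not visible in the hunk, so confirm against the project's lint config. The three `string` parameters (`payloadPath`, `outputSignature`, `outputCertificate`) are also easy to transpose at call sites, as the e2e tests passing `bp, true, "", "", false` show; a small options struct would make those calls self-describing. The function body continues past the hunk.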
@@ -92,7 +92,7 @@ func SignBlob() *cobra.Command {
 o.OutputSignature = o.Output
 }
- if _, err := sign.SignBlobCmd(ro, ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil {
+ if _, err := sign.SignBlobCmd(ro, ko, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil {
 return fmt.Errorf("signing %s: %w", blob, err)
 }
 }
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 7a13a495500..d1c640088d0 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -33,33 +33,29 @@ cosign sign-blob [flags]
 ### Options
 ```
- --allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
- --allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
- --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --b64 whether to base64 encode the output (default true)
- --bundle string write everything required to verify the blob to a FILE
- --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
- -h, --help help for sign-blob
- --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio
- --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
- --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
- --key string path to the private key file, KMS URI or Kubernetes Secret
- --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
- --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
- --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
- --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
- --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
- --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
- --output string write the signature to FILE
- --output-certificate string write the certificate to FILE
- --output-signature string write the signature to FILE
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
- --rfc3161-timestamp-bundle string write everything required to verify the blob to a FILE
- --sk whether to use a hardware security key
- --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
- --timestamp-server-url string url to the Timestamp RFC3161 server, default none
- --tlog-upload whether or not to upload to the tlog
- -y, --yes skip confirmation prompts for non-destructive operations
+ --b64 whether to base64 encode the output (default true)
+ --bundle string write everything required to verify the blob to a FILE
+ --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
+ -h, --help help for sign-blob
+ --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio
+ --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
+ --key string path to the private key file, KMS URI or Kubernetes Secret
+ --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
+ --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
+ --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
+ --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
+ --output string write the signature to FILE
+ --output-certificate string write the certificate to FILE
+ --output-signature string write the signature to FILE
+ --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rfc3161-timestamp-bundle string write everything required to verify the blob to a FILE
+ --sk whether to use a hardware security key
+ --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
+ --timestamp-server-url string url to the Timestamp RFC3161 server, default none
+ --tlog-upload whether or not to upload to the tlog
+ -y, --yes skip confirmation prompts for non-destructive operations
 ```
 ### Options inherited from parent commands
diff --git a/test/e2e_test.go b/test/e2e_test.go
index e36b9a4d0db..96f8283678b 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -914,7 +914,7 @@ func TestSignBlob(t *testing.T) {
 KeyRef: privKeyPath1,
 PassFunc: passFunc,
 }
- sig, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false)
+ sig, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false)
 if err != nil {
 t.Fatal(err)
 }
@@ -959,7 +959,7 @@ func TestSignBlobBundle(t *testing.T) {
 BundlePath: bundlePath,
 RekorURL: rekorURL,
 }
- if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
+ if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil {
 t.Fatal(err)
 }
 // Now verify should work
@@ -967,7 +967,7 @@ func TestSignBlobBundle(t *testing.T) {
 // Now we turn on the tlog and sign again
 defer setenv(t, env.VariableExperimental.String(), "1")()
- if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
+ if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil {
 t.Fatal(err)
 }
@@ -1039,7 +1039,7 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) {
 RFC3161TimestampPath: bundlePath,
 TSAServerURL: server.URL,
 }
- if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
+ if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil {
 t.Fatal(err)
 }
 // Now verify should work
@@ -1047,7 +1047,7 @@ func TestSignBlobRFC3161TimestampBundle(t *testing.T) {
 // Now we turn on the tlog and sign again
 defer setenv(t, env.VariableExperimental.String(), "1")()
- if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
+ if _, err := sign.SignBlobCmd(ro, ko, bp, true, "", "", false); err != nil {
 t.Fatal(err)
 }