Deprecate --certificate-email flag. Make --certificate-identity and -…

[kpk47]

…-certificate-oidc-issuer required for verification.

--certificate-email is now an alias for --certificate-identity

Signed-off-by: kpk47 kkris@google.com

Summary

Closes #2056

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2411 (820bf93) into main (77206c4) will decrease coverage by 0.62%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main    #2411      +/-   ##
==========================================
- Coverage   30.04%   29.41%   -0.63%     
==========================================
  Files         140      140              
  Lines        8671     8654      -17     
==========================================
- Hits         2605     2546      -59     
- Misses       5687     5745      +58     
+ Partials      379      363      -16     

Impacted Files	Coverage Δ
cmd/cosign/cli/dockerfile.go	0.00% <0.00%> (ø)
cmd/cosign/cli/manifest.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/certificate.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go	22.49% <85.71%> (+3.72%)	⬆️
cmd/cosign/cli/verify/verify_attestation.go	3.43% <85.71%> (+3.43%)	⬆️
cmd/cosign/cli/verify/verify_blob.go	49.59% <100.00%> (+1.04%)	⬆️
pkg/cosign/verify.go	38.56% <100.00%> (-2.31%)	⬇️
pkg/oci/layout/signatures.go	0.00% <0.00%> (-53.85%)	⬇️
pkg/oci/layout/write.go	0.00% <0.00%> (-37.50%)	⬇️
... and 4 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[znewman01]

Overall LGTM. Needs a rebase before we can merge.

I'd be interested in putting this validation all in the same place. Maybe factor out some of these arguments into a new options.VerifyOpts and have a function to parse them into cosign/verify.CheckOpts. But I'm okay doing that later.

[znewman01]

adding approving review so tests run

[znewman01]

approving for tests

[znewman01]

test failure looks related!

[haydentherapper]

Just need to rerun make docgen, this looks great!

[haydentherapper]

@kpk47 Can you update test/testdata/test_blob_cert.pem with the following:

-----BEGIN CERTIFICATE-----
MIIBdDCCARqgAwIBAgIUZw7gQ6T/IgmiMD1AWB2OTIIVH1owCgYIKoZIzj0EAwIw
ADAeFw0yMjEyMjEwMDIwNThaFw0zMjEyMTgwMDIwNThaMAAwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAAR1Q4hB1jtagrdsVxygtDa/rli00U7n/1I/NSw8yoMRQ+MO
AjRhg3gtcV0tha34L6150qJirQHbfocsao8X6wFmo3IwcDAdBgNVHQ4EFgQUx3Wb
0LwCWoGsl0FUpeQb3M4MukkwHwYDVR0jBBgwFoAUx3Wb0LwCWoGsl0FUpeQb3M4M
ukkwEgYDVR0TAQH/BAgwBgEB/wIBATAaBgNVHREEEzARgQ9mb29AZXhhbXBsZS5j
b20wCgYIKoZIzj0EAwIDSAAwRQIhALXG7XS5TIFLp+jLSxjuRk1Tj5MfE+y9x92Z
YPMbi9GZAiAmfEe0+q5l3PnI6zliOG5kG6EcS80QQgQmPcFvRZWOvw==
-----END CERTIFICATE-----

And update https://github.com/sigstore/cosign/blob/main/test/testdata/README.md, the openssl command, to be :

openssl req -key test/testdata/test_blob_private_key -x509 -days 3650 -out cert.pem -new -nodes -subj "/" -addext "subjectAltName = email:foo@example.com"

You can remove all the output below the command too, -subj "/" handles that so you aren't prompted.

You may need to update tests to check for this example SAN. Feel free to rerun the command too if you have a preferred email value.

[haydentherapper]

LGTM, thanks so much for working on this!

[haydentherapper]

@znewman01 once tests finish, do you want to merge?

[znewman01]

E2e tests are failing, once we get those fixed I can merge (will take a quick skim today too)

[haydentherapper]

test failure is unrelated

[dmitris]

@kpk47 do you know if the docs on https://docs.sigstore.dev/cosign/keyless/ were updated for this change or not?

[haydentherapper]

Docs are being actively updated for cosign 2.0. Keyless will likely be removed as it’s not duplicated with the verify doc, which has been updated.