Deprecate --certificate-email flag. Make --certificate-identity and -…

.github/workflows/kind-verify-attestation.yaml

@@ -17,6 +17,7 @@ name: Test attest / verify-attestation
 on:
   pull_request:
     branches: [ 'main', 'release-*' ]
+  workflow_dispatch:
 
 defaults:
   run:
@@ -118,12 +119,12 @@ jobs:
 
     - name: Verify with cosign
       run: |
-        ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }}
+        ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Verify custom attestation with cosign, works
       run: |
         echo '::group:: test custom verify-attestation success'
-        if ! ./cosign verify-attestation --policy ./test/testdata/policies/cue-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then
+        if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then
           echo Failed to verify attestation with a valid policy
           exit 1
         else
@@ -134,7 +135,7 @@ jobs:
     - name: Verify custom attestation with cosign, fails
       run: |
         echo '::group:: test custom verify-attestation success'
-        if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then
+        if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
           echo custom verify-attestation succeeded with cue policy that should not work
           exit 1
         else
@@ -144,7 +145,7 @@ jobs:
 
     - name: Verify a blob
       run: |
-        ./cosign verify-blob README.md --rekor-url ${{ env.REKOR_URL }} --certificate ./cert.pem --signature sig
+        ./cosign verify-blob README.md --rekor-url ${{ env.REKOR_URL }} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"
 
     - name: Collect diagnostics
       if: ${{ failure() }}
@@ -157,7 +158,7 @@ jobs:
     - name: Verify vuln attestation with cosign, works
       run: |
         echo '::group:: test vuln verify-attestation success'
-        if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then
+        if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
           echo Failed to verify attestation with a valid policy
           exit 1
         else
@@ -168,7 +169,7 @@ jobs:
     - name: Verify vuln attestation with cosign, fails
       run: |
         echo '::group:: test vuln verify-attestation success'
-        if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then
+        if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
           echo verify-attestation succeeded with cue policy that should not work
           exit 1
         else

cmd/cosign/cli/dockerfile.go

@@ -87,11 +87,10 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 			v := &dockerfile.VerifyDockerfileCommand{
 				VerifyCommand: verify.VerifyCommand{
 					RegistryOptions:              o.Registry,
+					CertVerifyOptions:            o.CertVerify,
 					CheckClaims:                  o.CheckClaims,
 					KeyRef:                       o.Key,
 					CertRef:                      o.CertVerify.Cert,
-					CertEmail:                    o.CertVerify.CertEmail,
-					CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 					CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 					CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
 					CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,

cmd/cosign/cli/manifest.go

@@ -82,11 +82,10 @@ against the transparency log.`,
 			v := &manifest.VerifyManifestCommand{
 				VerifyCommand: verify.VerifyCommand{
 					RegistryOptions:              o.Registry,
+					CertVerifyOptions:            o.CertVerify,
 					CheckClaims:                  o.CheckClaims,
 					KeyRef:                       o.Key,
 					CertRef:                      o.CertVerify.Cert,
-					CertEmail:                    o.CertVerify.CertEmail,
-					CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 					CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 					CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
 					CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,

cmd/cosign/cli/options/certificate.go

@@ -15,15 +15,19 @@
 package options
 
 import (
+	"errors"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/spf13/cobra"
 )
 
 // CertVerifyOptions is the wrapper for certificate verification.
 type CertVerifyOptions struct {
 	Cert                         string
-	CertEmail                    string
 	CertIdentity                 string
+	CertIdentityRegexp           string
 	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
 	CertGithubWorkflowName       string
@@ -42,14 +46,17 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.")
 	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})
 
-	cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
-		"the email expected in a valid Fulcio certificate")
-
 	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
-		"the identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs.")
+		"The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.")
+
+	cmd.Flags().StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "",
+		"A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.")
 
 	cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
-		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
+		"The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.")
+
+	cmd.Flags().StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "",
+		"A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.")
 
 	// -- Cert extensions begin --
 	// Source: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
@@ -82,3 +89,13 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 			"inclusion in a certificate transparency log")
 }
+
+func (o *CertVerifyOptions) Identities() ([]cosign.Identity, error) {
+	if o.CertIdentity == "" && o.CertIdentityRegexp == "" {
+		return nil, errors.New("--certificate-identity or --certificate-identity-regexp is required for verification in keyless mode")
+	}
+	if o.CertOidcIssuer == "" && o.CertOidcIssuerRegexp == "" {
+		return nil, errors.New("--certificate-oidc-issuer or --certificate-oidc-issuer-regexp is required for verification in keyless mode")
+	}
+	return []cosign.Identity{{IssuerRegExp: o.CertOidcIssuerRegexp, Issuer: o.CertOidcIssuer, SubjectRegExp: o.CertIdentityRegexp, Subject: o.CertIdentity}}, nil
+}

cmd/cosign/cli/verify.go

@@ -95,12 +95,10 @@ against the transparency log.`,
 
 			v := &verify.VerifyCommand{
 				RegistryOptions:              o.Registry,
+				CertVerifyOptions:            o.CertVerify,
 				CheckClaims:                  o.CheckClaims,
 				KeyRef:                       o.Key,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
-				CertIdentity:                 o.CertVerify.CertIdentity,
-				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 				CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
 				CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,
@@ -191,10 +189,8 @@ against the transparency log.`,
 			v := &verify.VerifyAttestationCommand{
 				RegistryOptions:              o.Registry,
 				CheckClaims:                  o.CheckClaims,
+				CertVerifyOptions:            o.CertVerify,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
-				CertIdentity:                 o.CertVerify.CertIdentity,
-				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 				CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
@@ -287,10 +283,8 @@ The blob may be specified as a path to a file or - for stdin.`,
 			}
 			verifyBlobCmd := &verify.VerifyBlobCmd{
 				KeyOpts:                      ko,
+				CertVerifyOptions:            o.CertVerify,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
-				CertIdentity:                 o.CertVerify.CertIdentity,
-				CertOIDCIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,
 				SigRef:                       o.Signature,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,

cmd/cosign/cli/verify/verify.go

@@ -51,12 +51,10 @@ import (
 // nolint
 type VerifyCommand struct {
 	options.RegistryOptions
+	options.CertVerifyOptions
 	CheckClaims                  bool
 	KeyRef                       string
 	CertRef                      string
-	CertEmail                    string
-	CertIdentity                 string
-	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
 	CertGithubWorkflowName       string
@@ -99,6 +97,14 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		c.HashAlgorithm = crypto.SHA256
 	}
 
+	var identities []cosign.Identity
+	if c.KeyRef == "" {
+		identities, err = c.Identities()
+		if err != nil {
+			return err
+		}
+	}
+
 	ociremoteOpts, err := c.ClientOpts(ctx)
 	if err != nil {
 		return fmt.Errorf("constructing client options: %w", err)
@@ -107,16 +113,14 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	co := &cosign.CheckOpts{
 		Annotations:                  c.Annotations.Annotations,
 		RegistryClientOpts:           ociremoteOpts,
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		IgnoreSCT:                    c.IgnoreSCT,
 		SignatureRef:                 c.SignatureRef,
+		Identities:                   identities,
 		Offline:                      c.Offline,
 		SkipTlogVerify:               c.SkipTlogVerify,
 	}

cmd/cosign/cli/verify/verify_attestation.go

@@ -43,12 +43,10 @@ import (
 // nolint
 type VerifyAttestationCommand struct {
 	options.RegistryOptions
+	options.CertVerifyOptions
 	CheckClaims                  bool
 	KeyRef                       string
 	CertRef                      string
-	CertEmail                    string
-	CertIdentity                 string
-	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
 	CertGithubWorkflowName       string
@@ -81,21 +79,28 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		return &options.KeyParseError{}
 	}
 
+	var identities []cosign.Identity
+	if c.KeyRef == "" {
+		identities, err = c.Identities()
+		if err != nil {
+			return err
+		}
+	}
+
 	ociremoteOpts, err := c.ClientOpts(ctx)
 	if err != nil {
 		return fmt.Errorf("constructing client options: %w", err)
 	}
+
 	co := &cosign.CheckOpts{
 		RegistryClientOpts:           ociremoteOpts,
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		IgnoreSCT:                    c.IgnoreSCT,
+		Identities:                   identities,
 		Offline:                      c.Offline,
 		SkipTlogVerify:               c.SkipTlogVerify,
 	}

cmd/cosign/cli/verify/verify_attestation_test.go

@@ -0,0 +1,54 @@
+// Copyright 2022 the Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package verify
+
+import (
+	"context"
+	"testing"
+
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+)
+
+func TestVerifyAttestationMissingSubject(t *testing.T) {
+	ctx := context.Background()
+
+	verifyAttestation := VerifyAttestationCommand{
+		CertRef: "cert.pem",
+		CertVerifyOptions: options.CertVerifyOptions{
+			CertOidcIssuer: "issuer",
+		},
+	}
+
+	err := verifyAttestation.Exec(ctx, []string{"foo", "bar", "baz"})
+	if err == nil {
+		t.Fatal("verifyAttestation expected 'need --certificate-identity'")
+	}
+}
+
+func TestVerifyAttestationMissingIssuer(t *testing.T) {
+	ctx := context.Background()
+
+	verifyAttestation := VerifyAttestationCommand{
+		CertRef: "cert.pem",
+		CertVerifyOptions: options.CertVerifyOptions{
+			CertIdentity: "subject",
+		},
+	}
+
+	err := verifyAttestation.Exec(ctx, []string{"foo", "bar", "baz"})
+	if err == nil {
+		t.Fatal("verifyAttestation expected 'need --certificate-oidc-issuer'")
+	}
+}

cmd/cosign/cli/verify/verify_blob.go

@@ -53,10 +53,8 @@ func isb64(data []byte) bool {
 // nolint
 type VerifyBlobCmd struct {
 	options.KeyOpts
+	options.CertVerifyOptions
 	CertRef                      string
-	CertEmail                    string
-	CertIdentity                 string
-	CertOIDCIssuer               string
 	CertChain                    string
 	SigRef                       string
 	CertGithubWorkflowTrigger    string
@@ -85,6 +83,15 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		return &options.KeyParseError{}
 	}
 
+	var identities []cosign.Identity
+	var err error
+	if c.KeyRef == "" {
+		identities, err = c.Identities()
+		if err != nil {
+			return err
+		}
+	}
+
 	sig, err := base64signature(c.SigRef, c.BundlePath)
 	if err != nil {
 		return err
@@ -96,15 +103,13 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	}
 
 	co := &cosign.CheckOpts{
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOIDCIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSHA,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		IgnoreSCT:                    c.IgnoreSCT,
+		Identities:                   identities,
 		Offline:                      c.Offline,
 		SkipTlogVerify:               c.SkipTlogVerify,
 	}