Add sbom and attestations to triangulate (sigstore#628)

Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
mtrmac · Sep 6, 2021 · a05fb65 · a05fb65
1 parent ff28387
commit a05fb65
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/cmd/cosign/cli/triangulate.go b/cmd/cosign/cli/triangulate.go
@@ -29,22 +29,23 @@ import (
 func Triangulate() *ffcli.Command {
 	var (
 		flagset = flag.NewFlagSet("cosign triangulate", flag.ExitOnError)
+		t       = flagset.String("type", "signature", "related attachment to triangulate (attestation|sbom|signature), default signature")
 	)
 	return &ffcli.Command{
 		Name:       "triangulate",
 		ShortUsage: "cosign triangulate <image uri>",
-		ShortHelp:  "Outputs the located cosign image reference. This is the location cosign stores signatures.",
+		ShortHelp:  "Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.",
 		FlagSet:    flagset,
 		Exec: func(ctx context.Context, args []string) error {
 			if len(args) != 1 {
 				return flag.ErrHelp
 			}
-			return MungeCmd(ctx, args[0])
+			return MungeCmd(ctx, args[0], *t)
 		},
 	}
 }
 
-func MungeCmd(ctx context.Context, imageRef string) error {
+func MungeCmd(ctx context.Context, imageRef string, attachmentType string) error {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return err
@@ -59,7 +60,17 @@ func MungeCmd(ctx context.Context, imageRef string) error {
 	if err != nil {
 		return err
 	}
-	dstRef := cosign.AttachedImageTag(sigRepo, h, cosign.SignatureTagSuffix)
+	var dstRef name.Tag
+	switch attachmentType {
+	case cosign.Signature:
+		dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.SignatureTagSuffix)
+	case cosign.SBOM:
+		dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.SBOMTagSuffix)
+	case cosign.Attestation:
+		dstRef = cosign.AttachedImageTag(sigRepo, h, cosign.AttestationTagSuffix)
+	default:
+		return fmt.Errorf("unknown attachment type %s", attachmentType)
+	}
 
 	fmt.Println(dstRef.Name())
 	return nil

diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go
@@ -58,6 +58,12 @@ const (
 	AttestationTagSuffix = ".att"
 )
 
+const (
+	Signature   = "signature"
+	SBOM        = "sbom"
+	Attestation = "attestation"
+)
+
 func AttachedImageTag(repo name.Repository, digest v1.Hash, tagSuffix string) name.Tag {
 	// sha256:d34db33f -> sha256-d34db33f.suffix
 	tagStr := strings.ReplaceAll(digest.String(), ":", "-") + tagSuffix