diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index aabb1c54b4c..ffc30866681 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -22,7 +22,6 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/attest"
 "github.com/sigstore/cosign/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 )
 func Attest() *cobra.Command {
@@ -63,7 +62,7 @@ func Attest() *cobra.Command {
 if err != nil {
 return err
 }
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: o.Key,
 PassFunc: generate.GetPass,
 Sk: o.SecurityKey.Use,
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index bef095b5ba1..473064b376f 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -74,7 +74,7 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
 }
 //nolint
-func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
+func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
 noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
 // A key file or token is required unless we're in experimental mode!
 if options.EnableExperimental() {
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index d7eedabafb8..eed76b39496 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -30,8 +30,9 @@ import (
 "golang.org/x/term"
 "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots"
- clioptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
+ "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/pkg/cosign"
+ "github.com/sigstore/cosign/pkg/providers"
 "github.com/sigstore/fulcio/pkg/api"
 "github.com/sigstore/sigstore/pkg/oauthflow"
 "github.com/sigstore/sigstore/pkg/signature"
@@ -110,7 +111,21 @@ type Signer struct {
 *signature.ECDSASignerVerifier
 }
-func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*Signer, error) {
+func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
+ fClient, err := NewClient(ko.FulcioURL)
+ if err != nil {
+ return nil, errors.Wrap(err, "creating Fulcio client")
+ }
+
+ idToken := ko.IDToken
+ // If token is not set in the options, get one from the provders
+ if idToken == "" && providers.Enabled(ctx) {
+ idToken, err = providers.Provide(ctx, "sigstore")
+ if err != nil {
+ return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
+ }
+ }
+
 priv, err := cosign.GeneratePrivateKey()
 if err != nil {
 return nil, errors.Wrap(err, "generating cert")
@@ -131,7 +146,7 @@ func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClien
 default:
 flow = FlowNormal
 }
- Resp, err := GetCert(ctx, priv, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient) // TODO, use the chain.
+ Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain.
 if err != nil {
 return nil, errors.Wrap(err, "retrieving cert")
 }
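Review bot: The ambient-credential lookup now lives in `NewSigner` and imports `github.com/sigstore/cosign/pkg/providers`, while the only import of `providers/all` visible in this diff is the one removed from sign/sign.go in the keylessSigner hunk; if `providers/all` is what registers the concrete providers (I cannot see that from here) and no other package still imports it, `providers.Enabled(ctx)` will report false and `GetCert` is reached with an empty idToken, so ambient credentials stop being used without any error. A test that calls `NewSigner` with `IDToken == ""` and a registered provider would pin this. The carried-over comment still has the typo: `// If token is not set in the options, get one from the providers`. Exported `NewSigner` has no doc comment; since keylessSigner routes here only when `ko.InsecureSkipFulcioVerify` is set and to fulcioverifier.NewSigner otherwise, suggest `// NewSigner generates a fresh private key and obtains a Fulcio certificate for it, taking the OIDC token from ko.IDToken or, when empty, from an enabled ambient provider; it does not verify the SCT (see fulcioverifier.NewSigner).` NewSigner's body continues past the end of this hunk.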
@@ -166,6 +181,6 @@ func NewClient(fulcioURL string) (api.Client, error) {
 if err != nil {
 return nil, err
 }
- fClient := api.NewClient(fulcioServer, api.WithUserAgent(clioptions.UserAgent()))
+ fClient := api.NewClient(fulcioServer, api.WithUserAgent(options.UserAgent()))
 return fClient, nil
 }
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
index 3687f5db01f..c2905ec12a9 100644
--- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
@@ -24,11 +24,11 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
- "github.com/sigstore/fulcio/pkg/api"
+ "github.com/sigstore/cosign/cmd/cosign/cli/options"
 )
-func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*fulcio.Signer, error) {
- fs, err := fulcio.NewSigner(ctx, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient)
+func NewSigner(ctx context.Context, ko options.KeyOpts) (*fulcio.Signer, error) {
+ fs, err := fulcio.NewSigner(ctx, ko)
 if err != nil {
 return nil, err
 }
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
new file mode 100644
index 00000000000..db36e9235b7
--- /dev/null
+++ b/cmd/cosign/cli/options/key.go
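Review bot: Exported `NewSigner` in fulcioverifier has no doc comment, and after this change its signature is identical to `fulcio.NewSigner`, with keylessSigner choosing between the two on `ko.InsecureSkipFulcioVerify` alone, so the comment is the only place a reader learns which of the two verifies. Suggest `// NewSigner calls fulcio.NewSigner and then verifies the returned certificate's SCT; keylessSigner uses it unless KeyOpts.InsecureSkipFulcioVerify is set.` The verification step itself is past the end of this hunk, so check the wording against it.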
@@ -0,0 +1,37 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+import "github.com/sigstore/cosign/pkg/cosign"
+
+type KeyOpts struct {
+ Sk bool
+ Slot string
+ KeyRef string
+ FulcioURL string
+ RekorURL string
+ IDToken string
+ PassFunc cosign.PassFunc
+ OIDCIssuer string
+ OIDCClientID string
+ OIDCClientSecret string
+ OIDCRedirectURL string
+ BundlePath string
+
+ // Modeled after InsecureSkipVerify in tls.Config, this disables
+ // verifying the SCT.
+ InsecureSkipFulcioVerify bool
+}
diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
index 9e9c0f0bae0..89e100c36d0 100644
--- a/cmd/cosign/cli/policy_init.go
+++ b/cmd/cosign/cli/policy_init.go
@@ -179,7 +179,7 @@ func signPolicy() *cobra.Command {
 if err != nil {
 return err
 }
- sv, err := sign.SignerFromKeyOpts(ctx, "", "", sign.KeyOpts{
+ sv, err := sign.SignerFromKeyOpts(ctx, "", "", options.KeyOpts{
 FulcioURL: o.Fulcio.URL,
 IDToken: o.Fulcio.IdentityToken,
 InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
index 6e3076f566d..3acdc1b2b61 100644
--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -79,7 +79,7 @@ func Sign() *cobra.Command {
 if err != nil {
 return err
 }
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: o.Key,
 PassFunc: generate.GetPass,
 Sk: o.SecurityKey.Use,
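Review bot: Exported `KeyOpts` has no doc comment, and only `InsecureSkipFulcioVerify` is documented, although the struct now carries credentials through every signing and verification entry point: `IDToken` (an OIDC credential per the fulcio.go hunk), `OIDCClientSecret`, and `PassFunc`, which presumably yields a key passphrase. Suggest `// KeyOpts selects the signing key (KeyRef, Sk/Slot, PassFunc) and the Fulcio, Rekor and OIDC settings used for keyless signing and for verifying blobs and bundles; IDToken and OIDCClientSecret are secrets and must not be logged or printed with %+v.` A short comment on `BundlePath` and `RekorURL` would also help, since verify_blob.go's verifyRekorEntry branches on `ko.BundlePath != ""`.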
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 44da104baf8..adff00bad11 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -47,7 +47,6 @@ import (
 "github.com/sigstore/cosign/pkg/oci/mutate"
 ociremote "github.com/sigstore/cosign/pkg/oci/remote"
 "github.com/sigstore/cosign/pkg/oci/walk"
- providers "github.com/sigstore/cosign/pkg/providers/all"
 sigs "github.com/sigstore/cosign/pkg/signature"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
@@ -93,7 +92,7 @@ func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremot
 }
 // nolint
-func SignCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{},
+func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{},
 imgs []string, certPath string, certChainPath string, upload bool, outputSignature, outputCertificate string, payloadPath string, force bool, recursive bool, attachment string) error {
 if options.EnableExperimental() {
@@ -183,7 +182,7 @@ func SignCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOption
 return nil
 }
-func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyOpts,
+func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts,
 regOpts options.RegistryOptions, annotations map[string]interface{}, upload bool, outputSignature, outputCertificate string, force bool, recursive bool, dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error {
 var err error
@@ -436,29 +435,18 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 return certSigner, nil
 }
-func keylessSigner(ctx context.Context, ko KeyOpts) (*SignerVerifier, error) {
- fClient, err := fulcio.NewClient(ko.FulcioURL)
- if err != nil {
- return nil, errors.Wrap(err, "creating Fulcio client")
- }
-
- tok := ko.IDToken
- // If token is not set in the options, get one from the provders
- if tok == "" && providers.Enabled(ctx) {
- tok, err = providers.Provide(ctx, "sigstore")
- if err != nil {
- return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
- }
- }
-
- var k *fulcio.Signer
+func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, error) {
+ var (
+ k *fulcio.Signer
+ err error
+ )
 if ko.InsecureSkipFulcioVerify {
- if k, err = fulcio.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil {
+ if k, err = fulcio.NewSigner(ctx, ko); err != nil {
 return nil, errors.Wrap(err, "getting key from Fulcio")
 }
 } else {
- if k, err = fulcioverifier.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil {
+ if k, err = fulcioverifier.NewSigner(ctx, ko); err != nil {
 return nil, errors.Wrap(err, "getting key from Fulcio")
 }
 }
@@ -470,7 +458,7 @@ func keylessSigner(ctx context.Context, ko KeyOpts) (*SignerVerifier, error) {
 }, nil
 }
-func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko KeyOpts) (*SignerVerifier, error) {
+func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) {
 if ko.Sk {
 return signerFromSecurityKey(ko.Slot)
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index d21799ff9f3..401922b21d1 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -34,27 +34,8 @@ import (
 signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
-type KeyOpts struct {
- Sk bool
- Slot string
- KeyRef string
- FulcioURL string
- RekorURL string
- IDToken string
- PassFunc cosign.PassFunc
- OIDCIssuer string
- OIDCClientID string
- OIDCClientSecret string
- OIDCRedirectURL string
- BundlePath string
-
- // Modeled after InsecureSkipVerify in tls.Config, this disables
- // verifying the SCT.
- InsecureSkipFulcioVerify bool
-}
-
 // nolint
-func SignBlobCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) {
+func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) {
 var payload []byte
 var err error
 var rekorBytes []byte
diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go
index bb7255fd361..bc0eabcf8a8 100644
--- a/cmd/cosign/cli/sign/sign_test.go
+++ b/cmd/cosign/cli/sign/sign_test.go
@@ -110,7 +110,7 @@ func generateCertificateFiles(t *testing.T, tmpDir string, pf cosign.PassFunc) (
 func TestSignCmdLocalKeyAndSk(t *testing.T) {
 ro := &options.RootOptions{Timeout: options.DefaultTimeout}
- for _, ko := range []KeyOpts{
+ for _, ko := range []options.KeyOpts{
 // local and sk keys
 {
 KeyRef: "testLocalPath",
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index fcb894c8369..e5e14b2cf08 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -68,7 +68,7 @@ func SignBlob() *cobra.Command {
 if err != nil {
 return err
 }
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: o.Key,
 PassFunc: generate.GetPass,
 Sk: o.SecurityKey.Use,
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
index 5471da9a1b0..e48b4175e6c 100644
--- a/cmd/cosign/cli/verify.go
+++ b/cmd/cosign/cli/verify.go
@@ -20,7 +20,6 @@ import (
 "github.com/spf13/cobra"
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 "github.com/sigstore/cosign/cmd/cosign/cli/verify"
 )
@@ -246,7 +245,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 Args: cobra.ExactArgs(1),
 RunE: func(cmd *cobra.Command, args []string) error {
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: o.Key,
 Sk: o.SecurityKey.Use,
 Slot: o.SecurityKey.Slot,
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
index 0341ed0a025..77bef0e92e1 100644
--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -35,7 +35,6 @@ import (
 "github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 "github.com/sigstore/cosign/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/cmd/cosign/cli/rekor"
- "github.com/sigstore/cosign/cmd/cosign/cli/sign"
 "github.com/sigstore/cosign/pkg/blob"
 "github.com/sigstore/cosign/pkg/cosign"
 "github.com/sigstore/cosign/pkg/cosign/pivkey"
@@ -61,7 +60,7 @@ func isb64(data []byte) bool {
 }
 // nolint
-func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail,
+func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
 certOidcIssuer, certChain, sigRef, blobRef string, enforceSCT bool) error {
 var verifier signature.Verifier
 var cert *x509.Certificate
@@ -186,7 +185,7 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail,
 return nil
 }
-func verifySigByUUID(ctx context.Context, ko sign.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string,
+func verifySigByUUID(ctx context.Context, ko options.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string,
 uuids []string, blobBytes []byte, enforceSCT bool) error {
 var validSigExists bool
 for _, u := range uuids {
@@ -289,7 +288,7 @@ func payloadBytes(blobRef string) ([]byte, error) {
 return blobBytes, nil
 }
-func verifyRekorEntry(ctx context.Context, ko sign.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error {
+func verifyRekorEntry(ctx context.Context, ko options.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error {
 // If we have a bundle with a rekor entry, let's first try to verify offline
 if ko.BundlePath != "" {
 if err := verifyRekorBundle(ctx, ko.BundlePath, cert); err == nil {
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 1302b9d8478..75c7701f864 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -125,7 +125,7 @@ func TestSignVerify(t *testing.T) {
 mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 // Now sign the image
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 // Now verify and download should work!
@@ -160,7 +160,7 @@ func TestSignVerifyClean(t *testing.T) {
 ctx := context.Background()
 // Now sign the image
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 // Now verify and download should work!
@@ -189,7 +189,7 @@ func TestImportSignVerifyClean(t *testing.T) {
 ctx := context.Background()
 // Now sign the image
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 // Now verify and download should work!
@@ -232,7 +232,7 @@ func TestAttestVerify(t *testing.T) {
 }
 // Now attest the image
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(attest.AttestCmd(ctx, ko, options.RegistryOptions{}, imgName, "", "", false, slsaAttestationPath, false, "slsaprovenance", false, 30*time.Second), t)
@@ -273,7 +273,7 @@ func TestAttestationReplace(t *testing.T) {
 defer cleanup()
 _, privKeyPath, _ := keypair(t, td)
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 ctx := context.Background()
@@ -327,7 +327,7 @@ func TestRekorBundle(t *testing.T) {
 _, privKeyPath, pubKeyPath := keypair(t, td)
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: privKeyPath,
 PassFunc: passFunc,
 RekorURL: rekorURL,
@@ -363,7 +363,7 @@ func TestDuplicateSign(t *testing.T) {
 mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
 // Now sign the image
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 // Now verify and download should work!
@@ -460,7 +460,7 @@ func TestMultipleSignatures(t *testing.T) {
 mustErr(verify(pub2, imgName, true, nil, ""), t)
 // Now sign the image with one key
- ko := sign.KeyOpts{KeyRef: priv1, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: priv1, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 // Now verify should work with that one, but not the other
 must(verify(pub1, imgName, true, nil, ""), t)
@@ -494,10 +494,10 @@ func TestSignBlob(t *testing.T) {
 ctx := context.Background()
- ko1 := sign.KeyOpts{
+ ko1 := options.KeyOpts{
 KeyRef: pubKeyPath1,
 }
- ko2 := sign.KeyOpts{
+ ko2 := options.KeyOpts{
 KeyRef: pubKeyPath2,
 }
 // Verify should fail on a bad input
@@ -505,7 +505,7 @@ func TestSignBlob(t *testing.T) {
 mustErr(cliverify.VerifyBlobCmd(ctx, ko2, "" /*certRef*/, "" /*certEmail*/, "" /*certOidcIssuer*/, "" /*certChain*/, "badsig", blob, false), t)
 // Now sign the blob with one key
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: privKeyPath1,
 PassFunc: passFunc,
 }
@@ -535,7 +535,7 @@ func TestSignBlobBundle(t *testing.T) {
 ctx := context.Background()
- ko1 := sign.KeyOpts{
+ ko1 := options.KeyOpts{
 KeyRef: pubKeyPath1,
 BundlePath: bundlePath,
 }
@@ -543,7 +543,7 @@ func TestSignBlobBundle(t *testing.T) {
 mustErr(cliverify.VerifyBlobCmd(ctx, ko1, "", "", "", "", "", blob, false), t)
 // Now sign the blob with one key
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: privKeyPath1,
 PassFunc: passFunc,
 BundlePath: bundlePath,
@@ -849,7 +849,7 @@ func TestSaveLoad(t *testing.T) {
 ctx := context.Background()
 // Now sign the image and verify it
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 must(verify(pubKeyPath, imgName, true, nil, ""), t)
@@ -882,7 +882,7 @@ func TestSaveLoadAttestation(t *testing.T) {
 ctx := context.Background()
 // Now sign the image and verify it
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t)
 must(verify(pubKeyPath, imgName, true, nil, ""), t)
@@ -894,7 +894,7 @@ func TestSaveLoadAttestation(t *testing.T) {
 }
 // Now attest the image
- ko = sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+ ko = options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
 must(attest.AttestCmd(ctx, ko, options.RegistryOptions{}, imgName, "", "", false, slsaAttestationPath, false, "custom", false, 30*time.Second), t)
@@ -971,7 +971,7 @@ func TestAttachSBOM(t *testing.T) {
 mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom"), t)
 // Now sign the sbom with one key
- ko1 := sign.KeyOpts{KeyRef: privKeyPath1, PassFunc: passFunc}
+ ko1 := options.KeyOpts{KeyRef: privKeyPath1, PassFunc: passFunc}
 must(sign.SignCmd(ro, ko1, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, "sbom"), t)
 // Now verify should work with that one, but not the other
@@ -1004,7 +1004,7 @@ func TestTlog(t *testing.T) {
 mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
 // Now sign the image without the tlog
- ko := sign.KeyOpts{
+ ko := options.KeyOpts{
 KeyRef: privKeyPath,
 PassFunc: passFunc,
 RekorURL: rekorURL,
@@ -1182,7 +1182,7 @@ func TestInvalidBundle(t *testing.T) {
 // (we're just using it for its bundle)
 defer setenv(t, options.ExperimentalEnv, "1")()
 remoteOpts := ociremote.WithRemoteOptions(registryClientOpts(ctx)...)
- ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL}
+ ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL}
 regOpts := options.RegistryOptions{}
 must(sign.SignCmd(ro, ko, regOpts, nil, []string{img1}, "", "", true, "", "", "", true, false, ""), t)