Merge remote-tracking branch 'upstream/main' into support-alibaba-acr…

…-keychain

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
 
     - name: Utilize Go Module Cache
-      uses: actions/cache@a7c34adf76222e77931dedbf4a45b2e4648ced19 # v3.0.3
+      uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # v3.0.3
       with:
         path: |
           ~/go/pkg/mod
@@ -59,12 +59,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
+      uses: github/codeql-action/init@7fee4ca032ac341c12486c4c06822c5221c76533 # v2.1.18
       with:
         languages: ${{ matrix.language }}
 
     - name: Build cosign for CodeQL
       run: make cosign
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
+      uses: github/codeql-action/analyze@7fee4ca032ac341c12486c4c06822c5221c76533 # v2.1.18

.github/workflows/scorecard_action.yml

@@ -52,6 +52,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f5d217be74900c6ac8fbbe53f3c10376ba4e64da # v2.1.18
+        uses: github/codeql-action/upload-sarif@7fee4ca032ac341c12486c4c06822c5221c76533 # v2.1.18
         with:
           sarif_file: results.sarif

.github/workflows/tests.yaml

@@ -40,7 +40,7 @@ jobs:
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-      - uses: actions/cache@a7c34adf76222e77931dedbf4a45b2e4648ced19 # v3.0.3
+      - uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # v3.0.3
         with:
           # In order:
           # * Module download cache
@@ -82,7 +82,7 @@ jobs:
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-      - uses: actions/cache@a7c34adf76222e77931dedbf4a45b2e4648ced19 # v3.0.3
+      - uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # v3.0.3
         with:
           # In order:
           # * Module download cache
@@ -129,7 +129,7 @@ jobs:
           check-latest: true
 
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
-      - uses: actions/cache@a7c34adf76222e77931dedbf4a45b2e4648ced19 # v3.0.3
+      - uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # v3.0.3
         with:
           # In order:
           # * Module download cache

cmd/cosign/cli/commands.go

@@ -26,6 +26,7 @@ import (
 
 	cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	cobracompletefig "github.com/withfig/autocomplete-tools/integrations/cobra"
 )
 
 var (
@@ -118,6 +119,7 @@ func New() *cobra.Command {
 	cmd.AddCommand(cranecmd.NewCmdAuthLogin("cosign"))
 
 	cmd.SetGlobalNormalizationFunc(normalizeCertificateFlags)
+	cmd.AddCommand(cobracompletefig.CreateCompletionSpecCommand())
 
 	return cmd
 }

cmd/cosign/cli/dockerfile/verify_test.go

@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE-2.0
+//	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,

cmd/cosign/cli/fulcio/fulcio.go

@@ -62,7 +62,7 @@ func (rf *realConnector) OIDConnect(url, clientID, secret, redirectURL string) (
 	return oauthflow.OIDConnect(url, clientID, secret, redirectURL, rf.flow)
 }
 
-func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.Client, connector oidcConnector, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (*api.CertificateResponse, error) {
+func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.LegacyClient, connector oidcConnector, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string) (*api.CertificateResponse, error) {
 	pubBytes, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
 	if err != nil {
 		return nil, err
@@ -92,7 +92,7 @@ func getCertForOauthID(priv *ecdsa.PrivateKey, fc api.Client, connector oidcConn
 }
 
 // GetCert returns the PEM-encoded signature of the OIDC identity returned as part of an interactive oauth2 flow plus the PEM-encoded cert chain.
-func GetCert(ctx context.Context, priv *ecdsa.PrivateKey, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*api.CertificateResponse, error) {
+func GetCert(ctx context.Context, priv *ecdsa.PrivateKey, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
 	c := &realConnector{}
 	switch flow {
 	case flowDevice:
@@ -202,7 +202,7 @@ func GetIntermediates() (*x509.CertPool, error) {
 	return fulcioroots.GetIntermediates()
 }
 
-func NewClient(fulcioURL string) (api.Client, error) {
+func NewClient(fulcioURL string) (api.LegacyClient, error) {
 	fulcioServer, err := url.Parse(fulcioURL)
 	if err != nil {
 		return nil, err

cmd/cosign/cli/fulcio/fulcio_test.go

@@ -49,7 +49,7 @@ type testClient struct {
 	err      error
 }
 
-var _ api.Client = (*testClient)(nil)
+var _ api.LegacyClient = (*testClient)(nil)
 
 func (p *testClient) SigningCert(cr api.CertificateRequest, token string) (*api.CertificateResponse, error) {
 	return &p.payload, p.err

cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go

@@ -52,26 +52,26 @@ func LeafHashB64(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp,
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to calculate the leaf hash for a normal X.509
-//       certificate then it is enough to just provide the end entity
-//       certificate in chain. This case assumes that the SCT being provided is
-//       not embedded within the leaf certificate provided, i.e. the certificate
-//       is what was submitted to the Certificate Transparency Log in order to
-//       obtain the SCT.  For this case, set embedded to false.
+//     If using this function to calculate the leaf hash for a normal X.509
+//     certificate then it is enough to just provide the end entity
+//     certificate in chain. This case assumes that the SCT being provided is
+//     not embedded within the leaf certificate provided, i.e. the certificate
+//     is what was submitted to the Certificate Transparency Log in order to
+//     obtain the SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to calculate the leaf hash for a precertificate
-//       then the issuing certificate must also be provided in chain.  The
-//       precertificate should be at chain[0], and its issuer at chain[1].  For
-//       this case, set embedded to false.
+//     If using this function to calculate the leaf hash for a precertificate
+//     then the issuing certificate must also be provided in chain.  The
+//     precertificate should be at chain[0], and its issuer at chain[1].  For
+//     this case, set embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If using this function to calculate the leaf hash for a certificate
-//       where the SCT provided is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  LeafHash will
-//       calculate the leaf hash by building the corresponding precertificate.
-//       LeafHash will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If using this function to calculate the leaf hash for a certificate
+//     where the SCT provided is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  LeafHash will
+//     calculate the leaf hash by building the corresponding precertificate.
+//     LeafHash will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 //
 // Note: LeafHash doesn't check that the provided SCT verifies for the given
 // chain.  It simply calculates what the leaf hash would be for the given
@@ -91,25 +91,25 @@ func LeafHash(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, emb
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to verify an SCT for a normal X.509 certificate
-//       then it is enough to just provide the end entity certificate in chain.
-//       This case assumes that the SCT being provided is not embedded within
-//       the leaf certificate provided, i.e. the certificate is what was
-//       submitted to the Certificate Transparency Log in order to obtain the
-//       SCT.  For this case, set embedded to false.
+//     If using this function to verify an SCT for a normal X.509 certificate
+//     then it is enough to just provide the end entity certificate in chain.
+//     This case assumes that the SCT being provided is not embedded within
+//     the leaf certificate provided, i.e. the certificate is what was
+//     submitted to the Certificate Transparency Log in order to obtain the
+//     SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to verify an SCT for a precertificate then the
-//       issuing certificate must also be provided in chain.  The precertificate
-//       should be at chain[0], and its issuer at chain[1].  For this case, set
-//       embedded to false.
+//     If using this function to verify an SCT for a precertificate then the
+//     issuing certificate must also be provided in chain.  The precertificate
+//     should be at chain[0], and its issuer at chain[1].  For this case, set
+//     embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If the SCT you wish to verify is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  VerifySCT will
-//       verify the provided SCT by building the corresponding precertificate.
-//       VerifySCT will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If the SCT you wish to verify is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  VerifySCT will
+//     verify the provided SCT by building the corresponding precertificate.
+//     VerifySCT will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
 	s, err := ct.NewSignatureVerifier(pubKey)
 	if err != nil {
@@ -126,25 +126,25 @@ func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.Signe
 //
 // This function can be used with three different types of leaf certificate:
 //   - X.509 Certificate:
-//       If using this function to verify an SCT for a normal X.509 certificate
-//       then it is enough to just provide the end entity certificate in chain.
-//       This case assumes that the SCT being provided is not embedded within
-//       the leaf certificate provided, i.e. the certificate is what was
-//       submitted to the Certificate Transparency Log in order to obtain the
-//       SCT.  For this case, set embedded to false.
+//     If using this function to verify an SCT for a normal X.509 certificate
+//     then it is enough to just provide the end entity certificate in chain.
+//     This case assumes that the SCT being provided is not embedded within
+//     the leaf certificate provided, i.e. the certificate is what was
+//     submitted to the Certificate Transparency Log in order to obtain the
+//     SCT.  For this case, set embedded to false.
 //   - Precertificate:
-//       If using this function to verify an SCT for a precertificate then the
-//       issuing certificate must also be provided in chain.  The precertificate
-//       should be at chain[0], and its issuer at chain[1].  For this case, set
-//       embedded to false.
+//     If using this function to verify an SCT for a precertificate then the
+//     issuing certificate must also be provided in chain.  The precertificate
+//     should be at chain[0], and its issuer at chain[1].  For this case, set
+//     embedded to false.
 //   - X.509 Certificate containing the SCT embedded within it:
-//       If the SCT you wish to verify is embedded within the certificate you
-//       are providing at chain[0], set embedded to true.  VerifySCT will
-//       verify the provided SCT by building the corresponding precertificate.
-//       VerifySCT will return an error if the provided SCT cannot be found
-//       embedded within chain[0].  As with the precertificate case, the issuing
-//       certificate must also be provided in chain.  The certificate containing
-//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//     If the SCT you wish to verify is embedded within the certificate you
+//     are providing at chain[0], set embedded to true.  VerifySCT will
+//     verify the provided SCT by building the corresponding precertificate.
+//     VerifySCT will return an error if the provided SCT cannot be found
+//     embedded within chain[0].  As with the precertificate case, the issuing
+//     certificate must also be provided in chain.  The certificate containing
+//     the embedded SCT should be at chain[0], and its issuer at chain[1].
 func VerifySCTWithVerifier(sv *ct.SignatureVerifier, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
 	if sv == nil {
 		return errors.New("ct.SignatureVerifier is nil")

cmd/cosign/cli/options/registry.go

@@ -17,7 +17,7 @@ package options
 import (
 	"context"
 	"crypto/tls"
-	"io/ioutil"
+	"io"
 	"net/http"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
@@ -84,7 +84,7 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 		kc := authn.NewMultiKeychain(
 			authn.DefaultKeychain,
 			google.Keychain,
-			authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(ioutil.Discard))),
+			authn.NewKeychainFromHelper(ecr.NewECRHelper(ecr.WithLogger(io.Discard))),
 			authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
 			authn.NewKeychainFromHelper(alibabaacr.NewACRHelper().WithLoggerOut(ioutil.Discard)),
 			github.Keychain,

cmd/cosign/cli/verify/verify_blob_test.go

@@ -17,7 +17,7 @@ package verify
 import (
 	"encoding/base64"
 	"encoding/json"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -80,7 +80,7 @@ func TestSignaturesBundle(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err := ioutil.WriteFile(fp, contents, 0644); err != nil {
+	if err := os.WriteFile(fp, contents, 0644); err != nil {
 		t.Fatal(err)
 	}