From 1a145c159999fb8569e448c752124190c98239f3 Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Mon, 25 Apr 2022 09:41:02 -0400
Subject: [PATCH] Revert "Refactor fulcio signer to take in KeyOpts. (#1788)"
This reverts commit 8368baddf688c6eac4a47adee1ed42a4fcd0f83d.
Signed-off-by: Billy Lynch
---
 cmd/cosign/cli/attest.go | 3 +-
 cmd/cosign/cli/attest/attest.go | 2 +-
 cmd/cosign/cli/fulcio/fulcio.go | 23 ++---------
 .../fulcio/fulcioverifier/fulcioverifier.go | 6 +-
 cmd/cosign/cli/options/key.go | 37 ------------------
 cmd/cosign/cli/policy_init.go | 2 +-
 cmd/cosign/cli/sign.go | 2 +-
 cmd/cosign/cli/sign/sign.go | 32 +++++++++++-----
 cmd/cosign/cli/sign/sign_blob.go | 21 +++++++++-
 cmd/cosign/cli/sign/sign_test.go | 2 +-
 cmd/cosign/cli/signblob.go | 2 +-
 cmd/cosign/cli/verify.go | 3 +-
 cmd/cosign/cli/verify/verify_blob.go | 7 ++--
 test/e2e_test.go | 38 +++++++++----------
 14 files changed, 81 insertions(+), 99 deletions(-)
 delete mode 100644 cmd/cosign/cli/options/key.go
diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index ffc30866681..aabb1c54b4c 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -22,6 +22,7 @@ import ( "github.com/sigstore/cosign/cmd/cosign/cli/attest" "github.com/sigstore/cosign/cmd/cosign/cli/generate" "github.com/sigstore/cosign/cmd/cosign/cli/options" + "github.com/sigstore/cosign/cmd/cosign/cli/sign" ) func Attest() *cobra.Command {
@@ -62,7 +63,7 @@ func Attest() *cobra.Command { if err != nil { return err } - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: o.Key, PassFunc: generate.GetPass, Sk: o.SecurityKey.Use,
diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go
index 473064b376f..bef095b5ba1 100644
--- a/cmd/cosign/cli/attest/attest.go
+++ b/cmd/cosign/cli/attest/attest.go
@@ -74,7 +74,7 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string, } //nolint -func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string, +func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string, noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error { // A key file or token is required unless we're in experimental mode! if options.EnableExperimental() { diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index eed76b39496..d7eedabafb8 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go @@ -30,9 +30,8 @@ import ( "golang.org/x/term" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots" - "github.com/sigstore/cosign/cmd/cosign/cli/options" + clioptions "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/cosign" - "github.com/sigstore/cosign/pkg/providers" "github.com/sigstore/fulcio/pkg/api" "github.com/sigstore/sigstore/pkg/oauthflow" "github.com/sigstore/sigstore/pkg/signature" 
@@ -111,21 +110,7 @@ type Signer struct { *signature.ECDSASignerVerifier } -func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { - fClient, err := NewClient(ko.FulcioURL) - if err != nil { - return nil, errors.Wrap(err, "creating Fulcio client") - } - - idToken := ko.IDToken - // If token is not set in the options, get one from the provders - if idToken == "" && providers.Enabled(ctx) { - idToken, err = providers.Provide(ctx, "sigstore") - if err != nil { - return nil, errors.Wrap(err, "fetching ambient OIDC credentials") - } - } - +func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*Signer, error) { priv, err := cosign.GeneratePrivateKey() if err != nil { return nil, errors.Wrap(err, "generating cert") @@ -146,7 +131,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { default: flow = FlowNormal } - Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain. + Resp, err := GetCert(ctx, priv, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient) // TODO, use the chain. if err != nil { return nil, errors.Wrap(err, "retrieving cert") } @@ -181,6 +166,6 @@ func NewClient(fulcioURL string) (api.Client, error) { if err != nil { return nil, err } - fClient := api.NewClient(fulcioServer, api.WithUserAgent(options.UserAgent())) + fClient := api.NewClient(fulcioServer, api.WithUserAgent(clioptions.UserAgent())) return fClient, nil } diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go index c2905ec12a9..3687f5db01f 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go 
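Review bot: The restored `NewSigner` signature takes five consecutive untyped string parameters (`idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL`), so a caller that transposes the client ID and client secret still compiles and only fails at runtime against the OIDC provider; fulcioverifier.NewSigner in the next file restores the same shape. The exported function also carries no doc comment; something like `// NewSigner generates a fresh private key and requests a Fulcio certificate for it via fClient, authenticating with idToken or with the OIDC flow configured by the oidc* parameters.` would at least document the parameter order. Note that after this revert `fulcio.NewSigner` no longer consults ambient credential providers (the removed lines moved that lookup into sign.keylessSigner), so any other caller that passes an empty idToken now proceeds straight to the OIDC flow selected below rather than picking up an ambient token. The body of NewSigner continues outside the hunk.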
@@ -24,11 +24,11 @@ import ( "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl" - "github.com/sigstore/cosign/cmd/cosign/cli/options" + "github.com/sigstore/fulcio/pkg/api" ) -func NewSigner(ctx context.Context, ko options.KeyOpts) (*fulcio.Signer, error) { - fs, err := fulcio.NewSigner(ctx, ko) +func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*fulcio.Signer, error) { + fs, err := fulcio.NewSigner(ctx, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient) if err != nil { return nil, err } diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go deleted file mode 100644 index db36e9235b7..00000000000 --- a/cmd/cosign/cli/options/key.go +++ /dev/null @@ -1,37 +0,0 @@ -// -// Copyright 2022 The Sigstore Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package options - -import "github.com/sigstore/cosign/pkg/cosign" - -type KeyOpts struct { - Sk bool - Slot string - KeyRef string - FulcioURL string - RekorURL string - IDToken string - PassFunc cosign.PassFunc - OIDCIssuer string - OIDCClientID string - OIDCClientSecret string - OIDCRedirectURL string - BundlePath string - - // Modeled after InsecureSkipVerify in tls.Config, this disables - // verifying the SCT. - InsecureSkipFulcioVerify bool -} 
diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go index 89e100c36d0..9e9c0f0bae0 100644 --- a/cmd/cosign/cli/policy_init.go +++ b/cmd/cosign/cli/policy_init.go @@ -179,7 +179,7 @@ func signPolicy() *cobra.Command { if err != nil { return err } - sv, err := sign.SignerFromKeyOpts(ctx, "", "", options.KeyOpts{ + sv, err := sign.SignerFromKeyOpts(ctx, "", "", sign.KeyOpts{ FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index f0f2ea19129..a039fe3402a 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -82,7 +82,7 @@ func Sign() *cobra.Command { if err != nil { return err } - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: o.Key, PassFunc: generate.GetPass, Sk: o.SecurityKey.Use, diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index adff00bad11..44da104baf8 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -47,6 +47,7 @@ import ( "github.com/sigstore/cosign/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/pkg/oci/remote" "github.com/sigstore/cosign/pkg/oci/walk" + providers "github.com/sigstore/cosign/pkg/providers/all" sigs "github.com/sigstore/cosign/pkg/signature" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/signature" @@ -92,7 +93,7 @@ func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremot } // nolint -func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{}, +func SignCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{}, imgs []string, certPath string, certChainPath string, upload bool, outputSignature, outputCertificate string, payloadPath string, force bool, recursive bool, attachment string) error { if options.EnableExperimental() { 
@@ -182,7 +183,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist return nil } -func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, +func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{}, upload bool, outputSignature, outputCertificate string, force bool, recursive bool, dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error { var err error @@ -435,18 +436,29 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin return certSigner, nil } -func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, error) { - var ( - k *fulcio.Signer - err error - ) +func keylessSigner(ctx context.Context, ko KeyOpts) (*SignerVerifier, error) { + fClient, err := fulcio.NewClient(ko.FulcioURL) + if err != nil { + return nil, errors.Wrap(err, "creating Fulcio client") + } + + tok := ko.IDToken + // If token is not set in the options, get one from the provders + if tok == "" && providers.Enabled(ctx) { + tok, err = providers.Provide(ctx, "sigstore") + if err != nil { + return nil, errors.Wrap(err, "fetching ambient OIDC credentials") + } + } + + var k *fulcio.Signer if ko.InsecureSkipFulcioVerify { - if k, err = fulcio.NewSigner(ctx, ko); err != nil { + if k, err = fulcio.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil { return nil, errors.Wrap(err, "getting key from Fulcio") } } else { - if k, err = fulcioverifier.NewSigner(ctx, ko); err != nil { + if k, err = fulcioverifier.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil { return nil, errors.Wrap(err, "getting key from Fulcio") } } 
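Review bot: In the restored `keylessSigner`, the comment `// If token is not set in the options, get one from the provders` has a typo and could state the order of precedence, e.g. `// No token was passed explicitly; try the ambient OIDC providers before falling back to the OIDC flow inside fulcio.NewSigner.`. Both branches below wrap their failure as `"getting key from Fulcio"`, so an error no longer tells the operator whether SCT verification was disabled; `errors.Wrap(err, "getting key from Fulcio (SCT verification skipped)")` in the InsecureSkipFulcioVerify branch would make that visible in logs. The import hunk at the top of this file brings in `pkg/providers/all` under the alias `providers`, whereas the removed code in fulcio.go imported `pkg/providers`; presumably `all` registers every provider through side-effect imports, which is what makes `providers.Enabled`/`Provide` effective here, so a follow-up should confirm that keylessSigner is now the only keyless entry point that is expected to find ambient credentials. keylessSigner's return continues outside the hunk.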
@@ -458,7 +470,7 @@ func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, er }, nil } -func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) { +func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko KeyOpts) (*SignerVerifier, error) { if ko.Sk { return signerFromSecurityKey(ko.Slot) } diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index 401922b21d1..d21799ff9f3 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go @@ -34,8 +34,27 @@ import ( signatureoptions "github.com/sigstore/sigstore/pkg/signature/options" ) +type KeyOpts struct { + Sk bool + Slot string + KeyRef string + FulcioURL string + RekorURL string + IDToken string + PassFunc cosign.PassFunc + OIDCIssuer string + OIDCClientID string + OIDCClientSecret string + OIDCRedirectURL string + BundlePath string + + // Modeled after InsecureSkipVerify in tls.Config, this disables + // verifying the SCT. + InsecureSkipFulcioVerify bool +} + // nolint -func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) { +func SignBlobCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) { var payload []byte var err error var rekorBytes []byte diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go index bc0eabcf8a8..bb7255fd361 100644 --- a/cmd/cosign/cli/sign/sign_test.go +++ b/cmd/cosign/cli/sign/sign_test.go 
@@ -110,7 +110,7 @@ func generateCertificateFiles(t *testing.T, tmpDir string, pf cosign.PassFunc) ( func TestSignCmdLocalKeyAndSk(t *testing.T) { ro := &options.RootOptions{Timeout: options.DefaultTimeout} - for _, ko := range []options.KeyOpts{ + for _, ko := range []KeyOpts{ // local and sk keys { KeyRef: "testLocalPath", diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index e5e14b2cf08..fcb894c8369 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -68,7 +68,7 @@ func SignBlob() *cobra.Command { if err != nil { return err } - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: o.Key, PassFunc: generate.GetPass, Sk: o.SecurityKey.Use, diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index 6f180e7c549..dc75b8e3f45 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go @@ -20,6 +20,7 @@ import ( "github.com/spf13/cobra" "github.com/sigstore/cosign/cmd/cosign/cli/options" + "github.com/sigstore/cosign/cmd/cosign/cli/sign" "github.com/sigstore/cosign/cmd/cosign/cli/verify" ) @@ -248,7 +249,7 @@ The blob may be specified as a path to a file or - for stdin.`, Args: cobra.ExactArgs(1), RunE: func(cmd *cobra.Command, args []string) error { - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: o.Key, Sk: o.SecurityKey.Use, Slot: o.SecurityKey.Slot, diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index 77bef0e92e1..0341ed0a025 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -35,6 +35,7 @@ import ( "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/cmd/cosign/cli/rekor" + "github.com/sigstore/cosign/cmd/cosign/cli/sign" "github.com/sigstore/cosign/pkg/blob" "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/cosign/pkg/cosign/pivkey" 
@@ -60,7 +61,7 @@ func isb64(data []byte) bool { } // nolint -func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, +func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, certOidcIssuer, certChain, sigRef, blobRef string, enforceSCT bool) error { var verifier signature.Verifier var cert *x509.Certificate @@ -185,7 +186,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, return nil } -func verifySigByUUID(ctx context.Context, ko options.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string, +func verifySigByUUID(ctx context.Context, ko sign.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string, uuids []string, blobBytes []byte, enforceSCT bool) error { var validSigExists bool for _, u := range uuids { @@ -288,7 +289,7 @@ func payloadBytes(blobRef string) ([]byte, error) { return blobBytes, nil } -func verifyRekorEntry(ctx context.Context, ko options.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error { +func verifyRekorEntry(ctx context.Context, ko sign.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error { // If we have a bundle with a rekor entry, let's first try to verify offline if ko.BundlePath != "" { if err := verifyRekorBundle(ctx, ko.BundlePath, cert); err == nil { diff --git a/test/e2e_test.go b/test/e2e_test.go index 75c7701f864..1302b9d8478 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go 
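Review bot: Changing `VerifyBlobCmd`, `verifySigByUUID` and `verifyRekorEntry` to take `sign.KeyOpts` makes the verify package depend on the sign package for a plain settings struct, a dependency direction the reverted `options.KeyOpts` layout avoided; if this revert is meant to be temporary, the commit description could say which layout is intended to stay. The exported entry point also lacks a doc comment; `// VerifyBlobCmd verifies the signature in sigRef over the contents of blobRef using the key, certificate and Rekor settings in ko.` would be a start, with the meaning of enforceSCT added once confirmed against the body. All three functions continue outside their hunks.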
@@ -125,7 +125,7 @@ func TestSignVerify(t *testing.T) { mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) // Now sign the image - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) // Now verify and download should work! @@ -160,7 +160,7 @@ func TestSignVerifyClean(t *testing.T) { ctx := context.Background() // Now sign the image - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) // Now verify and download should work! @@ -189,7 +189,7 @@ func TestImportSignVerifyClean(t *testing.T) { ctx := context.Background() // Now sign the image - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) // Now verify and download should work! @@ -232,7 +232,7 @@ func TestAttestVerify(t *testing.T) { } // Now attest the image - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(attest.AttestCmd(ctx, ko, options.RegistryOptions{}, imgName, "", "", false, slsaAttestationPath, false, "slsaprovenance", false, 30*time.Second), t) @@ -273,7 +273,7 @@ func TestAttestationReplace(t *testing.T) { defer cleanup() _, privKeyPath, _ := keypair(t, td) - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} ctx := context.Background() 
@@ -327,7 +327,7 @@ func TestRekorBundle(t *testing.T) { _, privKeyPath, pubKeyPath := keypair(t, td) - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL, @@ -363,7 +363,7 @@ func TestDuplicateSign(t *testing.T) { mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t) // Now sign the image - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) // Now verify and download should work! @@ -460,7 +460,7 @@ func TestMultipleSignatures(t *testing.T) { mustErr(verify(pub2, imgName, true, nil, ""), t) // Now sign the image with one key - ko := options.KeyOpts{KeyRef: priv1, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: priv1, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) // Now verify should work with that one, but not the other must(verify(pub1, imgName, true, nil, ""), t) @@ -494,10 +494,10 @@ func TestSignBlob(t *testing.T) { ctx := context.Background() - ko1 := options.KeyOpts{ + ko1 := sign.KeyOpts{ KeyRef: pubKeyPath1, } - ko2 := options.KeyOpts{ + ko2 := sign.KeyOpts{ KeyRef: pubKeyPath2, } // Verify should fail on a bad input @@ -505,7 +505,7 @@ func TestSignBlob(t *testing.T) { mustErr(cliverify.VerifyBlobCmd(ctx, ko2, "" /*certRef*/, "" /*certEmail*/, "" /*certOidcIssuer*/, "" /*certChain*/, "badsig", blob, false), t) // Now sign the blob with one key - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: privKeyPath1, PassFunc: passFunc, } @@ -535,7 +535,7 @@ func TestSignBlobBundle(t *testing.T) { ctx := context.Background() - ko1 := options.KeyOpts{ + ko1 := sign.KeyOpts{ KeyRef: pubKeyPath1, BundlePath: bundlePath, } 
@@ -543,7 +543,7 @@ func TestSignBlobBundle(t *testing.T) { mustErr(cliverify.VerifyBlobCmd(ctx, ko1, "", "", "", "", "", blob, false), t) // Now sign the blob with one key - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: privKeyPath1, PassFunc: passFunc, BundlePath: bundlePath, @@ -849,7 +849,7 @@ func TestSaveLoad(t *testing.T) { ctx := context.Background() // Now sign the image and verify it - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) must(verify(pubKeyPath, imgName, true, nil, ""), t) @@ -882,7 +882,7 @@ func TestSaveLoadAttestation(t *testing.T) { ctx := context.Background() // Now sign the image and verify it - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(sign.SignCmd(ro, ko, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, ""), t) must(verify(pubKeyPath, imgName, true, nil, ""), t) @@ -894,7 +894,7 @@ func TestSaveLoadAttestation(t *testing.T) { } // Now attest the image - ko = options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} + ko = sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc} must(attest.AttestCmd(ctx, ko, options.RegistryOptions{}, imgName, "", "", false, slsaAttestationPath, false, "custom", false, 30*time.Second), t) @@ -971,7 +971,7 @@ func TestAttachSBOM(t *testing.T) { mustErr(verify(pubKeyPath2, imgName, true, nil, "sbom"), t) // Now sign the sbom with one key - ko1 := options.KeyOpts{KeyRef: privKeyPath1, PassFunc: passFunc} + ko1 := sign.KeyOpts{KeyRef: privKeyPath1, PassFunc: passFunc} must(sign.SignCmd(ro, ko1, options.RegistryOptions{}, nil, []string{imgName}, "", "", true, "", "", "", false, false, "sbom"), t) // Now verify should work with that one, but not the other 
@@ -1004,7 +1004,7 @@ func TestTlog(t *testing.T) { mustErr(verify(pubKeyPath, imgName, true, nil, ""), t) // Now sign the image without the tlog - ko := options.KeyOpts{ + ko := sign.KeyOpts{ KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL, @@ -1182,7 +1182,7 @@ func TestInvalidBundle(t *testing.T) { // (we're just using it for its bundle) defer setenv(t, options.ExperimentalEnv, "1")() remoteOpts := ociremote.WithRemoteOptions(registryClientOpts(ctx)...) - ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL} + ko := sign.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc, RekorURL: rekorURL} regOpts := options.RegistryOptions{} must(sign.SignCmd(ro, ko, regOpts, nil, []string{img1}, "", "", true, "", "", "", true, false, ""), t)