From e2b62ca682439863d7443b5b00ae6c78952446e7 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 11 May 2022 21:19:00 +0000
Subject: [PATCH 1/2] Normalize certificate flag names

This changes the flag names to use certificate instead of the abbreviated cert. To avoid breaking clients, we add a global alias that translates between the two.

Signed-off-by: Hayden Blauzvern
---
 cmd/cosign/cli/commands.go | 20 ++++++++++++++++++++
 cmd/cosign/cli/options/attest.go | 4 ++--
 cmd/cosign/cli/options/certificate.go | 8 ++++----
 cmd/cosign/cli/options/sign.go | 4 ++--
 doc/cosign_attest.md | 4 ++--
 doc/cosign_dockerfile_verify.md | 8 ++++----
 doc/cosign_manifest_verify.md | 8 ++++----
 doc/cosign_sign.md | 4 ++--
 doc/cosign_verify-attestation.md | 8 ++++----
 doc/cosign_verify-blob.md | 8 ++++----
 doc/cosign_verify.md | 8 ++++----
 11 files changed, 52 insertions(+), 32 deletions(-)

diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go
index 2b483e71f4e..22ae98a9c7c 100644
--- a/cmd/cosign/cli/commands.go
+++ b/cmd/cosign/cli/commands.go
@@ -21,6 +21,7 @@ import (
 "github.com/google/go-containerregistry/pkg/logs"
 "github.com/pkg/errors"
 "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
 "sigs.k8s.io/release-utils/version"
 cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
@@ -31,6 +32,22 @@ var (
 ro = &options.RootOptions{}
 )
+func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedName { switch name { case "cert": name = "certificate" case "cert-email": name = "certificate-email" case "cert-chain": name = "certificate-chain" case "cert-oidc-issuer": name = "certificate-oidc-issuer" case "output-cert": name = "output-certificate" } return pflag.NormalizedName(name) }
+
 func New() *cobra.Command {
 var (
 out, stdout *os.File
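Review bot: normalizeCertificateFlags maps `output-cert` to `output-certificate`, but nothing in this patch renames an `output-cert` flag registration: the diffstat lists only attest.go, certificate.go and sign.go, and their hunks touch cert, cert-chain, cert-email and cert-oidc-issuer. If some command still registers `output-cert`, pflag (as I recall) re-normalizes already-registered names when the normalization function is installed, which the second commands.go hunk does via SetGlobalNormalizationFunc, so --help and the generated docs would show `--output-certificate` while the source says `output-cert`; rename that registration in the same change, or drop the case until it exists. The function also has no comment explaining why these aliases exist, which matters because the old spellings keep working silently with no deprecation hint in --help; suggest `// normalizeCertificateFlags maps the legacy cert-* flag names onto their certificate-* replacements so existing invocations keep working.` Minor style: each case can `return pflag.NormalizedName("certificate")` directly rather than reassigning name and falling through to a single return.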
@@ -97,5 +114,8 @@ func New() *cobra.Command {
 cmd.AddCommand(version.WithFont("starwars"))
 cmd.AddCommand(cranecmd.NewCmdAuthLogin("cosign"))
+
+ cmd.SetGlobalNormalizationFunc(normalizeCertificateFlags)
+
+
 return cmd
 }
diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go
index caa1db52133..fee88d048c5 100644
--- a/cmd/cosign/cli/options/attest.go
+++ b/cmd/cosign/cli/options/attest.go
@@ -51,10 +51,10 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret")
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the X.509 certificate in PEM format to include in the OCI Signature")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA X.509 certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
index 615842c810e..d383857c1fe 100644
--- a/cmd/cosign/cli/options/certificate.go
+++ b/cmd/cosign/cli/options/certificate.go
@@ -31,16 +31,16 @@ var _ Interface = (*RekorOptions)(nil)
 // AddFlags implements Interface
 func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the public certificate")
- cmd.Flags().StringVar(&o.CertEmail, "cert-email", "",
+ cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
 "the email expected in a valid Fulcio certificate")
- cmd.Flags().StringVar(&o.CertOidcIssuer, "cert-oidc-issuer", "",
+ cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
 "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
index a4a1df779fb..e22482b67a6 100644
--- a/cmd/cosign/cli/options/sign.go
+++ b/cmd/cosign/cli/options/sign.go
@@ -55,10 +55,10 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Key, "key", "", "path to the private key file, KMS URI or Kubernetes Secret")
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the X.509 certificate in PEM format to include in the OCI Signature")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA X.509 certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 014ad4f680c..e5f1d033da5 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -41,8 +41,8 @@ cosign attest [flags]
 ```
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the X.509 certificate in PEM format to include in the OCI Signature
- --cert-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
+ --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
+ --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
 -f, --force skip warnings and confirmations
 --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for attest
diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
index fa6ec41bfe3..e852a0c96c3 100644
--- a/doc/cosign_dockerfile_verify.md
+++ b/doc/cosign_dockerfile_verify.md
@@ -57,10 +57,10 @@ cosign dockerfile verify [flags]
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --base-image-only only verify the base image (the last FROM image in the Dockerfile)
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
index 81f314d83f8..042b6c7d652 100644
--- a/doc/cosign_manifest_verify.md
+++ b/doc/cosign_manifest_verify.md
@@ -51,10 +51,10 @@ cosign manifest verify [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 61e1ea5a2b8..4cb379bdde6 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -59,8 +59,8 @@ cosign sign [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the X.509 certificate in PEM format to include in the OCI Signature
- --cert-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
+ --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
+ --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
 -f, --force skip warnings and confirmations
 --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for sign
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
index 65ca6994699..7349a7c27bc 100644
--- a/doc/cosign_verify-attestation.md
+++ b/doc/cosign_verify-attestation.md
@@ -61,10 +61,10 @@ cosign verify-attestation [flags]
 ```
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify-attestation
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
index 894e46afde6..ef9c7acc549 100644
--- a/doc/cosign_verify-blob.md
+++ b/doc/cosign_verify-blob.md
@@ -64,10 +64,10 @@ cosign verify-blob [flags]
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --bundle string path to bundle FILE
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify-blob
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
index 9de4dbad45f..a5cbb988a64 100644
--- a/doc/cosign_verify.md
+++ b/doc/cosign_verify.md
@@ -70,10 +70,10 @@ cosign verify [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify

From a7be2af51e21f61a36dc19296c1f5cfbe7ff58ff Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 11 May 2022 21:37:27 +0000
Subject: [PATCH 2/2] Update go.mod
Signed-off-by: Hayden Blauzvern
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 2224063985e..ee4a523f2af 100644
--- a/go.mod
+++ b/go.mod
@@ -40,6 +40,7 @@ require (
 github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
 github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5
 github.com/spf13/cobra v1.4.0
+ github.com/spf13/pflag v1.0.5
 github.com/spf13/viper v1.11.0
 github.com/spiffe/go-spiffe/v2 v2.1.0
 github.com/stretchr/testify v1.7.1
@@ -260,7 +261,6 @@ require (
 github.com/soheilhy/cmux v0.1.5 // indirect
 github.com/spf13/cast v1.4.1 // indirect
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
- github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
 github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
 github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect