fix: add COSIGN_EXPERIMENTAL=1 for verify-blob #2254
@@ -218,22 +218,19 @@ You may specify either a key, a certificate or a kms reference to verify against | |
The signature may be specified as a path to a file or a base64 encoded string. | ||
The blob may be specified as a path to a file or - for stdin.`, | ||
Example: ` cosign verify-blob (--key <key path>|<key url>|<kms uri>)|(--cert <cert>) --signature <sig> <blob> | ||
Example: ` cosign verify-blob (--key <key path>|<key url>|<kms uri>)|(--certificate <cert>) --signature <sig> <blob> | ||
# Verify a simple blob and message | ||
cosign verify-blob --key cosign.pub --signature sig msg | ||
# Verify a simple blob with remote signature URL, both http and https schemes are supported | ||
cosign verify-blob --key cosign.pub --signature http://host/my.sig | ||
cosign verify-blob --key cosign.pub (--signature <sig path>|<sig url> msg) | ||
# Verify a signature from an environment variable | ||
cosign verify-blob --key cosign.pub --signature $sig msg | ||
# verify a signature with public key provided by URL | ||
Can we combine this with the "signature from URL" example?
cosign verify-blob --key https://host.for/<FILE> --signature $sig msg | ||
# Verify a signature against a payload from another process using process redirection | ||
cosign verify-blob --key cosign.pub --signature $sig <(git rev-parse HEAD) | ||
# verify a signature with signature and key provided by URL | ||
cosign verify-blob --key https://host.for/<FILE> --signature https://example.com/<SIG> | ||
# Verify a signature against Azure Key Vault | ||
I would like to combine all the KMS examples. It'd be nice to list the syntax for each, but I don't need it in the full context.
cosign verify-blob --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] --signature $sig <blob> | ||
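Review bot: the new URL example `cosign verify-blob --key https://host.for/<FILE> --signature https://example.com/<SIG>` drops the blob positional argument, while the command below is declared `Args: cobra.ExactArgs(1)`, so the example as written fails argument validation; append `<blob>` (or `msg`, as the neighbouring examples do). The rewritten signature-URL line `cosign verify-blob --key cosign.pub (--signature <sig path>|<sig url> msg)` also closes the alternation after `msg`, which reads as if the blob were part of the `--signature` choice rather than a separate argument; move the parenthesis so it reads `(--signature <sig path>|<sig url>) msg`.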
@@ -254,7 +251,7 @@ The blob may be specified as a path to a file or - for stdin.`, | |
cosign verify-blob --key gitlab://[PROJECT_ID] --signature $sig <blob> | ||
# Verify a signature against a certificate | ||
cosign verify-blob --cert <cert> --signature $sig <blob> | ||
COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate <cert> --signature $sig <blob> | ||
`, | ||
@asraa Should we use the list you made of all possible flag combos (cert/key, experimental/no experimental, bundle, expired/unexpired cert) and have an example for each of these with more explanation?

+1

Further, I'd like to see some organization and explanation. Right now, the text is just a laundry list of "if X, then Y". We should explain.

Here's a braindump, maybe should move into Google Doc (feel free to copy it):

- no experimental: Check the signature on a blob against the given key or certificate.
  - Keys: blah
  - Certificates
  - Bundles
- experimental:
  - Keys: Same as above, but we check that signatures are in Rekor (I think?) If
  - Certs
  - Bundles
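To make the "no experimental, keys" case in the braindump above concrete, here is the check that `cosign verify-blob --key cosign.pub --signature <sig> <blob>` performs before any transparency-log lookup, written as an added illustration in Go (this is not cosign's own code). It assumes cosign's defaults for `sign-blob` with a local key: an ECDSA P-256 key, a PEM `PUBLIC KEY` (PKIX) block in `cosign.pub`, and a signature that is the base64 encoding of an ASN.1 DER ECDSA signature over SHA-256 of the blob. The function names, the sample blob and the tamper cases are constructed for the example; the experimental Rekor and certificate paths are deliberately not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyPEM creates a fresh P-256 key pair and returns the private key
// together with the public key in the PEM form cosign writes to cosign.pub.
// (Illustrative helper; cosign additionally encrypts the private key at rest.)
func GenerateKeyPEM() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// SignBlob produces what `cosign sign-blob --key cosign.key <blob>` prints for
// an ECDSA key: base64(DER ECDSA signature over SHA-256(blob)).
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// ParsePublicKeyPEM loads the cosign.pub-style PEM block and rejects anything
// that is not an ECDSA public key.
func ParsePublicKeyPEM(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PEM PUBLIC KEY block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", pub)
	}
	return ec, nil
}

// VerifyBlob is the key-only verification path with no Rekor check: decode the
// base64 signature, hash the blob with SHA-256 and verify the DER signature
// against the key. A modified blob, a corrupt signature or a different key all
// return an error, so callers must treat nil as the only success value.
func VerifyBlob(pub *ecdsa.PublicKey, sigB64 string, blob []byte) error {
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], der) {
		return errors.New("signature does not verify against the supplied key")
	}
	return nil
}

func main() {
	priv, pubPEM, err := GenerateKeyPEM()
	if err != nil {
		panic(err)
	}
	pub, err := ParsePublicKeyPEM(pubPEM)
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed release artifact\n") // constructed sample input
	sig, err := SignBlob(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine blob:", VerifyBlob(pub, sig, blob))
	fmt.Println("tampered blob:", VerifyBlob(pub, sig, []byte("constructed release artifact (modified)\n")))
}
```

Note that this is exactly why the `--key` examples in the diff do not need `COSIGN_EXPERIMENTAL=1`: with a pinned public key the trust decision is local to the key file, whereas the certificate path has nothing local to pin and so relies on the extra checks the experimental mode enables.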
Args: cobra.ExactArgs(1), | ||
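Review bot: the `+` line `COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate <cert> --signature $sig <blob>` prefixes the certificate example with the environment variable, but the comment above it still reads only `# Verify a signature against a certificate`, so a reader of the help text is told nothing about why the variable is required for certificates and not for the `--key` examples in the same block; the review thread itself is unsure what it changes ("we check that signatures are in Rekor (I think?)"). Extend the comment to say what `COSIGN_EXPERIMENTAL=1` turns on for this path, and confirm whether `--cert` remains accepted as an alias now that both the synopsis and this example have moved to `--certificate`.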
let's axe this example? it's just explaining how the environment variables work in a shell, I think