feat: improve the verification message #2268
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2268 +/- ##
=======================================
Coverage 28.57% 28.57%
=======================================
Files 131 131
Lines 7866 7866
=======================================
Hits 2248 2248
Misses 5311 5311
Partials 307 307
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
This looks great!
Three points:
-
It's technically a backwards-incompatible change. If you were relying on the output of Cosign, which should stay relatively stable, using
jqor similar and looking for the OIDs, this will break that.I think we should do both: set
ss.Optional[cosign.CertExtensionGitHubWorkflowTrigger]andss.Optional[cosign.CertExtensionMap[...]]. -
Is there a good way to test this? I know there's no
verify_test.goright now. Can you make a (very simple!) one for the JSON output? -
cosign verify-blobdoesn't usePrintVerificationlikecosign verifyandcosign verify-attestation! It may or may not make sense to usePrintVerificationthere, but we should at least improve the output. You don't need to fix this, but it'd be great if you could file a bug.
|
Oh, and can you make the release note a little more detailed? Something like:
|
developer-guy
force-pushed
the
feature/2216
branch
2 times, most recently
from
8cf81ab
to
25381b2
Compare
Done 🕺🏻
Done 🥳 Thx for the really valuable comments and feedbacks ! 🫶 |
| ) | ||
|
|
||
| func TestPrintVerification(t *testing.T) { | ||
| wantPayload := ` |
There was a problem hiding this comment.
Can you add a comment about how we want both the OIDs and the cleaned up names for backwards compatibility?
| "testing" | ||
| ) | ||
|
|
||
| func TestPrintVerification(t *testing.T) { |
There was a problem hiding this comment.
If you really want, you can add a test for the text-style output (not JSON). But that's totally optional for this PR
There was a problem hiding this comment.
maybe we can do this later, wdyt?
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
developer-guy
force-pushed
the
feature/2216
branch
from
25381b2
to
8a40e2c
Compare
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/sigstore/cosign](https://togithub.com/sigstore/cosign) | require | minor | `v1.12.1` -> `v1.13.0` | --- ### Release Notes <details> <summary>sigstore/cosign</summary> ### [`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0) > # Highlights > > - For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version." #### Enhancements - Add support for Fulcio username identity in SAN ([sigstore/cosign#2291) - Data race in FetchSignaturesForReference ([sigstore/cosign#2283) - Check error on chain verification failure ([sigstore/cosign#2284) - feat: improve the verification message ([sigstore/cosign#2268) - feat: use stdin as an input for predicate ([sigstore/cosign#2269) #### Bug Fixes - fix: make tlog entry lookups for online verification shard-aware ([sigstore/cosign#2297) - Fix: Create a static copy of signatures as part of verification. ([sigstore/cosign#2287) - Fix: Remove an extra registry request from verification path. ([sigstore/cosign#2285) - fix pivtool generate key touch policy ([sigstore/cosign#2282) #### Others - use scaffolding 0.4.8 for tests. ([sigstore/cosign#2280) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - Matt Moore ([@​mattmoor](https://togithub.com/mattmoor)) - Ross Tannenbaum ([@​RTann](https://togithub.com/RTann)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4yMjIuMyIsInVwZGF0ZWRJblZlciI6IjMyLjIyMi4zIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/sigstore/cosign](https://togithub.com/sigstore/cosign) | require | minor | `v1.12.1` -> `v1.13.0` | --- ### Release Notes <details> <summary>sigstore/cosign</summary> ### [`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0) > # Highlights > > - For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version." #### Enhancements - Add support for Fulcio username identity in SAN ([sigstore/cosign#2291) - Data race in FetchSignaturesForReference ([sigstore/cosign#2283) - Check error on chain verification failure ([sigstore/cosign#2284) - feat: improve the verification message ([sigstore/cosign#2268) - feat: use stdin as an input for predicate ([sigstore/cosign#2269) #### Bug Fixes - fix: make tlog entry lookups for online verification shard-aware ([sigstore/cosign#2297) - Fix: Create a static copy of signatures as part of verification. ([sigstore/cosign#2287) - Fix: Remove an extra registry request from verification path. ([sigstore/cosign#2285) - fix pivtool generate key touch policy ([sigstore/cosign#2282) #### Others - use scaffolding 0.4.8 for tests. ([sigstore/cosign#2280) #### Contributors - Asra Ali ([@​asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@​developer-guy](https://togithub.com/developer-guy)) - Carlos Tadeu Panato Junior ([@​cpanato](https://togithub.com/cpanato)) - Hayden Blauzvern ([@​haydentherapper](https://togithub.com/haydentherapper)) - Matt Moore ([@​mattmoor](https://togithub.com/mattmoor)) - Ross Tannenbaum ([@​RTann](https://togithub.com/RTann)) - Ville Aikas ([@​vaikas](https://togithub.com/vaikas)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzMi4yMjIuMyIsInVwZGF0ZWRJblZlciI6IjMyLjIyMi4zIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Fixes #2216
Summary
Release Note
feat: print the names of custom extensions (like "GitHub Workflow Trigger") rather than OIDs (like 1.3.6.1.4.1.57264.1.2) in the human-readable output of cosign verify{,-attestation}, and use field names (githubWorkflowTrigger) in keys of the JSON output of these commands (the old OID keys are kept for backwards compatibility, but they are deprecated and their use is discouraged).
Documentation
/cc @znewman01