-
Notifications
You must be signed in to change notification settings - Fork 553
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Scott Nichols <[email protected]>
- Loading branch information
Showing
6 changed files
with
260 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,117 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package options | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/spf13/cobra" | ||
|
||
sigs "github.com/sigstore/cosign/pkg/signature" | ||
fulcioclient "github.com/sigstore/fulcio/pkg/client" | ||
) | ||
|
||
// SignOptions is the top level wrapper for the sign command. | ||
type SignOptions struct { | ||
Key string | ||
Cert string | ||
Upload bool | ||
SecurityKey bool | ||
SecurityKeySlot string | ||
PayloadPath string | ||
Force bool | ||
Recursive bool | ||
FulcioURL string | ||
RektorURL string | ||
IdentityToken string | ||
OIDCIssuer string | ||
OIDCClientID string | ||
OIDCClientSecret string | ||
Attachment string | ||
|
||
Annotations []string | ||
RegistryOpts RegistryOpts | ||
} | ||
|
||
func (s *SignOptions) AnnotationsMap() (sigs.AnnotationsMap, error) { | ||
ann := sigs.AnnotationsMap{} | ||
for _, a := range s.Annotations { | ||
kv := strings.Split(a, "=") | ||
if len(kv) != 2 { | ||
return ann, fmt.Errorf("unable to parse annotation: %s", a) | ||
} | ||
ann.Annotations[kv[0]] = kv[1] | ||
} | ||
return ann, nil | ||
} | ||
|
||
func AddSignOptions(cmd *cobra.Command, o *SignOptions) { | ||
cmd.Flags().StringVar(&o.Key, "key", "", | ||
"path to the private key file, KMS URI or Kubernetes Secret") | ||
|
||
cmd.Flags().StringVar(&o.Cert, "cert", "", | ||
"path to the x509 certificate to include in the Signature") | ||
|
||
cmd.Flags().BoolVar(&o.Upload, "upload", true, | ||
"whether to upload the signature") | ||
|
||
cmd.Flags().BoolVar(&o.SecurityKey, "sk", false, | ||
"whether to use a hardware security key") | ||
|
||
cmd.Flags().StringVar(&o.SecurityKeySlot, "slot", "", | ||
"security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)") | ||
|
||
cmd.Flags().StringVar(&o.PayloadPath, "payload", "", | ||
"path to a payload file to use rather than generating one") | ||
|
||
cmd.Flags().BoolVarP(&o.Force, "force", "f", false, | ||
"skip warnings and confirmations") | ||
|
||
cmd.Flags().BoolVarP(&o.Recursive, "recursive", "r", false, | ||
"if a multi-arch image is specified, additionally sign each discrete image") | ||
|
||
cmd.Flags().StringVar(&o.OIDCIssuer, "attachment", "", | ||
"related image attachment to sign (sbom), default none") | ||
|
||
cmd.Flags().StringSliceVarP(&o.Annotations, "annotations", "a", nil, | ||
"extra key=value pairs to sign") | ||
|
||
cmd.Flags().BoolVar(&o.RegistryOpts.AllowInsecure, "allow-insecure-registry", false, | ||
"whether to allow insecure connections to registries. Don't use this for anything but testing") | ||
|
||
// TODO: an interesting idea? This hides the flags that are experimental | ||
// unless experimental is enabled. | ||
if EnableExperimental() { | ||
cmd.Flags().StringVar(&o.FulcioURL, "fulcio-url", fulcioclient.SigstorePublicServerURL, | ||
"[EXPERIMENTAL] address of sigstore PKI server") | ||
|
||
cmd.Flags().StringVar(&o.RektorURL, "rekor-url", "https://rekor.sigstore.dev", | ||
"[EXPERIMENTAL] address of rekor STL server") | ||
|
||
cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "", | ||
"[EXPERIMENTAL] identity token to use for certificate from fulcio") | ||
|
||
cmd.Flags().StringVar(&o.OIDCIssuer, "oidc-issuer", "https://oauth2.sigstore.dev/auth", | ||
"[EXPERIMENTAL] OIDC provider to be used to issue ID token") | ||
|
||
cmd.Flags().StringVar(&o.OIDCClientID, "oidc-client-id", "sigstore", | ||
"[EXPERIMENTAL] OIDC client ID for application") | ||
|
||
cmd.Flags().StringVar(&o.OIDCClientSecret, "oidc-client-secret", "", | ||
"[EXPERIMENTAL] OIDC client secret for application") | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package cli | ||
|
||
import ( | ||
"context" | ||
"flag" | ||
|
||
"github.com/pkg/errors" | ||
"github.com/spf13/cobra" | ||
|
||
"github.com/sigstore/cosign/cmd/cosign/cli/generate" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/options" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/sign" | ||
) | ||
|
||
func addSign(topLevel *cobra.Command) { | ||
so := &options.SignOptions{} | ||
|
||
cmd := &cobra.Command{ | ||
Use: "sign", | ||
Short: "Sign the supplied container image.\ncosign sign --key <key path>|<kms uri> [--payload <path>] [-a key=value] [--upload=true|false] [-f] [-r] <image uri>", | ||
Long: "Sign the supplied container image.", | ||
Example: ` | ||
# sign a container image with Google sign-in (experimental) | ||
COSIGN_EXPERIMENTAL=1 cosign sign <IMAGE> | ||
# sign a container image with a local key pair file | ||
cosign sign --key cosign.key <IMAGE> | ||
# sign a multi-arch container image AND all referenced, discrete images | ||
cosign sign --key cosign.key --r <MULTI-ARCH IMAGE> | ||
# sign a container image and add annotations | ||
cosign sign --key cosign.key -a key1=value1 -a key2=value2 <IMAGE> | ||
# sign a container image with a key pair stored in Azure Key Vault | ||
cosign sign --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] <IMAGE> | ||
# sign a container image with a key pair stored in AWS KMS | ||
cosign sign --key awskms://[ENDPOINT]/[ID/ALIAS/ARN] <IMAGE> | ||
# sign a container image with a key pair stored in Google Cloud KMS | ||
cosign sign --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY]/versions/[VERSION] <IMAGE> | ||
# sign a container image with a key pair stored in Hashicorp Vault | ||
cosign sign --key hashivault://[KEY] <IMAGE> | ||
# sign a container image with a key pair stored in a Kubernetes secret | ||
cosign sign --key k8s://[NAMESPACE]/[KEY] <IMAGE> | ||
# sign a container in a registry which does not fully support OCI media types | ||
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image | ||
`, | ||
RunE: func(cmd *cobra.Command, args []string) error { | ||
if len(args) == 0 { | ||
return flag.ErrHelp | ||
} | ||
switch so.Attachment { | ||
case "sbom", "": | ||
break | ||
default: | ||
return flag.ErrHelp | ||
} | ||
ko := sign.KeyOpts{ | ||
KeyRef: so.Key, | ||
PassFunc: generate.GetPass, | ||
Sk: so.SecurityKey, | ||
Slot: so.SecurityKeySlot, | ||
FulcioURL: so.FulcioURL, | ||
RekorURL: so.RektorURL, | ||
IDToken: so.IdentityToken, | ||
OIDCIssuer: so.OIDCIssuer, | ||
OIDCClientID: so.OIDCClientID, | ||
OIDCClientSecret: so.OIDCClientSecret, | ||
} | ||
annotationsMap, err := so.AnnotationsMap() | ||
if err != nil { | ||
return err | ||
} | ||
if err := sign.SignCmd(context.Background(), ko, so.RegistryOpts, annotationsMap.Annotations, args, so.Cert, so.Upload, so.PayloadPath, so.Force, so.Recursive, so.Attachment); err != nil { | ||
if so.Attachment == "" { | ||
return errors.Wrapf(err, "signing %v", args) | ||
} | ||
return errors.Wrapf(err, "signing attachement %s for image %v", so.Attachment, args) | ||
} | ||
return nil | ||
}, | ||
} | ||
|
||
options.AddSignOptions(cmd, so) | ||
topLevel.AddCommand(cmd) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters