Skip to content

Commit

Permalink
bump cosign to v1.12.1 for releasing v0.4.1 (#93)
Browse files Browse the repository at this point in the history
* add some cli options that were added in cosign v1.12.1

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update release doc

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>
  • Loading branch information
hirokuni-kitahara authored Oct 3, 2022
1 parent 7a2d417 commit d812952
Show file tree
Hide file tree
Showing 17 changed files with 227 additions and 90 deletions.
16 changes: 14 additions & 2 deletions cmd/kubectl-sigstore/cli/sign.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ func NewCmdSign() *cobra.Command {
var applySignatureConfigMap bool
var updateAnnotation bool
var tarballOpt string
var allowInsecure bool
var force bool
var imageAnnotations []string
var rekorURL string
var noTlogUpload bool
Expand All @@ -54,7 +56,7 @@ func NewCmdSign() *cobra.Command {

makeTarball := (tarballOpt == "yes")

err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, noTlogUpload, imageAnnotations)
err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, allowInsecure, force, noTlogUpload, imageAnnotations)
if err != nil {
log.Fatalf("error occurred during signing: %s", err.Error())
return nil
Expand All @@ -72,14 +74,18 @@ func NewCmdSign() *cobra.Command {
cmd.PersistentFlags().BoolVar(&applySignatureConfigMap, "apply-signature-configmap", false, "whether to apply a generated signature configmap only when \"output\" is k8s configmap")
cmd.PersistentFlags().BoolVar(&updateAnnotation, "annotation-metadata", true, "whether to update annotation and generate signed yaml file")
cmd.PersistentFlags().StringVar(&tarballOpt, "tarball", "yes", "whether to make a tarball for signing (this will be default to \"no\" in v0.5.0+)")

// cosign cli options
cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
cmd.PersistentFlags().BoolVar(&force, "force", false, "skip warnings and confirmations")
cmd.PersistentFlags().StringArrayVarP(&imageAnnotations, "annotation", "a", []string{}, "extra key=value pairs to sign")
cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
cmd.PersistentFlags().BoolVar(&noTlogUpload, "no-tlog-upload", false, "whether to not upload the transparency log")

return cmd
}

func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball, noTlogUpload bool, annotations []string) error {
func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball, allowInsecure, noTlogUpload, force bool, annotations []string) error {
if output == "" && updateAnnotation {
if isDir, _ := k8smnfutil.IsDir(inputDir); isDir {
// e.g.) "./yamls/" --> "./yamls/manifest.yaml.signed"
Expand Down Expand Up @@ -114,6 +120,12 @@ func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignat
if noTlogUpload {
so.NoTlogUpload = true
}
if allowInsecure {
so.AllowInsecure = true
}
if force {
so.Force = true
}

if applySignatureConfigMap && strings.HasPrefix(output, kubeutil.InClusterObjectPrefix) {
so.ApplySigConfigMap = true
Expand Down
4 changes: 2 additions & 2 deletions cmd/kubectl-sigstore/cli/sign_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ func TestSign(t *testing.T) {

fpath := "testdata/sample-configmap.yaml"
outPath := filepath.Join(tmpDir, "sample-configmap.yaml.signed")
err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, false, nil)
err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, false, false, false, nil)
if err != nil {
t.Errorf("failed to sign the test file: %s", err.Error())
return
Expand All @@ -64,7 +64,7 @@ func TestSign(t *testing.T) {

fpath2 := "testdata/sample-configmap-concat.yaml"
outPath2 := filepath.Join(tmpDir, "sample-configmap-concat.yaml.signed")
err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, false, nil)
err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, false, false, false, nil)
if err != nil {
t.Errorf("failed to sign the test file: %s", err.Error())
return
Expand Down
9 changes: 7 additions & 2 deletions cmd/kubectl-sigstore/cli/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,12 +39,13 @@ func NewCmdVerify() *cobra.Command {
var certChain string
var rekorURL string
var oidcIssuer string
var allowInsecure bool
cmd := &cobra.Command{
Use: "verify -f FILENAME [-i IMAGE]",
Short: "A command to verify Kubernetes YAML manifests",
RunE: func(cmd *cobra.Command, args []string) error {

err := verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer)
err := verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer, allowInsecure)
if err != nil {
return err
}
Expand All @@ -62,11 +63,12 @@ func NewCmdVerify() *cobra.Command {
cmd.PersistentFlags().StringVar(&certChain, "certificate-chain", "", "path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate")
cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
cmd.PersistentFlags().StringVar(&oidcIssuer, "oidc-issuer", "", "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")

return cmd
}

func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer string) error {
func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer string, allowInsecure bool) error {
manifest, err := os.ReadFile(filename)
if err != nil {
fmt.Fprintln(os.Stderr, err.Error())
Expand Down Expand Up @@ -98,6 +100,9 @@ func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rek
if keyPath != "" {
vo.KeyPath = keyPath
}
if allowInsecure {
vo.AllowInsecure = true
}
vo.Certificate = certRef
vo.CertificateChain = certChain
vo.RekorURL = rekorURL
Expand Down
15 changes: 10 additions & 5 deletions cmd/kubectl-sigstore/cli/verify_resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ func NewCmdVerifyResource() *cobra.Command {
var certChain string
var rekorURL string
var oidcIssuer string
var allowInsecure bool
cmd := &cobra.Command{
Use: "verify-resource (RESOURCE/NAME | -f FILENAME | -i IMAGE)",
Short: "A command to verify Kubernetes manifests of resources on cluster",
Expand Down Expand Up @@ -135,7 +136,7 @@ func NewCmdVerifyResource() *cobra.Command {
provResRef = manifestBundleResRef
}

allVerified, err := verifyResource(manifestYAMLs, kubeGetArgs, resBundleRef, sigResRef, keyPath, configPath, configField, configType, disableDefaultConfig, provenance, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat, concurrencyNum)
allVerified, err := verifyResource(manifestYAMLs, kubeGetArgs, resBundleRef, sigResRef, keyPath, configPath, configField, configType, disableDefaultConfig, provenance, allowInsecure, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat, concurrencyNum)
if err != nil {
log.Fatalf("error occurred during verify-resource: %s", err.Error())
}
Expand Down Expand Up @@ -168,12 +169,13 @@ func NewCmdVerifyResource() *cobra.Command {
cmd.PersistentFlags().StringVar(&certChain, "certificate-chain", "", "path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate")
cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
cmd.PersistentFlags().StringVar(&oidcIssuer, "oidc-issuer", "", "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")

KOptions.ConfigFlags.AddFlags(cmd.PersistentFlags())
return cmd
}

func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRef, keyPath, configPath, configField, configType string, disableDefaultConfig, provenance bool, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat string, concurrencyNum int64) (bool, error) {
func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRef, keyPath, configPath, configField, configType string, disableDefaultConfig, provenance, allowInsecure bool, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat string, concurrencyNum int64) (bool, error) {
var err error
start := time.Now().UTC()
if outputFormat != "" {
Expand Down Expand Up @@ -218,7 +220,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
} else if yamls != nil {
objs, err = getObjsFromManifests(yamls, vo.IgnoreFields)
} else if resBundleRef != "" {
manifestFetcher := k8smanifest.NewManifestFetcher(resBundleRef, "", vo.AnnotationConfig, nil, vo.MaxResourceManifestNum)
manifestFetcher := k8smanifest.NewManifestFetcher(resBundleRef, "", vo.AnnotationConfig, nil, vo.MaxResourceManifestNum, vo.AllowInsecure)
imageManifestFetcher := manifestFetcher.(*k8smanifest.ImageManifestFetcher)
var yamlsInImage [][]byte
if yamlsInImage, err = imageManifestFetcher.FetchAll(); err == nil {
Expand All @@ -244,6 +246,9 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
if provResRef != "" {
vo.ProvenanceResourceRef = validateConfigMapRef(provResRef)
}
if allowInsecure {
vo.AllowInsecure = true
}
vo.Certificate = certRef
vo.CertificateChain = certChain
vo.RekorURL = rekorURL
Expand All @@ -260,7 +265,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
img := imagesToBeused[i]
// manifest fetch functions
if img.imageType == k8smanifest.ArtifactManifestImage {
manifestFetcher := k8smanifest.NewManifestFetcher(img.ResourceBundleRef, "", vo.AnnotationConfig, nil, 0)
manifestFetcher := k8smanifest.NewManifestFetcher(img.ResourceBundleRef, "", vo.AnnotationConfig, nil, 0, vo.AllowInsecure)
if fetcher, ok := manifestFetcher.(*k8smanifest.ImageManifestFetcher); ok {
prepareFuncs = append(prepareFuncs, reflect.ValueOf(fetcher.FetchAll))
}
Expand Down Expand Up @@ -288,7 +293,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe

if vo.Provenance {
// provenance functions
provGetter := k8smanifest.NewProvenanceGetter(nil, img.ResourceBundleRef, img.Digest, "")
provGetter := k8smanifest.NewProvenanceGetter(nil, img.ResourceBundleRef, img.Digest, "", allowInsecure)
if getter, ok := provGetter.(*k8smanifest.ImageProvenanceGetter); ok {
prepareFuncs = append(prepareFuncs, reflect.ValueOf(getter.Get))
}
Expand Down
4 changes: 2 additions & 2 deletions cmd/kubectl-sigstore/cli/verify_resource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,7 @@ var _ = Describe("Test Kubeutil Sigstore Functions", func() {
return err
}

verified, err := verifyResource(nil, []string{"cm", "sample-cm"}, "", "", "", "", "", "", false, false, "", "", "", "", "", "", 4)
verified, err := verifyResource(nil, []string{"cm", "sample-cm"}, "", "", "", "", "", "", false, false, false, "", "", "", "", "", "", 4)
if err != nil {
return err
}
Expand All @@ -227,7 +227,7 @@ var _ = Describe("Test Kubeutil Sigstore Functions", func() {
}

pubkeyPath := filepath.Join(testTempDir, "testpub")
verified, err := verifyResource(nil, []string{"cm", "sample-cm-signed"}, "", "", pubkeyPath, "", "", "", false, false, "", "", "", "", "", "json", 4)
verified, err := verifyResource(nil, []string{"cm", "sample-cm-signed"}, "", "", pubkeyPath, "", "", "", false, false, false, "", "", "", "", "", "json", 4)
if err != nil {
return err
}
Expand Down
55 changes: 53 additions & 2 deletions docs/LATEST_RELEASE.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,56 @@

# What's new in v0.4.1

In this release, we updated cosign version to v1.12.1 and added some CLI options as well as cosign.

## Add `--allow-insecure-registry` for sign/verify commands

Using cosign v1.12.0 and later, an insecure container registry must be accessed intentionally with `--allow-insecure-registry` option.

We have added the same CLi option to sign/verify command in this project too.

(Note: If you use images on ghcr.io, basically need to specify this option.)

## Add `--force` for sign command

Now cosign has `--force` option for sign command, and we have added it to this project too.

If you want to skip some validations/checks using interactive CLI input while cosign signing, this option works for it.

It is also used when the signing steps are automated and when you cannot input anything while the signing.

---

# Backlog

---

What's new in v0.4.0

In this release, a new signing method is added to `kubectl sigstore sign` command. It is not a default signing option yet, but we are planning the method will be default on the release v0.5.0 and later. The detail is described below.

## Add a new signing method and the original signing method will be non-default soon

The original signing method (`--tarball=yes`) creates a tarball of YAML files before signing.

However, this may cause verification error when multiple signatures are provided.

So we have added a new signing method (`--tarball=no`) that can solve this issue.

The original method is still the default option now, but the new one will be default on v0.5.0 and later.

## Support multiple signatures both for signing & verification

A new signing option `--append-signature` (or `-A`) has been added for users to generate a signed YAML manifest that have multiple signatures.

Users don't need to manually add them anymore.

## Update cosign version to v1.10.1

We updated the version of cosign on which k8s-manifest-sigstore depends, and added some new command options to be consistent with cosign

---

# What's new in v0.3.0

In this release, we mainly updated verification functions so that users can easily & flexibly use `k8s-manifest-sigstore`.
Expand Down Expand Up @@ -76,9 +129,7 @@ The following 2 options are added as verify-resource options to enable flexible
The dependency version of cosign is updated to v1.8.0.
---
# Backlog
---
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ require (
github.com/spf13/cobra v1.5.0
github.com/tektoncd/chains v0.3.0
github.com/theupdateframework/go-tuf v0.5.0
github.com/transparency-dev/merkle v0.0.1
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.23.5
Expand Down Expand Up @@ -234,7 +235,6 @@ require (
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tjfoc/gmsm v1.3.2 // indirect
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
github.com/transparency-dev/merkle v0.0.1 // indirect
github.com/urfave/cli v1.22.7 // indirect
github.com/vbatts/tar-split v0.11.2 // indirect
github.com/xanzy/go-gitlab v0.73.1 // indirect
Expand Down
Loading

0 comments on commit d812952

Please sign in to comment.