Add signing-config create command (#4280)

This introduces a new command `cosign signing-config create` to generate
a SigningConfig message. This will first be used by our testing
infrastructure to create a SigningConfig, and then by users adopting the
bundle format in Cosign v2 and eventually as a requirement for v3 when
signing with private deployments.

Signed-off-by: Hayden B <[email protected]>

Author: haydentherapper

.golangci.yml

@@ -68,6 +68,16 @@ linters:
           - forbidigo
           - gosec
         path: _test\.go
+      - linters:
+          - staticcheck
+        path: pkg/cosign/tlog.go
+        # NewEntry used for Rekor v1, will update to NewTlogEntry for Rekor v2 support
+        text: SA1019
+      - linters:
+          - staticcheck
+        path: pkg/cosign/verify.go
+        # NewEntry used for Rekor v1, will update to NewTlogEntry for Rekor v2 support
+        text: SA1019
     paths:
       - third_party$
       - builtin$

cmd/cosign/cli/commands.go

@@ -121,6 +121,7 @@ func New() *cobra.Command {
 	cmd.AddCommand(VerifyBlobAttestation())
 	cmd.AddCommand(Triangulate())
 	cmd.AddCommand(TrustedRoot())
+	cmd.AddCommand(SigningConfig())
 	cmd.AddCommand(Env())
 	cmd.AddCommand(version.WithFont("starwars"))
 

cmd/cosign/cli/initialize/init_test.go

@@ -169,7 +169,7 @@ func TestDoInitialize(t *testing.T) {
 			targets:    map[string][]byte{"ctfe.pub": []byte(`-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----`)},
 			root:       "1.root.json",
 			wantStdOut: "ctfe.pub",
-			wantStdErr: "WARNING: Could not fetch trusted_root.json from the TUF mirror (encountered error: getting info for target \"trusted_root.json\": target trusted_root.json not found), falling back to individual targets. It is recommended to update your TUF metadata repository to include trusted_root.json.",
+			wantStdErr: "WARNING: Could not fetch trusted_root.json from the TUF mirror (encountered error: failed to get target from TUF client getting info for target \"trusted_root.json\": target trusted_root.json not found), falling back to individual targets. It is recommended to update your TUF metadata repository to include trusted_root.json.",
 			wantErr:    false,
 			wantFiles:  []string{filepath.Join("targets", "ctfe.pub")},
 			expectV2:   false,

cmd/cosign/cli/options/signingconfig.go

@@ -0,0 +1,49 @@
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+import (
+	"github.com/spf13/cobra"
+)
+
+type SigningConfigCreateOptions struct {
+	Fulcio       []string
+	Rekor        []string
+	OIDCProvider []string
+	TSA          []string
+	TSAConfig    string
+	RekorConfig  string
+	Out          string
+}
+
+var _ Interface = (*SigningConfigCreateOptions)(nil)
+
+func (o *SigningConfigCreateOptions) AddFlags(cmd *cobra.Command) {
+	cmd.Flags().StringArrayVar(&o.Fulcio, "fulcio", nil,
+		"fulcio service specification, as a comma-separated key-value list.\nRequired keys: url, api-version (integer), start-time, operator. Optional keys: end-time.")
+	cmd.Flags().StringArrayVar(&o.Rekor, "rekor", nil,
+		"rekor service specification, as a comma-separated key-value list.\nRequired keys: url, api-version (integer), start-time, operator. Optional keys: end-time.")
+	cmd.Flags().StringArrayVar(&o.OIDCProvider, "oidc-provider", nil,
+		"oidc provider specification, as a comma-separated key-value list.\nRequired keys: url, api-version (integer), start-time, operator. Optional keys: end-time.")
+	cmd.Flags().StringArrayVar(&o.TSA, "tsa", nil,
+		"timestamping authority specification, as a comma-separated key-value list.\nRequired keys: url, api-version (integer), start-time, operator. Optional keys: end-time.")
+
+	cmd.Flags().StringVar(&o.TSAConfig, "tsa-config", "",
+		"timestamping authority configuration. Required if --tsa is provided. One of: ANY, ALL, EXACT:<count>")
+	cmd.Flags().StringVar(&o.RekorConfig, "rekor-config", "",
+		"rekor configuration. Required if --rekor is provided. One of: ANY, ALL, EXACT:<count>")
+
+	cmd.Flags().StringVar(&o.Out, "out", "", "path to output signing config")
+}

cmd/cosign/cli/signingconfig.go

@@ -0,0 +1,73 @@
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"context"
+
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/signingconfig"
+	"github.com/spf13/cobra"
+)
+
+func SigningConfig() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "signing-config",
+		Short: "Interact with a Sigstore protobuf signing config",
+		Long:  "Tool for interacting with a Sigstore protobuf signing config",
+	}
+
+	cmd.AddCommand(signingConfigCreate())
+
+	return cmd
+}
+
+func signingConfigCreate() *cobra.Command {
+	o := &options.SigningConfigCreateOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "create",
+		Short: "Create a Sigstore protobuf signing config",
+		Long: `Create a Sigstore protobuf signing config by supplying verification material for Fulcio, Rekor, OIDC, and TSA services.
+Each service is specified via a repeatable flag (--fulcio, --rekor, --oidc-provider, --tsa) that takes a comma-separated list of key-value pairs.`,
+		Example: `cosign signing-config create \
+    --fulcio="url=https://fulcio.sigstore.dev,api-version=1,start-time=2024-01-01T00:00:00Z,end-time=2025-01-01T00:00:00Z,operator=sigstore.dev" \
+    --rekor="url=https://rekor.sigstore.dev,api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \
+    --rekor-config="ANY" \
+    --oidc-provider="url=https://oauth2.sigstore.dev/auth,api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \
+    --tsa="url=https://timestamp.sigstore.dev/api/v1/timestamp,api-version=1,start-time=2024-01-01T00:00:00Z,operator=sigstore.dev" \
+    --tsa-config="EXACT:1" \
+    --out signing-config.json`,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			scCreateCmd := &signingconfig.CreateCmd{
+				FulcioSpecs:       o.Fulcio,
+				RekorSpecs:        o.Rekor,
+				OIDCProviderSpecs: o.OIDCProvider,
+				TSASpecs:          o.TSA,
+				TSAConfig:         o.TSAConfig,
+				RekorConfig:       o.RekorConfig,
+				Out:               o.Out,
+			}
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), ro.Timeout)
+			defer cancel()
+
+			return scCreateCmd.Exec(ctx)
+		},
+	}
+
+	o.AddFlags(cmd)
+	return cmd
+}

cmd/cosign/cli/signingconfig/signingconfig.go

@@ -0,0 +1,211 @@
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package signingconfig
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	prototrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1"
+	"github.com/sigstore/sigstore-go/pkg/root"
+)
+
+type CreateCmd struct {
+	FulcioSpecs       []string
+	RekorSpecs        []string
+	OIDCProviderSpecs []string
+	TSASpecs          []string
+	TSAConfig         string
+	RekorConfig       string
+	Out               string
+}
+
+func (c *CreateCmd) Exec(_ context.Context) error {
+	if len(c.RekorSpecs) > 0 && c.RekorConfig == "" {
+		return fmt.Errorf("--rekor-config must be provided when --rekor is specified")
+	}
+	if len(c.TSASpecs) > 0 && c.TSAConfig == "" {
+		return fmt.Errorf("--tsa-config must be provided when --tsa is specified")
+	}
+
+	fulcioServices := make([]root.Service, 0, len(c.FulcioSpecs))
+	rekorServices := make([]root.Service, 0, len(c.RekorSpecs))
+	oidcProviders := make([]root.Service, 0, len(c.OIDCProviderSpecs))
+	tsaServices := make([]root.Service, 0, len(c.TSASpecs))
+
+	rekorConfig, err := parseServiceConfig(c.RekorConfig)
+	if err != nil {
+		return fmt.Errorf("parsing rekor-config: %w", err)
+	}
+
+	tsaConfig, err := parseServiceConfig(c.TSAConfig)
+	if err != nil {
+		return fmt.Errorf("parsing tsa-config: %w", err)
+	}
+
+	for _, spec := range c.FulcioSpecs {
+		svc, err := parseService(spec)
+		if err != nil {
+			return fmt.Errorf("parsing fulcio spec: %w", err)
+		}
+		fulcioServices = append(fulcioServices, svc)
+	}
+
+	for _, spec := range c.RekorSpecs {
+		svc, err := parseService(spec)
+		if err != nil {
+			return fmt.Errorf("parsing rekor spec: %w", err)
+		}
+		rekorServices = append(rekorServices, svc)
+	}
+
+	for _, spec := range c.OIDCProviderSpecs {
+		svc, err := parseService(spec)
+		if err != nil {
+			return fmt.Errorf("parsing oidc-provider spec: %w", err)
+		}
+		oidcProviders = append(oidcProviders, svc)
+	}
+
+	for _, spec := range c.TSASpecs {
+		svc, err := parseService(spec)
+		if err != nil {
+			return fmt.Errorf("parsing tsa spec: %w", err)
+		}
+		tsaServices = append(tsaServices, svc)
+	}
+
+	signingConfig, err := root.NewSigningConfig(
+		root.SigningConfigMediaType02,
+		fulcioServices,
+		oidcProviders,
+		rekorServices,
+		rekorConfig,
+		tsaServices,
+		tsaConfig,
+	)
+	if err != nil {
+		return fmt.Errorf("creating signing config: %w", err)
+	}
+
+	scBytes, err := signingConfig.MarshalJSON()
+	if err != nil {
+		return err
+	}
+
+	if c.Out != "" {
+		err = os.WriteFile(c.Out, scBytes, 0600)
+		if err != nil {
+			return err
+		}
+	} else {
+		fmt.Println(string(scBytes))
+	}
+
+	return nil
+}
+
+func parseService(spec string) (root.Service, error) {
+	kvs, err := parseKVs(spec)
+	if err != nil {
+		return root.Service{}, err
+	}
+
+	// Validate required keys
+	requiredKeys := []string{"url", "api-version", "start-time", "operator"}
+	for _, key := range requiredKeys {
+		if val, ok := kvs[key]; !ok || val == "" {
+			return root.Service{}, fmt.Errorf("missing required key '%s' in service spec", key)
+		}
+	}
+
+	apiVersion, err := strconv.ParseUint(kvs["api-version"], 10, 32)
+	if err != nil {
+		return root.Service{}, fmt.Errorf("parsing api-version: %w", err)
+	}
+
+	startTime, err := time.Parse(time.RFC3339, kvs["start-time"])
+	if err != nil {
+		return root.Service{}, fmt.Errorf("parsing start-time: %w", err)
+	}
+
+	svc := root.Service{
+		URL:                 kvs["url"],
+		MajorAPIVersion:     uint32(apiVersion),
+		Operator:            kvs["operator"],
+		ValidityPeriodStart: startTime,
+	}
+
+	if et, ok := kvs["end-time"]; ok && et != "" {
+		endTime, err := time.Parse(time.RFC3339, et)
+		if err != nil {
+			return root.Service{}, fmt.Errorf("parsing end-time: %w", err)
+		}
+		svc.ValidityPeriodEnd = endTime
+	}
+	return svc, nil
+}
+
+func parseKVs(spec string) (map[string]string, error) {
+	kvs := make(map[string]string)
+	pairs := strings.Split(spec, ",")
+	for _, pair := range pairs {
+		parts := strings.SplitN(pair, "=", 2)
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("invalid key-value pair: %s", pair)
+		}
+		kvs[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
+	}
+	return kvs, nil
+}
+
+func parseServiceConfig(config string) (root.ServiceConfiguration, error) {
+	if config == "" {
+		return root.ServiceConfiguration{}, nil
+	}
+	parts := strings.SplitN(config, ":", 2)
+	mode := strings.ToUpper(parts[0])
+	var selector prototrustroot.ServiceSelector
+	switch mode {
+	case "ANY":
+		selector = prototrustroot.ServiceSelector_ANY
+		if len(parts) > 1 {
+			return root.ServiceConfiguration{}, fmt.Errorf("mode %s does not accept a count", mode)
+		}
+		return root.ServiceConfiguration{Selector: selector}, nil
+	case "ALL":
+		selector = prototrustroot.ServiceSelector_ALL
+		if len(parts) > 1 {
+			return root.ServiceConfiguration{}, fmt.Errorf("mode %s does not accept a count", mode)
+		}
+		return root.ServiceConfiguration{Selector: selector}, nil
+	case "EXACT":
+		selector = prototrustroot.ServiceSelector_EXACT
+		if len(parts) != 2 {
+			return root.ServiceConfiguration{}, fmt.Errorf("mode EXACT requires a count, e.g. EXACT:2")
+		}
+		count, err := strconv.ParseUint(parts[1], 10, 32)
+		if err != nil {
+			return root.ServiceConfiguration{}, fmt.Errorf("invalid count for EXACT mode: %w", err)
+		}
+		return root.ServiceConfiguration{Selector: selector, Count: uint32(count)}, nil
+	default:
+		return root.ServiceConfiguration{}, fmt.Errorf("invalid service config mode: %s", mode)
+	}
+}