bump cosign version to v1.10.1 (add --no-tlog-upload option to sign c…

…md) (#90) Signed-off-by: Hirokuni-Kitahara1 <[email protected]>
sigstore · Aug 10, 2022 · 14f7cab · 14f7cab
1 parent f8596c1
commit 14f7cab
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 81 deletions.
diff --git a/cmd/kubectl-sigstore/cli/sign.go b/cmd/kubectl-sigstore/cli/sign.go
@@ -43,6 +43,7 @@ func NewCmdSign() *cobra.Command {
 	var tarballOpt string
 	var imageAnnotations []string
 	var rekorURL string
+	var noTlogUpload bool
 	cmd := &cobra.Command{
 		Use:   "sign -f FILENAME [-i IMAGE]",
 		Short: "A command to sign Kubernetes YAML manifests",
@@ -53,7 +54,7 @@ func NewCmdSign() *cobra.Command {
 
 			makeTarball := (tarballOpt == "yes")
 
-			err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, imageAnnotations)
+			err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, noTlogUpload, imageAnnotations)
 			if err != nil {
 				log.Fatalf("error occurred during signing: %s", err.Error())
 				return nil
@@ -73,11 +74,12 @@ func NewCmdSign() *cobra.Command {
 	cmd.PersistentFlags().StringVar(&tarballOpt, "tarball", "yes", "whether to make a tarball for signing (this will be default to \"no\" in v0.5.0+)")
 	cmd.PersistentFlags().StringArrayVarP(&imageAnnotations, "annotation", "a", []string{}, "extra key=value pairs to sign")
 	cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
+	cmd.PersistentFlags().BoolVar(&noTlogUpload, "no-tlog-upload", false, "whether to not upload the transparency log")
 
 	return cmd
 }
 
-func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball bool, annotations []string) error {
+func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball, noTlogUpload bool, annotations []string) error {
 	if output == "" && updateAnnotation {
 		if isDir, _ := k8smnfutil.IsDir(inputDir); isDir {
 			// e.g.) "./yamls/" --> "./yamls/manifest.yaml.signed"
@@ -109,6 +111,9 @@ func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignat
 	if rekorURL != "" {
 		so.RekorURL = rekorURL
 	}
+	if noTlogUpload {
+		so.NoTlogUpload = true
+	}
 
 	if applySignatureConfigMap && strings.HasPrefix(output, kubeutil.InClusterObjectPrefix) {
 		so.ApplySigConfigMap = true

diff --git a/cmd/kubectl-sigstore/cli/sign_test.go b/cmd/kubectl-sigstore/cli/sign_test.go
@@ -50,7 +50,7 @@ func TestSign(t *testing.T) {
 
 	fpath := "testdata/sample-configmap.yaml"
 	outPath := filepath.Join(tmpDir, "sample-configmap.yaml.signed")
-	err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, nil)
+	err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, false, nil)
 	if err != nil {
 		t.Errorf("failed to sign the test file: %s", err.Error())
 		return
@@ -64,7 +64,7 @@ func TestSign(t *testing.T) {
 
 	fpath2 := "testdata/sample-configmap-concat.yaml"
 	outPath2 := filepath.Join(tmpDir, "sample-configmap-concat.yaml.signed")
-	err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, nil)
+	err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, false, nil)
 	if err != nil {
 		t.Errorf("failed to sign the test file: %s", err.Error())
 		return

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/djherbis/times v1.5.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-openapi/runtime v0.24.1
-	github.com/google/go-containerregistry v0.10.0
+	github.com/google/go-containerregistry v0.11.0
 	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
 	github.com/jinzhu/copier v0.3.2
 	github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852
@@ -18,11 +18,11 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/r3labs/diff v1.1.0
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
-	github.com/sigstore/cosign v1.10.0
+	github.com/sigstore/cosign v1.10.1
 	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
 	github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
 	github.com/sigstore/sigstore v1.2.1-0.20220614141825-9c0e2e247545
-	github.com/sirupsen/logrus v1.8.1
+	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/afero v1.8.2
 	github.com/spf13/cobra v1.5.0
 	github.com/tektoncd/chains v0.3.0

diff --git a/go.sum b/go.sum
diff --git a/pkg/cosign/sign.go b/pkg/cosign/sign.go
@@ -51,7 +51,7 @@ const (
 	defaultKeylessTlogUploadTimeout = 90 // set to 90s for keyless as cosign recommends it in the help message
 )
 
-func SignImage(resBundleRef string, keyPath, certPath *string, rekorURL string, pf cosign.PassFunc, imageAnnotations map[string]interface{}) error {
+func SignImage(resBundleRef string, keyPath, certPath *string, rekorURL string, noTlogUpload bool, pf cosign.PassFunc, imageAnnotations map[string]interface{}) error {
 	// TODO: add support for sk (security key) and idToken (identity token for cert from fulcio)
 	sk := false
 	idToken := ""
@@ -93,10 +93,10 @@ func SignImage(resBundleRef string, keyPath, certPath *string, rekorURL string,
 	outputSignaturePath := ""
 	outputCertificatePath := ""
 
-	return clisign.SignCmd(rootOpt, opt, regOpt, imageAnnotations, []string{resBundleRef}, certPathStr, "", true, outputSignaturePath, outputCertificatePath, "", false, false, "")
+	return clisign.SignCmd(rootOpt, opt, regOpt, imageAnnotations, []string{resBundleRef}, certPathStr, "", true, outputSignaturePath, outputCertificatePath, "", false, false, "", noTlogUpload)
 }
 
-func SignBlob(blobPath string, keyPath, certPath *string, rekorURL string, pf cosign.PassFunc) (map[string][]byte, error) {
+func SignBlob(blobPath string, keyPath, certPath *string, rekorURL string, noTlogUpload bool, pf cosign.PassFunc) (map[string][]byte, error) {
 	// TODO: add support for sk (security key) and idToken (identity token for cert from fulcio)
 	sk := false
 	idToken := ""
@@ -167,7 +167,7 @@ func SignBlob(blobPath string, keyPath, certPath *string, rekorURL string, pf co
 	b64Sig := []byte(base64.StdEncoding.EncodeToString(rawSig))
 	m["signature"] = b64Sig
 
-	uploadTlog := cliopt.EnableExperimental()
+	uploadTlog := cliopt.EnableExperimental() && !noTlogUpload
 
 	var rawCert []byte
 	var rawBundle []byte

diff --git a/pkg/cosign/sign_test.go b/pkg/cosign/sign_test.go
@@ -60,7 +60,7 @@ func TestSignBlob(t *testing.T) {
 	blobPath := files["blob"].fpath
 	keyPath := files["key"].fpath
 
-	sigMap, err := SignBlob(blobPath, &keyPath, nil, "", passFuncForTest)
+	sigMap, err := SignBlob(blobPath, &keyPath, nil, "", false, passFuncForTest)
 	if err != nil {
 		t.Errorf("failed to load test files: %s", err.Error())
 		return

diff --git a/pkg/k8smanifest/option.go b/pkg/k8smanifest/option.go
@@ -131,7 +131,8 @@ type commonOption struct {
 
 // cosign sign option
 type cosignSignOption struct {
-	RekorURL string `json:"-"`
+	RekorURL     string `json:"-"`
+	NoTlogUpload bool   `json:"-"`
 }
 
 // cosign verify option

diff --git a/pkg/k8smanifest/sign.go b/pkg/k8smanifest/sign.go
@@ -76,7 +76,8 @@ func Sign(inputDir string, so *SignOption) ([]byte, error) {
 	}
 
 	cosignSignConfig := CosignSignConfig{
-		RekorURL: so.RekorURL,
+		RekorURL:     so.RekorURL,
+		NoTlogUpload: so.NoTlogUpload,
 	}
 
 	signedBytes, err := NewSigner(so.ResourceBundleRef, so.KeyPath, so.CertPath, output, so.AppendSignature, so.ApplySigConfigMap, makeTarball, cosignSignConfig, so.AnnotationConfig, so.PassFunc).Sign(inputDir, output, so.ImageAnnotations)
@@ -92,7 +93,8 @@ type Signer interface {
 }
 
 type CosignSignConfig struct {
-	RekorURL string
+	RekorURL     string
+	NoTlogUpload bool
 }
 
 func NewSigner(resBundleRef, keyPath, certPath, output string, appendSig, doApply, tarball bool, cosignSignConfig CosignSignConfig, AnnotationConfig AnnotationConfig, pf cosign.PassFunc) Signer {
@@ -170,7 +172,7 @@ func (s *ImageSigner) Sign(inputDir, output string, imageAnnotations map[string]
 		return nil, errors.Wrap(err, "failed to upload image with manifest")
 	}
 	// sign the image
-	err = k8scosign.SignImage(s.resBundleRef, s.prikeyPath, s.certPath, s.RekorURL, s.passFunc, imageAnnotations)
+	err = k8scosign.SignImage(s.resBundleRef, s.prikeyPath, s.certPath, s.RekorURL, s.NoTlogUpload, s.passFunc, imageAnnotations)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to sign image")
 	}
@@ -233,7 +235,7 @@ func (s *BlobSigner) Sign(inputDir, output string, imageAnnotations map[string]i
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create a temporary blob file")
 	}
-	sigMaps, err = k8scosign.SignBlob(tmpBlobFile, s.prikeyPath, s.certPath, s.RekorURL, s.passFunc)
+	sigMaps, err = k8scosign.SignBlob(tmpBlobFile, s.prikeyPath, s.certPath, s.RekorURL, s.NoTlogUpload, s.passFunc)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to sign a blob file")
 	}