bump cosign to v1.12.1 for releasing v0.4.1 (#93)

* add some cli options that were added in cosign v1.12.1

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update release doc

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

cmd/kubectl-sigstore/cli/sign.go

@@ -41,6 +41,8 @@ func NewCmdSign() *cobra.Command {
 	var applySignatureConfigMap bool
 	var updateAnnotation bool
 	var tarballOpt string
+	var allowInsecure bool
+	var force bool
 	var imageAnnotations []string
 	var rekorURL string
 	var noTlogUpload bool
@@ -54,7 +56,7 @@ func NewCmdSign() *cobra.Command {
 
 			makeTarball := (tarballOpt == "yes")
 
-			err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, noTlogUpload, imageAnnotations)
+			err := sign(inputDir, resBundleRef, keyPath, rekorURL, output, appendSignature, applySignatureConfigMap, updateAnnotation, makeTarball, allowInsecure, force, noTlogUpload, imageAnnotations)
 			if err != nil {
 				log.Fatalf("error occurred during signing: %s", err.Error())
 				return nil
@@ -72,14 +74,18 @@ func NewCmdSign() *cobra.Command {
 	cmd.PersistentFlags().BoolVar(&applySignatureConfigMap, "apply-signature-configmap", false, "whether to apply a generated signature configmap only when \"output\" is k8s configmap")
 	cmd.PersistentFlags().BoolVar(&updateAnnotation, "annotation-metadata", true, "whether to update annotation and generate signed yaml file")
 	cmd.PersistentFlags().StringVar(&tarballOpt, "tarball", "yes", "whether to make a tarball for signing (this will be default to \"no\" in v0.5.0+)")
+
+	// cosign cli options
+	cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
+	cmd.PersistentFlags().BoolVar(&force, "force", false, "skip warnings and confirmations")
 	cmd.PersistentFlags().StringArrayVarP(&imageAnnotations, "annotation", "a", []string{}, "extra key=value pairs to sign")
 	cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
 	cmd.PersistentFlags().BoolVar(&noTlogUpload, "no-tlog-upload", false, "whether to not upload the transparency log")
 
 	return cmd
 }
 
-func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball, noTlogUpload bool, annotations []string) error {
+func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignature, applySignatureConfigMap, updateAnnotation, tarball, allowInsecure, noTlogUpload, force bool, annotations []string) error {
 	if output == "" && updateAnnotation {
 		if isDir, _ := k8smnfutil.IsDir(inputDir); isDir {
 			// e.g.) "./yamls/" --> "./yamls/manifest.yaml.signed"
@@ -114,6 +120,12 @@ func sign(inputDir, resBundleRef, keyPath, rekorURL, output string, appendSignat
 	if noTlogUpload {
 		so.NoTlogUpload = true
 	}
+	if allowInsecure {
+		so.AllowInsecure = true
+	}
+	if force {
+		so.Force = true
+	}
 
 	if applySignatureConfigMap && strings.HasPrefix(output, kubeutil.InClusterObjectPrefix) {
 		so.ApplySigConfigMap = true

cmd/kubectl-sigstore/cli/sign_test.go

@@ -50,7 +50,7 @@ func TestSign(t *testing.T) {
 
 	fpath := "testdata/sample-configmap.yaml"
 	outPath := filepath.Join(tmpDir, "sample-configmap.yaml.signed")
-	err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, false, nil)
+	err = sign(fpath, "", keyPath, "", outPath, false, false, true, true, false, false, false, nil)
 	if err != nil {
 		t.Errorf("failed to sign the test file: %s", err.Error())
 		return
@@ -64,7 +64,7 @@ func TestSign(t *testing.T) {
 
 	fpath2 := "testdata/sample-configmap-concat.yaml"
 	outPath2 := filepath.Join(tmpDir, "sample-configmap-concat.yaml.signed")
-	err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, false, nil)
+	err = sign(fpath2, "", keyPath, "", outPath2, false, false, true, true, false, false, false, nil)
 	if err != nil {
 		t.Errorf("failed to sign the test file: %s", err.Error())
 		return

cmd/kubectl-sigstore/cli/verify.go

@@ -39,12 +39,13 @@ func NewCmdVerify() *cobra.Command {
 	var certChain string
 	var rekorURL string
 	var oidcIssuer string
+	var allowInsecure bool
 	cmd := &cobra.Command{
 		Use:   "verify -f FILENAME [-i IMAGE]",
 		Short: "A command to verify Kubernetes YAML manifests",
 		RunE: func(cmd *cobra.Command, args []string) error {
 
-			err := verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer)
+			err := verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer, allowInsecure)
 			if err != nil {
 				return err
 			}
@@ -62,11 +63,12 @@ func NewCmdVerify() *cobra.Command {
 	cmd.PersistentFlags().StringVar(&certChain, "certificate-chain", "", "path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate")
 	cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
 	cmd.PersistentFlags().StringVar(&oidcIssuer, "oidc-issuer", "", "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
+	cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
 
 	return cmd
 }
 
-func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer string) error {
+func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rekorURL, oidcIssuer string, allowInsecure bool) error {
 	manifest, err := os.ReadFile(filename)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err.Error())
@@ -98,6 +100,9 @@ func verify(filename, resBundleRef, keyPath, configPath, certRef, certChain, rek
 	if keyPath != "" {
 		vo.KeyPath = keyPath
 	}
+	if allowInsecure {
+		vo.AllowInsecure = true
+	}
 	vo.Certificate = certRef
 	vo.CertificateChain = certChain
 	vo.RekorURL = rekorURL

cmd/kubectl-sigstore/cli/verify_resource.go

@@ -105,6 +105,7 @@ func NewCmdVerifyResource() *cobra.Command {
 	var certChain string
 	var rekorURL string
 	var oidcIssuer string
+	var allowInsecure bool
 	cmd := &cobra.Command{
 		Use:   "verify-resource (RESOURCE/NAME | -f FILENAME | -i IMAGE)",
 		Short: "A command to verify Kubernetes manifests of resources on cluster",
@@ -135,7 +136,7 @@ func NewCmdVerifyResource() *cobra.Command {
 				provResRef = manifestBundleResRef
 			}
 
-			allVerified, err := verifyResource(manifestYAMLs, kubeGetArgs, resBundleRef, sigResRef, keyPath, configPath, configField, configType, disableDefaultConfig, provenance, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat, concurrencyNum)
+			allVerified, err := verifyResource(manifestYAMLs, kubeGetArgs, resBundleRef, sigResRef, keyPath, configPath, configField, configType, disableDefaultConfig, provenance, allowInsecure, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat, concurrencyNum)
 			if err != nil {
 				log.Fatalf("error occurred during verify-resource: %s", err.Error())
 			}
@@ -168,12 +169,13 @@ func NewCmdVerifyResource() *cobra.Command {
 	cmd.PersistentFlags().StringVar(&certChain, "certificate-chain", "", "path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate")
 	cmd.PersistentFlags().StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "URL of rekor STL server (default \"https://rekor.sigstore.dev\")")
 	cmd.PersistentFlags().StringVar(&oidcIssuer, "oidc-issuer", "", "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
+	cmd.PersistentFlags().BoolVar(&allowInsecure, "allow-insecure-registry", false, "whether to allow insecure connections to registries. Don't use this for anything but testing")
 
 	KOptions.ConfigFlags.AddFlags(cmd.PersistentFlags())
 	return cmd
 }
 
-func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRef, keyPath, configPath, configField, configType string, disableDefaultConfig, provenance bool, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat string, concurrencyNum int64) (bool, error) {
+func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRef, keyPath, configPath, configField, configType string, disableDefaultConfig, provenance, allowInsecure bool, provResRef, certRef, certChain, rekorURL, oidcIssuer, outputFormat string, concurrencyNum int64) (bool, error) {
 	var err error
 	start := time.Now().UTC()
 	if outputFormat != "" {
@@ -218,7 +220,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
 	} else if yamls != nil {
 		objs, err = getObjsFromManifests(yamls, vo.IgnoreFields)
 	} else if resBundleRef != "" {
-		manifestFetcher := k8smanifest.NewManifestFetcher(resBundleRef, "", vo.AnnotationConfig, nil, vo.MaxResourceManifestNum)
+		manifestFetcher := k8smanifest.NewManifestFetcher(resBundleRef, "", vo.AnnotationConfig, nil, vo.MaxResourceManifestNum, vo.AllowInsecure)
 		imageManifestFetcher := manifestFetcher.(*k8smanifest.ImageManifestFetcher)
 		var yamlsInImage [][]byte
 		if yamlsInImage, err = imageManifestFetcher.FetchAll(); err == nil {
@@ -244,6 +246,9 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
 	if provResRef != "" {
 		vo.ProvenanceResourceRef = validateConfigMapRef(provResRef)
 	}
+	if allowInsecure {
+		vo.AllowInsecure = true
+	}
 	vo.Certificate = certRef
 	vo.CertificateChain = certChain
 	vo.RekorURL = rekorURL
@@ -260,7 +265,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
 		img := imagesToBeused[i]
 		// manifest fetch functions
 		if img.imageType == k8smanifest.ArtifactManifestImage {
-			manifestFetcher := k8smanifest.NewManifestFetcher(img.ResourceBundleRef, "", vo.AnnotationConfig, nil, 0)
+			manifestFetcher := k8smanifest.NewManifestFetcher(img.ResourceBundleRef, "", vo.AnnotationConfig, nil, 0, vo.AllowInsecure)
 			if fetcher, ok := manifestFetcher.(*k8smanifest.ImageManifestFetcher); ok {
 				prepareFuncs = append(prepareFuncs, reflect.ValueOf(fetcher.FetchAll))
 			}
@@ -288,7 +293,7 @@ func verifyResource(yamls [][]byte, kubeGetArgs []string, resBundleRef, sigResRe
 
 		if vo.Provenance {
 			// provenance functions
-			provGetter := k8smanifest.NewProvenanceGetter(nil, img.ResourceBundleRef, img.Digest, "")
+			provGetter := k8smanifest.NewProvenanceGetter(nil, img.ResourceBundleRef, img.Digest, "", allowInsecure)
 			if getter, ok := provGetter.(*k8smanifest.ImageProvenanceGetter); ok {
 				prepareFuncs = append(prepareFuncs, reflect.ValueOf(getter.Get))
 			}

cmd/kubectl-sigstore/cli/verify_resource_test.go

@@ -207,7 +207,7 @@ var _ = Describe("Test Kubeutil Sigstore Functions", func() {
 				return err
 			}
 
-			verified, err := verifyResource(nil, []string{"cm", "sample-cm"}, "", "", "", "", "", "", false, false, "", "", "", "", "", "", 4)
+			verified, err := verifyResource(nil, []string{"cm", "sample-cm"}, "", "", "", "", "", "", false, false, false, "", "", "", "", "", "", 4)
 			if err != nil {
 				return err
 			}
@@ -227,7 +227,7 @@ var _ = Describe("Test Kubeutil Sigstore Functions", func() {
 			}
 
 			pubkeyPath := filepath.Join(testTempDir, "testpub")
-			verified, err := verifyResource(nil, []string{"cm", "sample-cm-signed"}, "", "", pubkeyPath, "", "", "", false, false, "", "", "", "", "", "json", 4)
+			verified, err := verifyResource(nil, []string{"cm", "sample-cm-signed"}, "", "", pubkeyPath, "", "", "", false, false, false, "", "", "", "", "", "json", 4)
 			if err != nil {
 				return err
 			}

docs/LATEST_RELEASE.md

@@ -1,3 +1,56 @@
+
+# What's new in v0.4.1
+
+In this release, we updated cosign version to v1.12.1 and added some CLI options as well as cosign.
+
+## Add `--allow-insecure-registry` for sign/verify commands
+
+Using cosign v1.12.0 and later, an insecure container registry must be accessed intentionally with `--allow-insecure-registry` option.
+
+We have added the same CLi option to sign/verify command in this project too.
+
+(Note: If you use images on ghcr.io, basically need to specify this option.)
+
+## Add `--force` for sign command
+
+Now cosign has `--force` option for sign command, and we have added it to this project too.
+
+If you want to skip some validations/checks using interactive CLI input while cosign signing, this option works for it.
+
+It is also used when the signing steps are automated and when you cannot input anything while the signing.
+
+---
+
+# Backlog 
+
+---
+
+What's new in v0.4.0
+
+In this release, a new signing method is added to `kubectl sigstore sign` command. It is not a default signing option yet, but we are planning the method will be default on the release v0.5.0 and later. The detail is described below.
+
+## Add a new signing method and the original signing method will be non-default soon
+
+The original signing method (`--tarball=yes`) creates a tarball of YAML files before signing.
+
+However, this may cause verification error when multiple signatures are provided.
+
+So we have added a new signing method (`--tarball=no`) that can solve this issue.
+
+The original method is still the default option now, but the new one will be default on v0.5.0 and later.
+
+## Support multiple signatures both for signing & verification
+
+A new signing option `--append-signature` (or `-A`) has been added for users to generate a signed YAML manifest that have multiple signatures.
+
+Users don't need to manually add them anymore.
+
+## Update cosign version to v1.10.1
+
+We updated the version of cosign on which k8s-manifest-sigstore depends, and added some new command options to be consistent with cosign
+
+---
+
 # What's new in v0.3.0
 
 In this release, we mainly updated verification functions so that users can easily & flexibly use `k8s-manifest-sigstore`.
@@ -76,9 +129,7 @@ The following 2 options are added as verify-resource options to enable flexible
 
 The dependency version of cosign is updated to v1.8.0.
 
----
 
-# Backlog 
 
 ---
 

go.mod

@@ -27,6 +27,7 @@ require (
 	github.com/spf13/cobra v1.5.0
 	github.com/tektoncd/chains v0.3.0
 	github.com/theupdateframework/go-tuf v0.5.0
+	github.com/transparency-dev/merkle v0.0.1
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.23.5
@@ -234,7 +235,6 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
-	github.com/transparency-dev/merkle v0.0.1 // indirect
 	github.com/urfave/cli v1.22.7 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/go-gitlab v0.73.1 // indirect