forked from in-toto/witness
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Checking attestors for duplicates (in-toto#361)
* prevents duplicate attestors * adding tests * modified help for attestations flag --------- Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
- Loading branch information
1 parent
604b6b4
commit 8c7b796
Showing
7 changed files
with
205 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
## witness run | ||
|
||
Runs the provided command and records attestations about the execution | ||
|
||
``` | ||
witness run [cmd] [flags] | ||
``` | ||
|
||
### Options | ||
|
||
``` | ||
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io") | ||
-a, --attestations strings Attestations to record ('product' and 'material' are always recorded) (default [environment,git]) | ||
--attestor-product-exclude-glob string Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation. | ||
--attestor-product-include-glob string Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*") | ||
--enable-archivista Use Archivista to store or retrieve attestations | ||
--hashes strings Hashes selected for digest calculation. Defaults to SHA256 (default [sha256]) | ||
-h, --help help for run | ||
-o, --outfile string File to which to write signed data. Defaults to stdout | ||
--signer-file-cert-path string Path to the file containing the certificate for the private key | ||
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root | ||
-k, --signer-file-key-path string Path to the file containing the private key | ||
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication | ||
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication | ||
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. | ||
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path) | ||
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token) | ||
--signer-fulcio-url string Fulcio address to sign with | ||
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket | ||
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy | ||
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy | ||
--signer-vault-namespace string Vault namespace to use | ||
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki") | ||
--signer-vault-role string Name of the Vault role to generate the certificate for | ||
--signer-vault-token string Token to use to connect to Vault | ||
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided | ||
--signer-vault-url string Base url of the Vault instance to connect to | ||
-s, --step string Name of the step being run | ||
--timestamp-servers strings Timestamp Authority Servers to use when signing envelope | ||
--trace Enable tracing for the command | ||
-d, --workingdir string Directory from which commands will run | ||
``` | ||
|
||
### Options inherited from parent commands | ||
|
||
``` | ||
-c, --config string Path to the witness config file (default ".witness.yaml") | ||
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info") | ||
``` | ||
|
||
### SEE ALSO | ||
|
||
* [witness](witness.md) - Collect and verify attestations about your build environments | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
## witness sign | ||
|
||
Signs a file | ||
|
||
### Synopsis | ||
|
||
Signs a file with the provided key source and outputs the signed file to the specified destination | ||
|
||
``` | ||
witness sign [file] [flags] | ||
``` | ||
|
||
### Options | ||
|
||
``` | ||
-t, --datatype string The URI reference to the type of data being signed. Defaults to the Witness policy type (default "https://witness.testifysec.com/policy/v0.1") | ||
-h, --help help for sign | ||
-f, --infile string Witness policy file to sign | ||
-o, --outfile string File to write signed data. Defaults to stdout | ||
--signer-file-cert-path string Path to the file containing the certificate for the private key | ||
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root | ||
-k, --signer-file-key-path string Path to the file containing the private key | ||
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication | ||
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication | ||
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. | ||
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path) | ||
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token) | ||
--signer-fulcio-url string Fulcio address to sign with | ||
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket | ||
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy | ||
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy | ||
--signer-vault-namespace string Vault namespace to use | ||
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki") | ||
--signer-vault-role string Name of the Vault role to generate the certificate for | ||
--signer-vault-token string Token to use to connect to Vault | ||
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided | ||
--signer-vault-url string Base url of the Vault instance to connect to | ||
--timestamp-servers strings Timestamp Authority Servers to use when signing envelope | ||
``` | ||
|
||
### Options inherited from parent commands | ||
|
||
``` | ||
-c, --config string Path to the witness config file (default ".witness.yaml") | ||
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info") | ||
``` | ||
|
||
### SEE ALSO | ||
|
||
* [witness](witness.md) - Collect and verify attestations about your build environments | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters