Add sign --docker-reference CLI
The `--docker-reference` flag allows setting the
`critical.identity.docker-reference` field in the signature to a
different container image reference. This is particularly useful when
using proxy mirrors like `registry.k8s.io`, where end users cannot
know or rely on the underlying registry. This change allows
signing images using the mirror/proxy identifier, while validation can
then happen without requiring any additional remapping.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert committed May 16, 2023
1 parent 95ae338 commit 8f3c197
Showing 5 changed files with 10 additions and 3 deletions.
4 changes: 4 additions & 0 deletions cmd/cosign/cli/options/sign.go
Expand Up @@ -36,6 +36,7 @@ type SignOptions struct {
TlogUpload bool
TSAServerURL string
IssueCertificate bool
DockerReference string

Rekor RekorOptions
Fulcio FulcioOptions
Expand Down Expand Up @@ -108,4 +109,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {

cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false,
"issue a code signing certificate from Fulcio, even if a key is provided")

cmd.Flags().StringVar(&o.DockerReference, "docker-reference", "",
"override the docker-reference for the identity, useful when image proxies are being used")
}
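Review bot: The `--docker-reference` value bound on L38 is accepted as an arbitrary string and is later written into the signed identity, yet nothing validates that it parses as an image reference, so a typo produces a signature whose `critical.identity.docker-reference` can never match the identity a verifier expects. Consider parsing it in the sign path (ggcr's `name.ParseReference` is already in use for the digest) and rejecting a value carrying a tag or digest, since the identity is presumably meant to be a repository name. The help text should also spell out the trust consequence, e.g. `"override the docker-reference in the signed identity (critical.identity.docker-reference); set it to the mirror/proxy name that verifiers will check, as the signature will no longer name the registry the digest was resolved from"`. Both the SignOptions struct and AddFlags begin outside the hunk.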
2 changes: 1 addition & 1 deletion cmd/cosign/cli/sign/sign.go
Expand Up @@ -223,7 +223,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
payload, err = (&sigPayload.Cosign{
Image: digest,
Annotations: annotations,
}).MarshalJSON()
}).MarshalJSONForDockerReference(signOpts.DockerReference)
if err != nil {
return fmt.Errorf("payload: %w", err)
}
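Review bot: The call on L48 passes `signOpts.DockerReference` unconditionally, so the output for the flag's `""` default now depends on how the replacement `MarshalJSONForDockerReference` handles an empty string — behaviour that is not visible here and lives in a forked dependency. Branching explicitly keeps the default path on the original `MarshalJSON()` regardless of what the library does, and gives the override a why-comment, since replacing the identity detaches the signature's claimed name from the repository the digest came from. If the library is confirmed to fall back correctly, at minimum document it at the call site: `// An empty DockerReference keeps the digest's repository as identity, matching MarshalJSON().` signDigest begins and ends outside the hunk.

```go
	cosignPayload := &sigPayload.Cosign{
		Image:       digest,
		Annotations: annotations,
	}
	// An explicit --docker-reference replaces the signed identity (e.g. a
	// proxy/mirror name); otherwise emit the unchanged MarshalJSON() payload so
	// default signatures are byte-identical to previous releases.
	if signOpts.DockerReference != "" {
		payload, err = cosignPayload.MarshalJSONForDockerReference(signOpts.DockerReference)
	} else {
		payload, err = cosignPayload.MarshalJSON()
	}
	// … unchanged: error handling …
```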
1 change: 1 addition & 0 deletions doc/cosign_sign.md


2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -53,6 +53,8 @@ require (
sigs.k8s.io/release-utils v0.7.3
)

replace github.com/sigstore/sigstore => github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d

require (
cloud.google.com/go/compute v1.19.1 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
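Review bot: The `replace` added on L63 redirects `github.com/sigstore/sigstore` to a personal fork at an untagged pseudo-version, so the signature-format dependency of a signing tool now resolves to code outside the sigstore organisation's review and release process. Go `replace` directives also apply only to the main module, so anyone importing cosign as a library will still resolve upstream `sigstore v1.6.4`, where `MarshalJSONForDockerReference` presumably does not exist, and fail to build. The change should land upstream first and this line become a plain version bump; if it must ship as-is, annotate it `// TODO: temporary until the docker-reference change is released upstream; remove this replace` so it is not forgotten. The module's `require` blocks extend beyond the hunk.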
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -779,6 +779,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d h1:c9m4wDwdtKu7iEhGKVHLtg9bTejMCS56NEFitAVHjxo=
github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d/go.mod h1:pjR64lBxnjoSrAr+Ydye/FV73IfrgtoYlAI11a8xMfA=
github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=
github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
Expand All @@ -793,8 +795,6 @@ github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y
github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU=
github.com/sigstore/rekor v1.1.1 h1:JCeSss+qUHnCATmwAZh4zT9k0Frdyq0BjmRwewSfEy4=
github.com/sigstore/rekor v1.1.1/go.mod h1:x/xK+HK08MiuJv+v4OxY/Oo3bhuz1DtJXNJrV7hrzvs=
github.com/sigstore/sigstore v1.6.4 h1:jH4AzR7qlEH/EWzm+opSpxCfuUcjHL+LJPuQE7h40WE=
github.com/sigstore/sigstore v1.6.4/go.mod h1:pjR64lBxnjoSrAr+Ydye/FV73IfrgtoYlAI11a8xMfA=
github.com/sigstore/timestamp-authority v1.1.1 h1:EldrdeBED0edNzDMvYZDf5CyWgtSchtR9DKYyksNR8M=
github.com/sigstore/timestamp-authority v1.1.1/go.mod h1:cEDLEHl/L3ppqKDaiZ3Cg4ikcaYleuq90I/BFNePzF0=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
