From 8f3c19750329dbf75170f7e061c3d704faa13906 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Tue, 16 May 2023 11:57:39 +0200
Subject: [PATCH] Add `sign --docker-reference` CLI

The `--docker-reference` flag allows setting the `critical.identity.docker-reference` field in the signature to a different container image reference. This is particularly useful when using proxy mirrors like `registry.k8s.io`, where end-users have no chance to actually assume the underlying registry. This change allows signing images using the mirror/proxy identifier, while validation can then happen without requiring any additional remapping.

Signed-off-by: Sascha Grunert
---
 cmd/cosign/cli/options/sign.go | 4 ++++
 cmd/cosign/cli/sign/sign.go | 2 +-
 doc/cosign_sign.md | 1 +
 go.mod | 2 ++
 go.sum | 4 ++--
 5 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
index d2cda047c510..f0f1502c4974 100644
--- a/cmd/cosign/cli/options/sign.go
+++ b/cmd/cosign/cli/options/sign.go
@@ -36,6 +36,7 @@ type SignOptions struct {
 TlogUpload bool
 TSAServerURL string
 IssueCertificate bool
+ DockerReference string
 
 Rekor RekorOptions
 Fulcio FulcioOptions
@@ -108,4 +109,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 
 cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false,
 "issue a code signing certificate from Fulcio, even if a key is provided")
+
+ cmd.Flags().StringVar(&o.DockerReference, "docker-reference", "",
+ "override the docker-reference for the identity, useful when image proxies are being used")
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index a09bc339e7a4..ccc79ffc9e57 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
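Review bot: The new `--docker-reference` flag registered in AddFlags accepts any string and nothing in this hunk checks that the value parses as an image reference, so a typo is bound into `critical.identity.docker-reference` at signing time and only shows up later as a verification failure; validating it where the other sign options are checked (for example with go-containerregistry's `name.ParseReference`, if that package is already reachable from the options package) would fail fast. The help text should also state the consequence for verifiers, because the signature identity will no longer match the reference that was actually signed: `"override the docker-reference in the signature identity (critical.identity.docker-reference); verification must then target this reference instead of the one being signed"`. The empty default presumably keeps the current behaviour, but that is decided by the payload helper in sign.go, not here. The same field is added to SignOptions in the first hunk of this file without a comment; `// DockerReference overrides critical.identity.docker-reference in the signed payload when set.` would document the contract where callers read it.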
@@ -223,7 +223,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 payload, err = (&sigPayload.Cosign{
 Image: digest,
 Annotations: annotations,
- }).MarshalJSON()
+ }).MarshalJSONForDockerReference(signOpts.DockerReference)
 if err != nil {
 return fmt.Errorf("payload: %w", err)
 }
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 655f3ae49d29..71764bf74c8e 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -73,6 +73,7 @@ cosign sign [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
 --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
+ --docker-reference string override the docker-reference for the identity, useful when image proxies are being used
 --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for sign
 --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
diff --git a/go.mod b/go.mod
index dd1f8ed8841c..168ae0aca661 100644
--- a/go.mod
+++ b/go.mod
@@ -53,6 +53,8 @@ require (
 sigs.k8s.io/release-utils v0.7.3
 )
 
+replace github.com/sigstore/sigstore => github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d
+
 require (
 cloud.google.com/go/compute v1.19.1 // indirect
 cloud.google.com/go/compute/metadata v0.2.3 // indirect
diff --git a/go.sum b/go.sum
index 0bae4bbcf57c..182ba6dff3af 100644
--- a/go.sum
+++ b/go.sum
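Review bot: `MarshalJSONForDockerReference` is not part of the sigstore/sigstore release the repository pinned before this change (v1.6.4 per the go.sum hunk); the call only resolves because go.mod now redirects that module to a personal fork, so this line should not be merged until the method ships in an upstream sigstore release the go.mod can `require` directly. Whether an empty `signOpts.DockerReference` reproduces the old `MarshalJSON()` identity is decided inside that method and is not visible in this hunk, so a short comment at the call site would save the next reader a trip into the dependency: `// --docker-reference overrides critical.identity.docker-reference; an empty value is expected to keep the previous MarshalJSON identity — confirm against the sigstore implementation`. The enclosing signDigest starts and ends outside the hunk.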
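Review bot: The added `replace github.com/sigstore/sigstore => github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d` swaps a core signing dependency for a personal fork at an untagged pseudo-version, which is a supply-chain change rather than a version bump and should not survive into a release. `replace` directives only apply when cosign is the main module, so any project importing cosign's packages would still resolve upstream sigstore, where the method called in cmd/cosign/cli/sign/sign.go does not exist, and fail to build. Once the upstream change is tagged this should become a plain `require github.com/sigstore/sigstore <released version>`; if the replace is kept while the PR is a draft, marking it `// TODO: drop once sigstore/sigstore <upstream PR id> is released` makes the temporary state explicit.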
@@ -779,6 +779,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d h1:c9m4wDwdtKu7iEhGKVHLtg9bTejMCS56NEFitAVHjxo=
+github.com/saschagrunert/sigstore v0.0.0-20230516095522-16ae0983694d/go.mod h1:pjR64lBxnjoSrAr+Ydye/FV73IfrgtoYlAI11a8xMfA=
 github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=
 github.com/sassoftware/relic v7.2.1+incompatible/go.mod h1:CWfAxv73/iLZ17rbyhIEq3K9hs5w6FpNMdUT//qR+zk=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
@@ -793,8 +795,6 @@ github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y
 github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU=
 github.com/sigstore/rekor v1.1.1 h1:JCeSss+qUHnCATmwAZh4zT9k0Frdyq0BjmRwewSfEy4=
 github.com/sigstore/rekor v1.1.1/go.mod h1:x/xK+HK08MiuJv+v4OxY/Oo3bhuz1DtJXNJrV7hrzvs=
-github.com/sigstore/sigstore v1.6.4 h1:jH4AzR7qlEH/EWzm+opSpxCfuUcjHL+LJPuQE7h40WE=
-github.com/sigstore/sigstore v1.6.4/go.mod h1:pjR64lBxnjoSrAr+Ydye/FV73IfrgtoYlAI11a8xMfA=
 github.com/sigstore/timestamp-authority v1.1.1 h1:EldrdeBED0edNzDMvYZDf5CyWgtSchtR9DKYyksNR8M=
 github.com/sigstore/timestamp-authority v1.1.1/go.mod h1:cEDLEHl/L3ppqKDaiZ3Cg4ikcaYleuq90I/BFNePzF0=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=