Make the warning around TUF roots a little less scary. (#590)

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
sigstore · Aug 28, 2021 · b1c033d · b1c033d
1 parent 36fa588
commit b1c033d
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 6 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
@@ -214,7 +214,7 @@ func initRoots() *x509.CertPool {
 		err := tuf.GetTarget(ctx, fulcioTargetStr, &buf)
 		if err != nil {
 			// The user may not have initialized the local root metadata. Log the error and use the embedded root.
-			fmt.Fprintln(os.Stderr, "using embedded fulcio certificate. did you run `cosign init`? error retrieving target: ", err)
+			fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded CA certificate.")
 			if !cp.AppendCertsFromPEM([]byte(rootPem)) {
 				panic("error creating root cert pool")
 			}

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -116,15 +116,14 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 
 	co := &cosign.CheckOpts{
 		Annotations:        *c.Annotations,
-		RootCerts:          fulcio.GetRoots(),
 		RegistryClientOpts: DefaultRegistryClientOpts(ctx),
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
 	}
 	if EnableExperimental() {
 		co.RekorURL = c.RekorURL
-
+		co.RootCerts = fulcio.GetRoots()
 	}
 	keyRef := c.KeyRef
 

diff --git a/cmd/cosign/cli/verify_attestation.go b/cmd/cosign/cli/verify_attestation.go
@@ -116,7 +116,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 	}
 
 	co := &cosign.CheckOpts{
-		RootCerts:            fulcio.GetRoots(),
 		RegistryClientOpts:   DefaultRegistryClientOpts(ctx),
 		SigTagSuffixOverride: cosign.AttestationTagSuffix,
 	}
@@ -125,6 +124,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 	}
 	if EnableExperimental() {
 		co.RekorURL = c.RekorURL
+		co.RootCerts = fulcio.GetRoots()
+
 	}
 	keyRef := c.KeyRef
 

diff --git a/cmd/sget/cli/sget.go b/cmd/sget/cli/sget.go
@@ -43,7 +43,6 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
 	co := &cosign.CheckOpts{
 		ClaimVerifier: cosign.SimpleClaimVerifier,
 		VerifyBundle:  true,
-		RootCerts:     fulcio.GetRoots(),
 		RegistryClientOpts: []remote.Option{
 			remote.WithAuthFromKeychain(authn.DefaultKeychain),
 			remote.WithContext(ctx),
@@ -58,6 +57,7 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
 	}
 
 	if co.SigVerifier != nil || cli.EnableExperimental() {
+		co.RootCerts = fulcio.GetRoots()
 		sigRepo, err := cli.TargetRepositoryForImage(ref)
 		if err != nil {
 			return nil, err

diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
@@ -53,7 +53,7 @@ func GetRekorPub() string {
 	err := tuf.GetTarget(ctx, rekorTargetStr, &buf)
 	if err != nil {
 		// The user may not have initialized the local root metadata. Log the error and use the embedded root.
-		fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err)
+		fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded rekor key")
 		return rekorPub
 	}
 	return buf.String()