
Commit 936b111

Refactor TR and SC initialization into common method
The one difference between sign/attest and sign/attest-blob is whether a bundle output flag is present, so the error message has been adjusted. Signed-off-by: Hayden <[email protected]>
1 parent 2914197 commit 936b111


5 files changed

+72
-185
lines changed


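--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -22,10 +22,7 @@ import (
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-"github.com/sigstore/cosign/v3/internal/ui"
-"github.com/sigstore/cosign/v3/pkg/cosign"
-"github.com/sigstore/cosign/v3/pkg/cosign/env"
-"github.com/sigstore/sigstore-go/pkg/root"
+"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 "github.com/spf13/cobra"
 )
 
@@ -102,48 +99,10 @@ func Attest() *cobra.Command {
 IssueCertificateForExistingKey: o.IssueCertificate,
 NewBundleFormat: o.NewBundleFormat,
 }
-// If a signing config is used, then service URLs cannot be specified
-if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-o.TSAServerURL != "") {
-return fmt.Errorf("cannot specify service URLs and use signing config")
-}
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.TlogUpload {
-return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
-}
-// Signing config requires a bundle as output for verification materials since sigstore-go is used
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
-return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
-}
-// Fetch a trusted root when:
-// * requesting a certificate and no CT log key is provided to verify an SCT
-// * using a signing config and signing using sigstore-go
-if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-(o.UseSigningConfig || o.SigningConfigPath != "") {
-if o.TrustedRootPath != "" {
-ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-if err != nil {
-return fmt.Errorf("loading trusted root: %w", err)
-}
-} else {
-ko.TrustedMaterial, err = cosign.TrustedRoot()
-if err != nil {
-ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-}
-}
-}
-if o.SigningConfigPath != "" {
-ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-if err != nil {
-return fmt.Errorf("error reading signing config from file: %w", err)
-}
-} else if o.UseSigningConfig {
-ko.SigningConfig, err = cosign.SigningConfig()
-if err != nil {
-return fmt.Errorf("error getting signing config from TUF: %w", err)
-}
+if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil {
+return err
 }
 
 attestCommand := attest.AttestCommand{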
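Review bot: The trusted-root condition for `attest` changes in this hunk: the removed code fetched a trusted root only when `o.Key == ""`, but the new call passes `o.IssueCertificate` and the shared helper tests `keyRef == "" || issueCertificate`, so `attest --key ... --issue-certificate` now also loads a trusted root (and, without `--trusted-root`, performs a TUF fetch). That is presumably the intended alignment with `sign`, whose removed code already included `o.IssueCertificate`, since the comment ties the fetch to verifying the SCT of a requested certificate, but the commit description only mentions the bundle-flag message, so a sentence such as `attest/attest-blob now fetch a trusted root when --issue-certificate is set with --key, matching sign` would document the behaviour change. The attest_blob.go hunk has the same change. The enclosing RunE closure starts before this hunk.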

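--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -16,15 +16,11 @@ package cli
 
 import (
 "context"
-"fmt"
 
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-"github.com/sigstore/cosign/v3/internal/ui"
-"github.com/sigstore/cosign/v3/pkg/cosign"
-"github.com/sigstore/cosign/v3/pkg/cosign/env"
-"github.com/sigstore/sigstore-go/pkg/root"
+"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 "github.com/spf13/cobra"
 )
 
@@ -90,48 +86,10 @@ func AttestBlob() *cobra.Command {
 BundlePath: o.BundlePath,
 NewBundleFormat: o.NewBundleFormat,
 }
-// If a signing config is used, then service URLs cannot be specified
-if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-o.TSAServerURL != "") {
-return fmt.Errorf("cannot specify service URLs and use signing config")
-}
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.TlogUpload {
-return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
-}
-// Signing config requires a bundle as output for verification materials since sigstore-go is used
-if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
-return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
-}
-// Fetch a trusted root when:
-// * requesting a certificate and no CT log key is provided to verify an SCT
-// * using a signing config and signing using sigstore-go
-if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-(o.UseSigningConfig || o.SigningConfigPath != "") {
-if o.TrustedRootPath != "" {
-ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-if err != nil {
-return fmt.Errorf("loading trusted root: %w", err)
-}
-} else {
-ko.TrustedMaterial, err = cosign.TrustedRoot()
-if err != nil {
-ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-}
-}
-}
-if o.SigningConfigPath != "" {
-ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-if err != nil {
-return fmt.Errorf("error reading signing config from file: %w", err)
-}
-} else if o.UseSigningConfig {
-ko.SigningConfig, err = cosign.SigningConfig()
-if err != nil {
-return fmt.Errorf("error getting signing config from TUF: %w", err)
-}
+if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil {
+return err
 }
 
 v := attest.AttestBlobCommand{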

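--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -23,10 +23,7 @@ import (
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
-"github.com/sigstore/cosign/v3/internal/ui"
-"github.com/sigstore/cosign/v3/pkg/cosign"
-"github.com/sigstore/cosign/v3/pkg/cosign/env"
-"github.com/sigstore/sigstore-go/pkg/root"
+"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 "github.com/spf13/cobra"
 )
 
@@ -132,48 +129,10 @@ race conditions or (worse) malicious tampering.
 TSAServerURL: o.TSAServerURL,
 IssueCertificateForExistingKey: o.IssueCertificate,
 }
-// If a signing config is used, then service URLs cannot be specified
-if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-o.TSAServerURL != "") {
-return fmt.Errorf("cannot specify service URLs and use signing config")
-}
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.TlogUpload {
-return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
-}
-// Signing config requires a bundle as output for verification materials since sigstore-go is used
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
-return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
-}
-// Fetch a trusted root when:
-// * requesting a certificate and no CT log key is provided to verify an SCT
-// * using a signing config and signing using sigstore-go
-if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-(o.UseSigningConfig || o.SigningConfigPath != "") {
-if o.TrustedRootPath != "" {
-ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-if err != nil {
-return fmt.Errorf("loading trusted root: %w", err)
-}
-} else {
-ko.TrustedMaterial, err = cosign.TrustedRoot()
-if err != nil {
-ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-}
-}
-}
-if o.SigningConfigPath != "" {
-ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-if err != nil {
-return fmt.Errorf("error reading signing config from file: %w", err)
-}
-} else if o.UseSigningConfig {
-ko.SigningConfig, err = cosign.SigningConfig()
-if err != nil {
-return fmt.Errorf("error getting signing config from TUF: %w", err)
-}
+if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil {
+return err
 }
 
 if err := sign.SignCmd(ro, ko, *o, args); err != nil {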
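Review bot: The new helper call in this hunk passes `context.Background()` although the helper now takes a `ctx` parameter and forwards it to `ui.Warnf`; if the RunE closure's `cmd` is in scope here (the closure starts before this hunk), `cmd.Context()` would carry the caller's cancellation and deadline into the helper, i.e. `if err := signcommon.LoadTrustedMaterialAndSigningConfig(cmd.Context(), &ko, ...`. Whether the TUF fetch inside `cosign.TrustedRoot()` observes a context cannot be seen in this diff, so this is a consistency point rather than a defect. The same applies to the attest.go, attest_blob.go and signblob.go hunks.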

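--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -23,10 +23,7 @@ import (
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 "github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
-"github.com/sigstore/cosign/v3/internal/ui"
-"github.com/sigstore/cosign/v3/pkg/cosign"
-"github.com/sigstore/cosign/v3/pkg/cosign/env"
-"github.com/sigstore/sigstore-go/pkg/root"
+"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 "github.com/spf13/cobra"
 "github.com/spf13/viper"
 )
@@ -100,48 +97,10 @@ func SignBlob() *cobra.Command {
 RFC3161TimestampPath: o.RFC3161TimestampPath,
 IssueCertificateForExistingKey: o.IssueCertificate,
 }
-// If a signing config is used, then service URLs cannot be specified
-if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-o.TSAServerURL != "") {
-return fmt.Errorf("cannot specify service URLs and use signing config")
-}
-if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.TlogUpload {
-return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
-}
-// Signing config requires a bundle as output for verification materials since sigstore-go is used
-if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
-return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
-}
-// Fetch a trusted root when:
-// * requesting a certificate and no CT log key is provided to verify an SCT
-// * using a signing config and signing using sigstore-go
-if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-(o.UseSigningConfig || o.SigningConfigPath != "") {
-if o.TrustedRootPath != "" {
-ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-if err != nil {
-return fmt.Errorf("loading trusted root: %w", err)
-}
-} else {
-ko.TrustedMaterial, err = cosign.TrustedRoot()
-if err != nil {
-ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-}
-}
-}
-if o.SigningConfigPath != "" {
-ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-if err != nil {
-return fmt.Errorf("error reading signing config from file: %w", err)
-}
-} else if o.UseSigningConfig {
-ko.SigningConfig, err = cosign.SigningConfig()
-if err != nil {
-return fmt.Errorf("error getting signing config from TUF: %w", err)
-}
+if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil {
+return err
 }
 
 for _, blob := range args {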

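--- a/cmd/cosign/cli/signcommon/common.go
+++ b/cmd/cosign/cli/signcommon/common.go
@@ -39,6 +39,7 @@ import (
 "github.com/sigstore/cosign/v3/internal/ui"
 "github.com/sigstore/cosign/v3/pkg/cosign"
 cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+"github.com/sigstore/cosign/v3/pkg/cosign/env"
 "github.com/sigstore/cosign/v3/pkg/cosign/pivkey"
 "github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
@@ -581,3 +582,54 @@ func ParseOCIReference(ctx context.Context, refStr string, opts ...name.Option)
 }
 return ref, nil
 }
+
+// LoadTrustedMaterialAndSigningConfig loads the trusted material and signing config from the given options.
+func LoadTrustedMaterialAndSigningConfig(ctx context.Context, ko *options.KeyOpts, useSigningConfig bool, signingConfigPath string,
+rekorURL, fulcioURL, oidcIssuer, tsaServerURL, trustedRootPath string,
+tlogUpload bool, newBundleFormat bool, bundlePath string, keyRef string, issueCertificate bool) error {
+var err error
+// If a signing config is used, then service URLs cannot be specified
+if (useSigningConfig || signingConfigPath != "") &&
+((rekorURL != "" && rekorURL != options.DefaultRekorURL) ||
+(fulcioURL != "" && fulcioURL != options.DefaultFulcioURL) ||
+(oidcIssuer != "" && oidcIssuer != options.DefaultOIDCIssuerURL) ||
+tsaServerURL != "") {
+return fmt.Errorf("cannot specify service URLs and use signing config")
+}
+if (useSigningConfig || signingConfigPath != "") && !tlogUpload {
+return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
+}
+// Signing config requires a bundle as output for verification materials since sigstore-go is used
+if (useSigningConfig || signingConfigPath != "") && !newBundleFormat && bundlePath == "" {
+return fmt.Errorf("must provide --new-bundle-format or --bundle where applicable with --signing-config or --use-signing-config")
+}
+// Fetch a trusted root when:
+// * requesting a certificate and no CT log key is provided to verify an SCT
+// * using a signing config and signing using sigstore-go
+if ((keyRef == "" || issueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
+(useSigningConfig || signingConfigPath != "") {
+if trustedRootPath != "" {
+ko.TrustedMaterial, err = root.NewTrustedRootFromPath(trustedRootPath)
+if err != nil {
+return fmt.Errorf("loading trusted root: %w", err)
+}
+} else {
+ko.TrustedMaterial, err = cosign.TrustedRoot()
+if err != nil {
+ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+}
+}
+}
+if signingConfigPath != "" {
+ko.SigningConfig, err = root.NewSigningConfigFromPath(signingConfigPath)
+if err != nil {
+return fmt.Errorf("error reading signing config from file: %w", err)
+}
+} else if useSigningConfig {
+ko.SigningConfig, err = cosign.SigningConfig()
+if err != nil {
+return fmt.Errorf("error getting signing config from TUF: %w", err)
+}
+}
+return nil
+}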
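Review bot: The merged bundle check at new line 603, `if (useSigningConfig || signingConfigPath != "") && !newBundleFormat && bundlePath == ""`, is weaker than the two checks it replaces: the removed `sign-blob` and `attest-blob` code rejected a signing config whenever `--bundle` was unset, but now `--new-bundle-format` alone satisfies the condition for those commands, so a blob signing with a signing config and no `--bundle` passes validation even though the comment above says a bundle output is required for the verification materials. Because `sign` and `attest` pass `""` for `bundlePath`, the helper cannot tell from its arguments which flag is the relevant one. One way to keep the original strictness is a `requireBundlePath bool` parameter that the blob callers set to true, with the condition `(requireBundlePath && bundlePath == "") || (!requireBundlePath && !newBundleFormat)`; if `--new-bundle-format` without `--bundle` is in fact valid for blobs, a comment saying so on this condition would remove the doubt. The doc comment on the function could also state that `ko` is updated in place and that a failed TUF fetch of the trusted root is only warned about, not returned as an error.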
