fixes from review

Signed-off-by: Josh Dolitsky <[email protected]>
sigstore · Feb 13, 2023 · 2ce0564 · 2ce0564
1 parent 4bd1d04
commit 2ce0564
Show file tree

Hide file tree

Showing 11 changed files with 73 additions and 40 deletions.
diff --git a/cmd/cosign/cli/attach.go b/cmd/cosign/cli/attach.go
@@ -73,7 +73,7 @@ func attachSBOM() *cobra.Command {
 				return err
 			}
 			fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest --predicate %s --key <key path>' or 'cosign sign --key <key path> --attachment sbom <image uri>'.\n", o.SBOM)
-			return attach.SBOMCmd(cmd.Context(), o.Registry, o.SBOM, mediaType, args[0])
+			return attach.SBOMCmd(cmd.Context(), o.Registry, o.RegistryExperimental, o.SBOM, mediaType, args[0])
 		},
 	}
 

diff --git a/cmd/cosign/cli/attach/sbom.go b/cmd/cosign/cli/attach/sbom.go
@@ -40,8 +40,8 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 )
 
-func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, sbomRef string, sbomType ocitypes.MediaType, imageRef string) error {
-	if options.EnableOCIExperimental() {
+func SBOMCmd(ctx context.Context, regOpts options.RegistryOptions, regExpOpts options.RegistryExperimentalOptions, sbomRef string, sbomType ocitypes.MediaType, imageRef string) error {
+	if regExpOpts.RegistryReferrersMode == options.RegistryReferrersModeOCI11 {
 		return sbomCmdOCIExperimental(ctx, regOpts, sbomRef, sbomType, imageRef)
 	}
 

diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go
@@ -47,17 +47,19 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
 
 // AttachSBOMOptions is the top level wrapper for the attach sbom command.
 type AttachSBOMOptions struct {
-	SBOM            string
-	SBOMType        string
-	SBOMInputFormat string
-	Registry        RegistryOptions
+	SBOM                 string
+	SBOMType             string
+	SBOMInputFormat      string
+	Registry             RegistryOptions
+	RegistryExperimental RegistryExperimentalOptions
 }
 
 var _ Interface = (*AttachSBOMOptions)(nil)
 
 // AddFlags implements Interface
 func (o *AttachSBOMOptions) AddFlags(cmd *cobra.Command) {
 	o.Registry.AddFlags(cmd)
+	o.RegistryExperimental.AddFlags(cmd)
 
 	cmd.Flags().StringVar(&o.SBOM, "sbom", "",
 		"path to the sbom, or {-} for stdin")

diff --git a/cmd/cosign/cli/options/experimental.go b/cmd/cosign/cli/options/experimental.go
@@ -26,10 +26,3 @@ func EnableExperimental() bool {
 	}
 	return false
 }
-
-func EnableOCIExperimental() bool {
-	if b, err := strconv.ParseBool(env.Getenv(env.VariableOCIExperimental)); err == nil {
-		return b
-	}
-	return false
-}
diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go
@@ -17,6 +17,8 @@ package options
 import (
 	"context"
 	"crypto/tls"
+	"errors"
+	"fmt"
 	"io"
 	"net/http"
 
@@ -111,3 +113,47 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 	}
 	return opts
 }
+
+type RegistryReferrersMode string
+
+const (
+	RegistryReferrersModeLegacy RegistryReferrersMode = "legacy"
+	RegistryReferrersModeOCI11  RegistryReferrersMode = "oci-1-1"
+)
+
+func (e *RegistryReferrersMode) String() string {
+	return string(*e)
+}
+
+func (e *RegistryReferrersMode) Set(v string) error {
+	switch v {
+	case "legacy":
+		*e = RegistryReferrersMode(v)
+		return nil
+	case "oci-1-1":
+		if !EnableExperimental() {
+			return fmt.Errorf(`in order to use  mode "%s", you must set COSIGN_EXPERIMENTAL=1`, v)
+		}
+		*e = RegistryReferrersMode(v)
+		return nil
+	default:
+		return errors.New(`must be one of "legacy", "oci-1-1"`)
+	}
+}
+
+func (e *RegistryReferrersMode) Type() string {
+	return "registryReferrersMode"
+}
+
+// RegistryExperimentalOptions is the wrapper for the registry experimental options.
+type RegistryExperimentalOptions struct {
+	RegistryReferrersMode RegistryReferrersMode
+}
+
+var _ Interface = (*RegistryExperimentalOptions)(nil)
+
+// AddFlags implements Interface
+func (o *RegistryExperimentalOptions) AddFlags(cmd *cobra.Command) {
+	cmd.Flags().Var(&o.RegistryReferrersMode, "registry-referrers-mode",
+		"mode for fetching references from the registry. allowed: legacy, oci-1-1")
+}
diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
@@ -41,7 +41,8 @@ type SignOptions struct {
 	OIDC        OIDCOptions
 	SecurityKey SecurityKeyOptions
 	AnnotationOptions
-	Registry RegistryOptions
+	Registry             RegistryOptions
+	RegistryExperimental RegistryExperimentalOptions
 }
 
 var _ Interface = (*SignOptions)(nil)
@@ -54,6 +55,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 	o.SecurityKey.AddFlags(cmd)
 	o.AnnotationOptions.AddFlags(cmd)
 	o.Registry.AddFlags(cmd)
+	o.RegistryExperimental.AddFlags(cmd)
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")

diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -44,7 +43,6 @@ import (
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
 	"github.com/sigstore/cosign/v2/internal/ui"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
 	cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote"
@@ -160,6 +158,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 		ErrDone = mutate.ErrSkipChildren
 	}
 	regOpts := signOpts.Registry
+	regExpOpts := signOpts.RegistryExperimental
 	opts, err := regOpts.ClientOpts(ctx)
 	if err != nil {
 		return fmt.Errorf("constructing client options: %w", err)
@@ -184,7 +183,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 			if err != nil {
 				return fmt.Errorf("accessing image: %w", err)
 			}
-			err = signDigest(ctx, digest, staticPayload, ko, regOpts, annotations, signOpts.Upload, signOpts.OutputSignature, signOpts.OutputCertificate, signOpts.Recursive, signOpts.TlogUpload, dd, sv, se)
+			err = signDigest(ctx, digest, staticPayload, ko, regOpts, regExpOpts, annotations, signOpts.Upload, signOpts.OutputSignature, signOpts.OutputCertificate, signOpts.Recursive, signOpts.TlogUpload, dd, sv, se)
 			if err != nil {
 				return fmt.Errorf("signing digest: %w", err)
 			}
@@ -203,7 +202,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 				return fmt.Errorf("computing digest: %w", err)
 			}
 			digest := ref.Context().Digest(d.String())
-			err = signDigest(ctx, digest, staticPayload, ko, regOpts, annotations, signOpts.Upload, signOpts.OutputSignature, signOpts.OutputCertificate, signOpts.Recursive, signOpts.TlogUpload, dd, sv, se)
+			err = signDigest(ctx, digest, staticPayload, ko, regOpts, regExpOpts, annotations, signOpts.Upload, signOpts.OutputSignature, signOpts.OutputCertificate, signOpts.Recursive, signOpts.TlogUpload, dd, sv, se)
 			if err != nil {
 				return fmt.Errorf("signing digest: %w", err)
 			}
@@ -217,7 +216,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 }
 
 func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts,
-	regOpts options.RegistryOptions, annotations map[string]interface{}, upload bool, outputSignature, outputCertificate string, recursive bool, tlogUpload bool,
+	regOpts options.RegistryOptions, regExpOpts options.RegistryExperimentalOptions, annotations map[string]interface{}, upload bool, outputSignature, outputCertificate string, recursive bool, tlogUpload bool,
 	dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error {
 	var err error
 	// The payload can be passed to skip generation.
@@ -315,7 +314,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
 	}
 
 	// Publish the signatures associated with this entity (using OCI 1.1+ behavior)
-	if b, err := strconv.ParseBool(env.Getenv(env.VariableOCIExperimental)); err == nil && b {
+	if regExpOpts.RegistryReferrersMode == options.RegistryReferrersModeOCI11 {
 		return ociremote.WriteSignaturesExperimentalOCI(digest, newSE, walkOpts...)
 	}
 

diff --git a/pkg/cosign/env/env.go b/pkg/cosign/env/env.go
@@ -50,7 +50,6 @@ const (
 	VariablePKCS11Pin        Variable = "COSIGN_PKCS11_PIN"
 	VariablePKCS11ModulePath Variable = "COSIGN_PKCS11_MODULE_PATH"
 	VariableRepository       Variable = "COSIGN_REPOSITORY"
-	VariableOCIExperimental  Variable = "COSIGN_OCI_EXPERIMENTAL"
 
 	// Sigstore environment variables
 	VariableSigstoreCTLogPublicKeyFile Variable = "SIGSTORE_CT_LOG_PUBLIC_KEY_FILE"
@@ -77,11 +76,6 @@ var (
 			Expects:     "1 if experimental features should be enabled (0 by default)",
 			Sensitive:   false,
 		},
-		VariableOCIExperimental: {
-			Description: "enables experimental cosign features for OCI (1.1+)",
-			Expects:     "1 if experimental OCI features should be enabled (0 by default)",
-			Sensitive:   false,
-		},
 		VariableDockerMediaTypes: {
 			Description: "to be used with registries that do not support OCI media types",
 			Expects:     "1 to fallback to legacy OCI media types equivalents (0 by default)",

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -30,13 +30,11 @@ import (
 	"fmt"
 	"os"
 	"regexp"
-	"strconv"
 	"strings"
 	"time"
 
 	"github.com/digitorus/timestamp"
 	cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
-	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/sigstore/sigstore/pkg/tuf"
 
 	"github.com/sigstore/cosign/v2/pkg/blob"
@@ -471,11 +469,10 @@ func (fos *fakeOCISignatures) Get() ([]oci.Signature, error) {
 // VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures.
 // If there were no valid signatures, we return an error.
 func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
-	if b, err := strconv.ParseBool(env.Getenv(env.VariableOCIExperimental)); err == nil && b {
-		verified, bundleVerified, err := verifyImageSignaturesExperimentalOCI(ctx, signedImgRef, co)
-		if err == nil {
-			return verified, bundleVerified, nil
-		}
+	// Try first using OCI 1.1 behavior
+	verified, bundleVerified, err := verifyImageSignaturesExperimentalOCI(ctx, signedImgRef, co)
+	if err == nil {
+		return verified, bundleVerified, nil
 	}
 
 	// Enforce this up front.

diff --git a/pkg/oci/remote/remote.go b/pkg/oci/remote/remote.go
@@ -20,15 +20,13 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"strconv"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	ociexperimental "github.com/sigstore/cosign/v2/internal/pkg/oci/remote"
-	"github.com/sigstore/cosign/v2/pkg/cosign/env"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 )
 
@@ -149,10 +147,9 @@ func attestations(digestable digestable, o *options) (oci.Signatures, error) {
 
 // attachment is a shared implementation of the oci.Signed* Attachment method.
 func attachment(digestable digestable, attName string, o *options) (oci.File, error) {
-	if b, err := strconv.ParseBool(env.Getenv(env.VariableOCIExperimental)); err == nil && b {
-		if file, err := attachmentExperimentalOCI(digestable, attName, o); err == nil {
-			return file, nil
-		}
+	// Try using OCI 1.1 behavior
+	if file, err := attachmentExperimentalOCI(digestable, attName, o); err == nil {
+		return file, nil
 	}
 
 	h, err := digestable.Digest()

diff --git a/pkg/oci/remote/write.go b/pkg/oci/remote/write.go
@@ -172,6 +172,9 @@ func WriteSignaturesExperimentalOCI(d name.Digest, se oci.SignedEntity, opts ...
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err
 	}
+
+	// TODO: write the config blob
+
 	artifactType := ociexperimental.ArtifactType("sig")
 	m.Config.MediaType = types.MediaType(artifactType)
 	m.Subject = desc