Add privacy statement for PII storage (#1909)
This statement has been added just before the OIDC code/normal flow,
since only in this flow we expect a user to be present. For the device
flow or when a token is provided, it's likely that Cosign is being run
in an automated environment.

This requires the user to either type Y or provide a global flag for
confirmation. This should not break any existing flows in automated
environments because it applies only to the flow where a browser is needed, not
to the device flow or when a token is provided.

Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper authored May 25, 2022
1 parent b73da70 commit 5f09c42
Showing 55 changed files with 108 additions and 6 deletions.
2 changes: 1 addition & 1 deletion cmd/cosign/cli/clean.go
Expand Up @@ -51,7 +51,7 @@ func Clean() *cobra.Command {

func CleanCmd(ctx context.Context, regOpts options.RegistryOptions, cleanType, imageRef string, force bool) error {
if !force {
ok, err := cosign.ConfirmPrompt(prompt(cleanType))
ok, err := cosign.ConfirmPromptDestructive(prompt(cleanType))
if err != nil {
return err
}
6 changes: 6 additions & 0 deletions cmd/cosign/cli/commands.go
Expand Up @@ -26,6 +26,7 @@ import (

cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/pkg/cosign"
)

var (
Expand Down Expand Up @@ -73,6 +74,11 @@ func New() *cobra.Command {
if ro.Verbose {
logs.Debug.SetOutput(os.Stderr)
}

if ro.SkipConfirmation {
cosign.SetSkipConfirmation(ro.SkipConfirmation)
}

return nil
},
PersistentPostRun: func(cmd *cobra.Command, args []string) {
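Review bot: The guard around `cosign.SetSkipConfirmation` in the PersistentPreRunE body can only ever push the package-level setting to true, so the `if` adds nothing over an unconditional `cosign.SetSkipConfirmation(ro.SkipConfirmation)`, while making it impossible to reset the value to false if New() is built more than once in a process (tests, embedding). Prefer the unconditional call. Because the setter mutates process-wide state in pkg/cosign rather than something scoped to this command, a short comment saying so would help the next reader, e.g. `// Propagate --yes to pkg/cosign; this is global for the rest of the process.` The enclosing closure starts above the hunk.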
16 changes: 16 additions & 0 deletions cmd/cosign/cli/fulcio/fulcio.go
Expand Up @@ -22,6 +22,7 @@ import (
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"errors"
"fmt"
"net/url"
"os"
Expand All @@ -41,6 +42,12 @@ const (
FlowNormal = "normal"
FlowDevice = "device"
FlowToken = "token"
// spacing is intentional to have this indented
PrivacyStatement = `
Note that there may be personally identifiable information associated with this signed artifact.
This may include the email address associated with the account with which you authenticate.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.`
PrivacyStatementConfirmation = " By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs."
)

type oidcConnector interface {
Expand Down Expand Up @@ -135,6 +142,8 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
}
fmt.Fprintln(os.Stderr, "Retrieving signed certificate...")

fmt.Fprintln(os.Stderr, PrivacyStatement)

var flow string
switch {
case ko.FulcioAuthFlow != "":
Expand All @@ -146,6 +155,13 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
fmt.Fprintln(os.Stderr, "Non-interactive mode detected, using device flow.")
flow = FlowDevice
default:
ok, err := cosign.ConfirmPrompt(PrivacyStatementConfirmation)
if err != nil {
return nil, err
}
if !ok {
return nil, errors.New("no confirmation")
}
flow = FlowNormal
}
Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain.
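Review bot: The consent check is attached to the `default` arm only, so a caller who selects the normal flow explicitly (the `case ko.FulcioAuthFlow != "":` arm at the top of the switch, whose body lies outside the hunk and presumably assigns `flow = ko.FulcioAuthFlow`) reaches the browser-based OIDC flow without being asked, even though `PrivacyStatement` has already been printed for them. If the intent is that every interactive normal-flow signing records consent, key the prompt on the resolved `flow` after the switch rather than on which arm chose it, as sketched below. The refusal error `errors.New("no confirmation")` would also be more useful as a message that says what was refused, e.g. `errors.New("signing aborted: privacy statement not confirmed")`. Whether `cosign.ConfirmPrompt` honours the new `SetSkipConfirmation` setting is not visible here; worth confirming so `--yes` covers this prompt in scripted runs.
```go
	default:
		flow = FlowNormal
	}
	// Ask for consent whenever the browser-based flow is used, whether it was
	// chosen explicitly via --fulcio-auth-flow or picked by default.
	if flow == FlowNormal {
		ok, err := cosign.ConfirmPrompt(PrivacyStatementConfirmation)
		if err != nil {
			return nil, err
		}
		if !ok {
			return nil, errors.New("no confirmation")
		}
	}
	// … unchanged: GetCert call …
```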
10 changes: 7 additions & 3 deletions cmd/cosign/cli/options/root.go
Expand Up @@ -23,9 +23,10 @@ import (

// RootOptions define flags and options for the root cosign cli.
type RootOptions struct {
OutputFile string
Verbose bool
Timeout time.Duration
OutputFile string
Verbose bool
Timeout time.Duration
SkipConfirmation bool
}

// DefaultTimeout specifies the default timeout for commands.
Expand All @@ -43,4 +44,7 @@ func (o *RootOptions) AddFlags(cmd *cobra.Command) {

cmd.PersistentFlags().DurationVarP(&o.Timeout, "timeout", "t", DefaultTimeout,
"timeout for commands")

cmd.PersistentFlags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
"skip confirmation prompts for non-destructive operations")
}
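Review bot: The new `SkipConfirmation` field carries no comment and the `--yes` help text does not say which prompts count as non-destructive, while the same commit keeps a separate `force` parameter for the destructive `clean` confirmation, so the two opt-outs are easy to confuse for a user reading `--help`. Suggest a field comment such as `// SkipConfirmation auto-answers non-destructive confirmation prompts (set by --yes); destructive prompts still need the command's own --force.` and the same distinction in the flag help string. Whether every non-destructive prompt in the tree consults this flag is not visible from this section.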
1 change: 1 addition & 0 deletions doc/cosign.md


1 change: 1 addition & 0 deletions doc/cosign_attach.md


1 change: 1 addition & 0 deletions doc/cosign_attach_attestation.md


1 change: 1 addition & 0 deletions doc/cosign_attach_sbom.md


1 change: 1 addition & 0 deletions doc/cosign_attach_signature.md


1 change: 1 addition & 0 deletions doc/cosign_attest.md


1 change: 1 addition & 0 deletions doc/cosign_clean.md


1 change: 1 addition & 0 deletions doc/cosign_completion.md


1 change: 1 addition & 0 deletions doc/cosign_copy.md


1 change: 1 addition & 0 deletions doc/cosign_dockerfile.md


1 change: 1 addition & 0 deletions doc/cosign_dockerfile_verify.md


1 change: 1 addition & 0 deletions doc/cosign_download.md


1 change: 1 addition & 0 deletions doc/cosign_download_attestation.md


1 change: 1 addition & 0 deletions doc/cosign_download_sbom.md


1 change: 1 addition & 0 deletions doc/cosign_download_signature.md


1 change: 1 addition & 0 deletions doc/cosign_generate-key-pair.md


1 change: 1 addition & 0 deletions doc/cosign_generate.md


1 change: 1 addition & 0 deletions doc/cosign_import-key-pair.md


1 change: 1 addition & 0 deletions doc/cosign_initialize.md


1 change: 1 addition & 0 deletions doc/cosign_load.md


1 change: 1 addition & 0 deletions doc/cosign_login.md


1 change: 1 addition & 0 deletions doc/cosign_manifest.md


1 change: 1 addition & 0 deletions doc/cosign_manifest_verify.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_attestation.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_generate-key.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_reset.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_set-management-key.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_set-pin.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_set-puk.md


1 change: 1 addition & 0 deletions doc/cosign_piv-tool_unblock.md


1 change: 1 addition & 0 deletions doc/cosign_pkcs11-tool.md


1 change: 1 addition & 0 deletions doc/cosign_pkcs11-tool_list-keys-uris.md


1 change: 1 addition & 0 deletions doc/cosign_pkcs11-tool_list-tokens.md


1 change: 1 addition & 0 deletions doc/cosign_policy.md


1 change: 1 addition & 0 deletions doc/cosign_policy_init.md


1 change: 1 addition & 0 deletions doc/cosign_policy_sign.md


1 change: 1 addition & 0 deletions doc/cosign_public-key.md

