Warn if the payload is not provided for (cosign signature attach)

The signature signs the payload; it makes no sense for the user
to provide the signature but not the payload - it would effectively
force cosign to generate a byte-for-byte identical (and, currently,
undesirable) payload forever.

Still, for compatibility, continue to accept such invocations,
but trigger a warning.

Signed-off-by: Miloslav Trmač <[email protected]>

EXAMPLES.md

@@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
 $ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
 $ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
 # We have to base64 encode the signature
-$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
+$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
 ```
 
 Now (on another machine) download the public key, payload, signatures and verify it!
@@ -71,7 +71,7 @@ $ aws kms sign  --key-id $AWS_CMK_ID \
               --output text \
               --query Signature > payload.sig
 
-$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig)
+$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json
 ```
 
 Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`!

USAGE.md

@@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl...
 
 ## Upload a generated signature
 
-The signature is passed via the `--signature` flag.
+The signature is passed via the `--signature` and `--payload` flags.
 It can be a file:
 
 ```shell
-$ cosign attach signature --signature file.sig $IMAGE_DIGEST
+$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST
 Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
 ```
 
 or, `-` for stdin for chaining from other commands:
 
 ```shell
-$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST
+$ … | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST
 Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig
 ```
 

cmd/cosign/cli/attach/sig.go

@@ -25,10 +25,10 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/oci/mutate"
 	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
-	sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 )
 
 func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error {
@@ -58,7 +58,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
 
 	var payload []byte
 	if payloadRef == "" {
-		payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON()
+		payload, err = cosign.ObsoletePayload(ctx, digest)
 	} else {
 		payload, err = os.ReadFile(filepath.Clean(payloadRef))
 	}

cmd/cosign/cli/options/attach.go

@@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
 		"path to the signature, or {-} for stdin")
 
 	cmd.Flags().StringVar(&o.Payload, "payload", "",
-		"path to the payload covered by the signature (if using another format)")
+		"path to the payload covered by the signature")
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")