diff --git a/EXAMPLES.md b/EXAMPLES.md index 1c5ad9b5daa9..ea2a1c1f349a 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig $ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json $ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central # We have to base64 encode the signature -$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun +$ cat gcpkms.sig | base64 | cosign attach signature --payload payload.json --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun ``` Now (on another machine) download the public key, payload, signatures and verify it! @@ -71,7 +71,7 @@ $ aws kms sign --key-id $AWS_CMK_ID \ --output text \ --query Signature > payload.sig -$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) +$ cosign attach signature docker.io/davivcgarcia/hello-world:latest --signature $(< payload.sig) --payload payload.json ``` Now (on another machine) use the `cosign` to download signature bundle, extract payload and signature value, and verify it with `aws kms`! diff --git a/USAGE.md b/USAGE.md index e58d12951614..7a593849ceff 100644 --- a/USAGE.md +++ b/USAGE.md @@ -130,18 +130,18 @@ $ cosign generate $IMAGE_DIGEST | openssl... ## Upload a generated signature -The signature is passed via the `--signature` flag. +The signature is passed via the `--signature` and `--payload` flags. It can be a file: ```shell -$ cosign attach signature --signature file.sig $IMAGE_DIGEST +$ cosign attach signature --signature file.sig --payload payload.json $IMAGE_DIGEST Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig ``` or, `-` for stdin for chaining from other commands: ```shell -$ cosign generate $IMAGE_DIGEST | openssl... | cosign attach signature --signature - $IMAGE_DIGEST +$ … | openssl... | cosign attach signature --signature - --payload ... $IMAGE_DIGEST Pushing signature to: dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def.sig ``` diff --git a/cmd/cosign/cli/attach/sig.go b/cmd/cosign/cli/attach/sig.go index aa0d2f5acbfe..f1ad36cdd4fd 100644 --- a/cmd/cosign/cli/attach/sig.go +++ b/cmd/cosign/cli/attach/sig.go @@ -25,10 +25,10 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" + "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" "github.com/sigstore/cosign/v2/pkg/oci/static" - sigPayload "github.com/sigstore/sigstore/pkg/signature/payload" ) func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, payloadRef, certRef, certChainRef, imageRef string) error { @@ -58,7 +58,7 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, var payload []byte if payloadRef == "" { - payload, err = (&sigPayload.Cosign{Image: digest}).MarshalJSON() + payload, err = cosign.ObsoletePayload(ctx, digest) } else { payload, err = os.ReadFile(filepath.Clean(payloadRef)) } diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go index 8eaa4cf281ff..5c02663516cf 100644 --- a/cmd/cosign/cli/options/attach.go +++ b/cmd/cosign/cli/options/attach.go @@ -44,7 +44,7 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) { "path to the signature, or {-} for stdin") cmd.Flags().StringVar(&o.Payload, "payload", "", - "path to the payload covered by the signature (if using another format)") + "path to the payload covered by the signature") cmd.Flags().StringVar(&o.Cert, "certificate", "", "path to the X.509 certificate in PEM format to include in the OCI Signature") diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md index bbe863666727..861a142e578f 100644 --- a/doc/cosign_attach_signature.md +++ b/doc/cosign_attach_signature.md @@ -22,7 +22,7 @@ cosign attach signature [flags] --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature -h, --help help for signature --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). - --payload string path to the payload covered by the signature (if using another format) + --payload string path to the payload covered by the signature --signature string path to the signature, or {-} for stdin ```