Remove experimental mode from cosign attest and verify-attestation
Signed-off-by: Priya Wadhwa <[email protected]>
priyawadhwa committed Nov 14, 2022
1 parent 44a7117 commit 2fd3b4c
Showing 6 changed files with 13 additions and 24 deletions.
4 changes: 2 additions & 2 deletions cmd/cosign/cli/attest.go
Expand Up @@ -33,8 +33,8 @@ func Attest() *cobra.Command {
Short: "Attest the supplied container image.",
Example: ` cosign attest --key <key path>|<kms uri> [--predicate <path>] [--a key=value] [--no-upload=true|false] [--f] [--r] <image uri>
# attach an attestation to a container image Google sign-in (experimental)
COSIGN_EXPERIMENTAL=1 cosign attest --timeout 90s --predicate <FILE> --type <TYPE> <IMAGE>
# attach an attestation to a container image Google sign-in
cosign attest --timeout 90s --predicate <FILE> --type <TYPE> <IMAGE>
# attach an attestation to a container image with a local key pair file
cosign attest --predicate <FILE> --type <TYPE> --key cosign.key <IMAGE>
12 changes: 3 additions & 9 deletions cmd/cosign/cli/attest/attest.go
Expand Up @@ -81,15 +81,9 @@ type AttestCommand struct {

// nolint
func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
// A key file or token is required unless we're in experimental mode!
if options.EnableExperimental() {
if options.NOf(c.KeyRef, c.Sk) > 1 {
return &options.KeyParseError{}
}
} else {
if !options.OneOf(c.KeyRef, c.Sk) {
return &options.KeyParseError{}
}
// We can't have both a key and a security key
if options.NOf(c.KeyRef, c.Sk) > 1 {
return &options.KeyParseError{}
}

predicateURI, err := options.ParsePredicateType(c.PredicateType)
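Review bot: With the `else` branch gone, `Exec` no longer rejects an invocation that supplies neither `c.KeyRef` nor `c.Sk`; the new guard only catches both being set, so a forgotten `--key` now continues past this point instead of returning `KeyParseError`. Going by the help text changed in this commit, that path is presumably the keyless sign-in flow, but the rest of `Exec` is outside the hunk, so confirm what gets published about the signer on that path. The one-line comment undersells this new default; I would write `// Reject --key together with --sk; with neither set, signing falls through to the keyless flow.` None of the six files in this commit is a test, so a case covering the no-key invocation would be worth adding.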
5 changes: 1 addition & 4 deletions cmd/cosign/cli/verify.go
Expand Up @@ -142,7 +142,7 @@ func VerifyAttestation() *cobra.Command {
against the transparency log.`,
Example: ` cosign verify-attestation --key <key path>|<key url>|<kms uri> <image uri> [<image uri> ...]
# verify cosign attestations on the image
# verify cosign attestations on the image against the transparency log
cosign verify-attestation <IMAGE>
# verify multiple images
Expand All @@ -151,9 +151,6 @@ against the transparency log.`,
# additionally verify specified annotations
cosign verify-attestation -a key1=val1 -a key2=val2 <IMAGE>
# (experimental) additionally, verify with the transparency log
COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE>
# verify image with public key
cosign verify-attestation --key cosign.pub <IMAGE>
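Review bot: The first example, `cosign verify-attestation <IMAGE>`, is now presented as the default transparency-log verification, yet nothing in the example text tells the reader which signer is being trusted. With no `--key`, a passing result only means something if the expected signing identity and issuer are also constrained; whether the command enforces that is not visible in this section. I would extend the comment to say so, e.g. `# verify cosign attestations on the image against the transparency log (keyless; also restrict the expected signer identity)`, and keep the `--key cosign.pub` example as the pinned-key alternative. The `Example` string starts and ends outside the hunks shown.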
7 changes: 4 additions & 3 deletions cmd/cosign/cli/verify/verify_attestation.go
Expand Up @@ -73,8 +73,9 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
return flag.ErrHelp
}

if !options.OneOf(c.KeyRef, c.Sk, c.CertRef) && !options.EnableExperimental() {
return &options.PubKeyParseError{}
// We can't have both a key and a security key
if options.NOf(c.KeyRef, c.Sk) > 1 {
return &options.KeyParseError{}
}

ociremoteOpts, err := c.ClientOpts(ctx)
Expand All @@ -97,7 +98,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
if c.CheckClaims {
co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
}
if options.EnableExperimental() {
if keylessVerification(c.KeyRef, c.Sk) {
if c.RekorURL != "" {
rekorClient, err := rekor.NewClient(c.RekorURL)
if err != nil {
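Review bot: The replacement guard at the top of `Exec` drops `c.CertRef` from the check: the old `OneOf(c.KeyRef, c.Sk, c.CertRef)` treated the three as alternatives, while `NOf(c.KeyRef, c.Sk) > 1` lets `--key` combined with a certificate reference through. If that combination is not meant to be valid, keep it rejected with `if options.NOf(c.KeyRef, c.Sk, c.CertRef) > 1 {` and return `&options.PubKeyParseError{}`, which is the error this verify path returned before; `KeyParseError` looks like it belongs to the signing commands. The second hunk's `keylessVerification(c.KeyRef, c.Sk)` is defined outside the visible lines and likewise ignores `c.CertRef`, so confirm that a certificate-only invocation takes the intended branch. `Exec` starts and ends outside both hunks.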
4 changes: 2 additions & 2 deletions doc/cosign_attest.md


5 changes: 1 addition & 4 deletions doc/cosign_verify-attestation.md

