From 2fd3b4c0bc0e67fb385b13a34d0bd9fec2da2e4b Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 14 Nov 2022 12:21:41 -0800 Subject: [PATCH] Remove experimental mode from cosign attest and verify-attestation Signed-off-by: Priya Wadhwa --- cmd/cosign/cli/attest.go | 4 ++-- cmd/cosign/cli/attest/attest.go | 12 +++--------- cmd/cosign/cli/verify.go | 5 +---- cmd/cosign/cli/verify/verify_attestation.go | 7 ++++--- doc/cosign_attest.md | 4 ++-- doc/cosign_verify-attestation.md | 5 +---- 6 files changed, 13 insertions(+), 24 deletions(-) diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index 6b7e445aa5a..400d1a58f1d 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -33,8 +33,8 @@ func Attest() *cobra.Command { Short: "Attest the supplied container image.", Example: ` cosign attest --key | [--predicate ] [--a key=value] [--no-upload=true|false] [--f] [--r] - # attach an attestation to a container image Google sign-in (experimental) - COSIGN_EXPERIMENTAL=1 cosign attest --timeout 90s --predicate --type + # attach an attestation to a container image Google sign-in + cosign attest --timeout 90s --predicate --type # attach an attestation to a container image with a local key pair file cosign attest --predicate --type --key cosign.key diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 5a6b969ca1a..d9e10f3db69 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go 
@@ -81,15 +81,9 @@ type AttestCommand struct { // nolint func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error { - // A key file or token is required unless we're in experimental mode! - if options.EnableExperimental() { - if options.NOf(c.KeyRef, c.Sk) > 1 { - return &options.KeyParseError{} - } - } else { - if !options.OneOf(c.KeyRef, c.Sk) { - return &options.KeyParseError{} - } + // We can't have both a key and a security key + if options.NOf(c.KeyRef, c.Sk) > 1 { + return &options.KeyParseError{} } predicateURI, err := options.ParsePredicateType(c.PredicateType) diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index d41753de4a3..c7f9cbe3fdc 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go @@ -142,7 +142,7 @@ func VerifyAttestation() *cobra.Command { against the transparency log.`, Example: ` cosign verify-attestation --key || [ ...] - # verify cosign attestations on the image + # verify cosign attestations on the image against the transparency log cosign verify-attestation # verify multiple images @@ -151,9 +151,6 @@ against the transparency log.`, # additionally verify specified annotations cosign verify-attestation -a key1=val1 -a key2=val2 - # (experimental) additionally, verify with the transparency log - COSIGN_EXPERIMENTAL=1 cosign verify-attestation - # verify image with public key cosign verify-attestation --key cosign.pub diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index 2d2cd8d6f92..2c83739d9d8 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go 
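Review bot: The replacement check at the top of Exec only says that `--key` and `--sk` cannot be combined, while the behaviour that actually changed — supplying neither is no longer an error — is left undocumented; the comment should state the new default explicitly, e.g. `// Neither --key nor --sk selects keyless signing; both at once is an error.` If the no-key path drives an interactive OIDC sign-in, as the `--timeout 90s` in the attest example suggests, a non-interactive caller whose key variable is unset and expands to `--key ""` presumably now blocks on that flow until the timeout instead of failing fast, and that caveat belongs in the command help as well. Whether an empty KeyRef counts as absent depends on options.NOf, which is not in the hunk. The rest of Exec, including the signing path itself, lies outside this hunk.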
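Review bot: The reworded example for the bare `cosign verify-attestation` invocation now presents the default, keyless path as verification "against the transparency log", but nothing in the example constrains who may have produced the attestation; presumably any attestation signed under a valid Fulcio-issued certificate and recorded in the log will pass. If this version already has identity or issuer constraint flags for verify-attestation (not visible in the hunk), the example should use them so that readers do not copy an unconstrained keyless verification into CI; otherwise a one-line comment such as `# keyless: any signer holding a valid Fulcio certificate is accepted unless further constrained` should sit above it. The Long text that mentions the transparency log begins outside the hunk.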
@@ -73,8 +73,9 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e return flag.ErrHelp } - if !options.OneOf(c.KeyRef, c.Sk, c.CertRef) && !options.EnableExperimental() { - return &options.PubKeyParseError{} + // We can't have both a key and a security key + if options.NOf(c.KeyRef, c.Sk) > 1 { + return &options.KeyParseError{} } ociremoteOpts, err := c.ClientOpts(ctx) @@ -97,7 +98,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e if c.CheckClaims { co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier } - if options.EnableExperimental() { + if keylessVerification(c.KeyRef, c.Sk) { if c.RekorURL != "" { rekorClient, err := rekor.NewClient(c.RekorURL) if err != nil { diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 9c4096ca015..88ae2da27e5 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md @@ -11,8 +11,8 @@ cosign attest [flags] ``` cosign attest --key | [--predicate ] [--a key=value] [--no-upload=true|false] [--f] [--r] - # attach an attestation to a container image Google sign-in (experimental) - COSIGN_EXPERIMENTAL=1 cosign attest --timeout 90s --predicate --type + # attach an attestation to a container image Google sign-in + cosign attest --timeout 90s --predicate --type # attach an attestation to a container image with a local key pair file cosign attest --predicate --type --key cosign.key diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index f79d218dc50..7c3bdd356b2 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md @@ -16,7 +16,7 @@ cosign verify-attestation [flags] ``` cosign verify-attestation --key || [ ...] - # verify cosign attestations on the image + # verify cosign attestations on the image against the transparency log cosign verify-attestation # verify multiple images 
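Review bot: The new mutual-exclusion check drops `c.CertRef` from the set the old `OneOf(c.KeyRef, c.Sk, c.CertRef)` guarded, so `--key` or `--sk` combined with `--certificate` is no longer rejected up front and presumably whichever source the key-selection code further down consults first silently wins; keep the certificate in the check: `if options.NOf(c.KeyRef, c.Sk, c.CertRef) > 1 { return &options.KeyParseError{} }`. The more consequential change is that having no key material at all is no longer an error here: a pipeline whose key variable is unset and expands to `--key ""` presumably falls through to keyless verification against the default trust roots rather than failing closed, so the help text should say so plainly and steer users toward identity constraints. Returning `KeyParseError` where `PubKeyParseError` was returned before also changes the error type that callers of Exec may be matching on. Exec continues beyond this hunk and the code that selects among key, security key and certificate is not shown.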
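Review bot: The Rekor client is now built only when `keylessVerification(c.KeyRef, c.Sk)` holds, so if that helper (defined outside this hunk) returns false whenever a key or security key is supplied, key-based verify-attestation can no longer opt in to a transparency-log inclusion check, which `COSIGN_EXPERIMENTAL=1 --key` previously allowed. That is a silent weakening for users who relied on the log as a second factor alongside their key; either keep a way for the keyed path to request the check (for instance honouring an explicitly passed `--rekor-url`) or state in the command help that transparency-log verification now applies to keyless verification only. The helper also ignores `c.CertRef`, so `--certificate` without a key presumably takes the keyless branch; a comment recording that intent, e.g. `// --certificate without a key is verified as keyless: Fulcio roots plus Rekor`, would help the next reader. The remainder of the branch body continues outside the hunk.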
@@ -25,9 +25,6 @@ cosign verify-attestation [flags] # additionally verify specified annotations cosign verify-attestation -a key1=val1 -a key2=val2 - # (experimental) additionally, verify with the transparency log - COSIGN_EXPERIMENTAL=1 cosign verify-attestation - # verify image with public key cosign verify-attestation --key cosign.pub