Remove experimental mode from sign-blob and verify-blob (#2457)

Signed-off-by: Priya Wadhwa <[email protected]>

Signed-off-by: Priya Wadhwa <[email protected]>

.gitignore

@@ -32,4 +32,8 @@ policyControllerImagerefs
 sgetImagerefs
 policyImagerefs
 
+bundle
+signature
+certificate
+
 **verify-experimental*

cmd/cosign/cli/options/signblob.go

@@ -34,6 +34,7 @@ type SignBlobOptions struct {
 	Registry          RegistryOptions
 	BundlePath        string
 	SkipConfirmation  bool
+	TlogUpload        bool
 }
 
 var _ Interface = (*SignBlobOptions)(nil)
@@ -70,4 +71,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for non-destructive operations")
+
+	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", false,
+		"whether or not to upload to the tlog")
 }

cmd/cosign/cli/sign/sign.go

@@ -76,6 +76,11 @@ func ShouldUploadToTlog(ctx context.Context, ko options.KeyOpts, ref name.Refere
 		return true
 	}
 
+	// We don't need to validate the ref, just return true
+	if ref == nil {
+		return true
+	}
+
 	// Check if the image is public (no auth in Get)
 	if _, err := remote.Get(ref, remote.WithContext(ctx)); err != nil {
 		fmt.Fprintf(os.Stderr, "%q appears to be a private repository, please confirm uploading to the transparency log at %q [Y/N]: ", ref.Context().String(), ko.RekorURL)

cmd/cosign/cli/sign/sign_blob.go

@@ -34,7 +34,7 @@ import (
 )
 
 // nolint
-func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) {
+func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) {
 	var payload []byte
 	var err error
 	var rekorBytes []byte
@@ -65,7 +65,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Re
 
 	signedPayload := cosign.LocalSignedPayload{}
 
-	if options.EnableExperimental() {
+	if ShouldUploadToTlog(ctx, ko, nil, ko.SkipConfirmation, tlogUpload) {
 		rekorBytes, err = sv.Bytes(ctx)
 		if err != nil {
 			return nil, err

cmd/cosign/cli/signblob.go

@@ -36,7 +36,7 @@ func SignBlob() *cobra.Command {
 		Example: `  cosign sign-blob --key <key path>|<kms uri> <blob>
 
   # sign a blob with Google sign-in (experimental)
-  COSIGN_EXPERIMENTAL=1 cosign --timeout 90s sign-blob <FILE>
+  cosign sign-blob <FILE> --output-signature <FILE> --output-certificate <FILE>
 
   # sign a blob with a local key pair file
   cosign sign-blob --key cosign.key <FILE>
@@ -55,11 +55,8 @@ func SignBlob() *cobra.Command {
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		PreRunE: func(cmd *cobra.Command, args []string) error {
-			// A key file is required unless we're in experimental mode!
-			if !options.EnableExperimental() {
-				if !options.OneOf(o.Key, o.SecurityKey.Use) {
-					return &options.KeyParseError{}
-				}
+			if options.NOf(o.Key, o.SecurityKey.Use) > 1 {
+				return &options.KeyParseError{}
 			}
 			return nil
 		},
@@ -91,7 +88,7 @@ func SignBlob() *cobra.Command {
 					fmt.Fprintln(os.Stderr, "WARNING: the '--output' flag is deprecated and will be removed in the future. Use '--output-signature'")
 					o.OutputSignature = o.Output
 				}
-				if _, err := sign.SignBlobCmd(ro, ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate); err != nil {
+				if _, err := sign.SignBlobCmd(ro, ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil {
 					return fmt.Errorf("signing %s: %w", blob, err)
 				}
 			}

cmd/cosign/cli/verify.go

@@ -264,7 +264,7 @@ The blob may be specified as a path to a file or - for stdin.`,
   cosign verify-blob --key gitlab://[PROJECT_ID]  --signature $sig <blob>
 
   # Verify a signature against a certificate
-  COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate <cert> --signature $sig <blob>
+  cosign verify-blob --certificate <cert> --signature $sig <blob>
 `,
 
 		Args:             cobra.ExactArgs(1),

cmd/cosign/cli/verify/verify.go

@@ -118,7 +118,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
 	}
 
-	if c.keylessVerification() {
+	if keylessVerification(c.KeyRef, c.Sk) {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {
@@ -408,11 +408,11 @@ func loadCertChainFromFileOrURL(path string) ([]*x509.Certificate, error) {
 	return certs, nil
 }
 
-func (c *VerifyCommand) keylessVerification() bool {
-	if c.KeyRef != "" {
+func keylessVerification(keyRef string, sk bool) bool {
+	if keyRef != "" {
 		return false
 	}
-	if c.Sk {
+	if sk {
 		return false
 	}
 	return true

cmd/cosign/cli/verify/verify_blob.go

@@ -91,8 +91,8 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	var bundle *bundle.RekorBundle
 
 	// Require a certificate/key OR a local bundle file that has the cert.
-	if !options.OneOf(c.KeyRef, c.Sk, c.CertRef) && c.BundlePath == "" {
-		return &options.PubKeyParseError{}
+	if options.NOf(c.KeyRef, c.Sk) > 1 {
+		return &options.KeyParseError{}
 	}
 
 	sig, err := signatures(c.SigRef, c.BundlePath)
@@ -117,16 +117,14 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		IgnoreSCT:                    c.IgnoreSCT,
 		Offline:                      c.Offline,
 	}
-	if options.EnableExperimental() {
+	if keylessVerification(c.KeyRef, c.Sk) {
 		if c.RekorURL != "" {
 			rekorClient, err := rekor.NewClient(c.RekorURL)
 			if err != nil {
 				return fmt.Errorf("creating Rekor client: %w", err)
 			}
 			co.RekorClient = rekorClient
 		}
-	}
-	if options.EnableExperimental() {
 		co.RootCerts, err = fulcio.GetRoots()
 		if err != nil {
 			return fmt.Errorf("getting Fulcio roots: %w", err)
@@ -242,6 +240,8 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 			return fmt.Errorf("loading verifier from bundle: %w", err)
 		}
 		bundle = b.Bundle
+	default:
+		return fmt.Errorf("please provide a cert to verify against via --certificate or a bundle via --bundle")
 	}
 
 	// Performs all blob verification.

test/e2e_test.go

@@ -693,7 +693,7 @@ func TestSignBlob(t *testing.T) {
 		KeyRef:   privKeyPath1,
 		PassFunc: passFunc,
 	}
-	sig, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "")
+	sig, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -738,15 +738,15 @@ func TestSignBlobBundle(t *testing.T) {
 		BundlePath: bundlePath,
 		RekorURL:   rekorURL,
 	}
-	if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", ""); err != nil {
+	if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
 		t.Fatal(err)
 	}
 	// Now verify should work
 	must(verifyBlobCmd.Exec(ctx, bp), t)
 
 	// Now we turn on the tlog and sign again
 	defer setenv(t, env.VariableExperimental.String(), "1")()
-	if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", ""); err != nil {
+	if _, err := sign.SignBlobCmd(ro, ko, options.RegistryOptions{}, bp, true, "", "", false); err != nil {
 		t.Fatal(err)
 	}