Add --output-signature flag to store signature to a file

Signed-off-by: Priya Wadhwa <[email protected]>
sigstore · Oct 11, 2022 · 5b76402 · 5b76402
1 parent 93ce7b6
commit 5b76402
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 17 deletions.
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
@@ -43,7 +43,7 @@ import (
 )
 
 // nolint
-func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string, certChainPath string, noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
+func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string, certChainPath string, noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration, outputSignature string) error {
 	// A key file or token is required unless we're in experimental mode!
 	if options.EnableExperimental() {
 		if options.NOf(ko.KeyRef, ko.Sk) > 1 {
@@ -118,6 +118,10 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
 	if err != nil {
 		return err
 	}
+
+	fmt.Println("Payload:")
+	fmt.Println(string(payload))
+
 	sig, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx))
 	if err != nil {
 		return errors.Wrap(err, "signing")
@@ -157,14 +161,18 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
 		fmt.Printf("Bundle wrote in the file %s\n", ko.BundlePath)
 	}
 
-	// Print signature and certificate
-	// TODO: Write the signature and certificate to file if specified via flag
-	fmt.Println("Signature:")
+	// TODO: Write the certificate to file if specified via flag
 	sig = []byte(base64.StdEncoding.EncodeToString(sig))
-	fmt.Println(string(sig))
+	if outputSignature != "" {
+		if err := os.WriteFile(outputSignature, sig, 0600); err != nil {
+			return fmt.Errorf("create signature file: %w", err)
+		}
+		fmt.Printf("Signature written in %s\n", outputSignature)
+	} else {
+		fmt.Println(string(sig))
+	}
 
 	if rekorBytes != nil {
-		fmt.Println("Cert:")
 		fmt.Println(string(rekorBytes))
 	}
 

diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
@@ -70,7 +70,7 @@ func AttestBlob() *cobra.Command {
 			}
 			for _, artifact := range args {
 				if err := attest.AttestBlobCmd(cmd.Context(), ko, artifact, o.Hash, o.Cert, o.CertChain, o.NoUpload,
-					o.Predicate.Path, o.Force, o.Predicate.Type, o.Replace, ro.Timeout); err != nil {
+					o.Predicate.Path, o.Force, o.Predicate.Type, o.Replace, ro.Timeout, o.OutputSignature); err != nil {
 					return errors.Wrapf(err, "attesting %s", artifact)
 				}
 			}

diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go
@@ -22,15 +22,16 @@ import (
 
 // AttestOptions is the top level wrapper for the attest command.
 type AttestBlobOptions struct {
-	Key       string
-	Cert      string
-	CertChain string
-	NoUpload  bool
-	Force     bool
-	Recursive bool
-	Replace   bool
-	Timeout   time.Duration
-	Hash      string
+	Key             string
+	Cert            string
+	CertChain       string
+	NoUpload        bool
+	Force           bool
+	Recursive       bool
+	Replace         bool
+	Timeout         time.Duration
+	Hash            string
+	OutputSignature string
 
 	Rekor       RekorOptions
 	Fulcio      FulcioOptions
@@ -55,6 +56,10 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Cert, "cert", "",
 		"path to the x509 certificate to include in the Signature")
 
+	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
+		"write the signature to FILE")
+	_ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{})
+
 	cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+

diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
diff --git a/slsaprov b/slsaprov