From 5ceec00857f48d9b7c0b4d5575dff3f719fe7c8d Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Mon, 24 Apr 2023 09:41:30 -0700
Subject: [PATCH] Remove experimental from Rekor/OIDC related flags
Signed-off-by: Priya Wadhwa
---
 cmd/cosign/cli/options/oidc.go | 12 ++++++------
 cmd/cosign/cli/options/rekor.go | 2 +-
 doc/cosign_attest-blob.md | 14 +++++++-------
 doc/cosign_attest.md | 14 +++++++-------
 doc/cosign_dockerfile_verify.md | 2 +-
 doc/cosign_manifest_verify.md | 2 +-
 doc/cosign_sign-blob.md | 14 +++++++-------
 doc/cosign_sign.md | 14 +++++++-------
 doc/cosign_verify-attestation.md | 2 +-
 doc/cosign_verify-blob-attestation.md | 2 +-
 doc/cosign_verify-blob.md | 2 +-
 doc/cosign_verify.md | 2 +-
 test/e2e_test.sh | 1 -
 13 files changed, 41 insertions(+), 42 deletions(-)
diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
index 2bd3d13b1e5..580b93d4ca0 100644
--- a/cmd/cosign/cli/options/oidc.go
+++ b/cmd/cosign/cli/options/oidc.go
@@ -57,21 +57,21 @@ var _ Interface = (*OIDCOptions)(nil)
 // AddFlags implements Interface
 func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Issuer, "oidc-issuer", DefaultOIDCIssuerURL,
-		"[EXPERIMENTAL] OIDC provider to be used to issue ID token")
+		"OIDC provider to be used to issue ID token")
 	cmd.Flags().StringVar(&o.ClientID, "oidc-client-id", "sigstore",
-		"[EXPERIMENTAL] OIDC client ID for application")
+		"OIDC client ID for application")
 	cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "",
-		"[EXPERIMENTAL] Path to file containing OIDC client secret for application")
+		"Path to file containing OIDC client secret for application")
 	_ = cmd.Flags().SetAnnotation("oidc-client-secret-file", cobra.BashCompFilenameExt, []string{})
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
-		"[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+		"OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
 	cmd.Flags().StringVar(&o.Provider, "oidc-provider", "",
-		"[EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]")
+		"Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]")
 	cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
-		"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
+		"Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }
diff --git a/cmd/cosign/cli/options/rekor.go b/cmd/cosign/cli/options/rekor.go
index 66dbe449f99..724d6143e6b 100644
--- a/cmd/cosign/cli/options/rekor.go
+++ b/cmd/cosign/cli/options/rekor.go
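Review bot: The `_ = cmd.Flags().SetAnnotation("oidc-client-secret-file", cobra.BashCompFilenameExt, []string{})` line in this hunk discards an error with no justifying comment; pflag's SetAnnotation fails only when the named flag is not registered, and the flag is registered on the line just above, so a one-line comment such as `// SetAnnotation can only fail for an unregistered flag; registered just above` would make the intent explicit. The new help text for `--oidc-redirect-url` states a default of 'http://localhost:0/auth/callback' while the flag is declared with "" as its default, so the `(default ...)` suffix cobra prints will never show it; wording it as `"OIDC redirect URL (Optional). When unset, 'http://localhost:0/auth/callback' is used."` avoids reading as a declared flag default. With the `[EXPERIMENTAL]` prefix gone, these help strings are also the only capitalized ones next to lowercase siblings in the generated docs (e.g. `path to the private key file, KMS URI or Kubernetes Secret`), so lowercasing their first word would match the rest of the flag set.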
@@ -31,5 +31,5 @@ var _ Interface = (*RekorOptions)(nil)
 // AddFlags implements Interface
 func (o *RekorOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.URL, "rekor-url", DefaultRekorURL,
-		"[EXPERIMENTAL] address of rekor STL server")
+		"address of rekor STL server")
 }
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index 4be2d929657..664d32086d5 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
@@ -39,17 +39,17 @@ cosign attest-blob [flags] --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --key string path to the private key file, KMS URI or Kubernetes Secret - --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore") - --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application - --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read - --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") - --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] - --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. + --oidc-client-id string OIDC client ID for application (default "sigstore") + --oidc-client-secret-file string Path to file containing OIDC client secret for application + --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read + --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") + --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] + --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. 
--output-attestation string write the attestation to FILE --output-certificate string write the certificate to FILE --output-signature string write the signature to FILE --predicate string path to the predicate file. - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp-bundle string path to an RFC 3161 timestamp bundle FILE --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index d9f7f5c05a2..2f3b3682b51 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -51,15 +51,15 @@ cosign attest [flags] --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret --no-upload do not upload the generated attestation - --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore") - --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application - --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read - --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") - --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] - --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. + --oidc-client-id string OIDC client ID for application (default "sigstore") + --oidc-client-secret-file string Path to file containing OIDC client secret for application + --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read + --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") + --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] + --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. --predicate string path to the predicate file. 
-r, --recursive if a multi-arch image is specified, additionally sign each discrete image - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --replace --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md index a5a1d6c8fd7..ca55a5a40b7 100644 --- a/doc/cosign_dockerfile_verify.md +++ b/doc/cosign_dockerfile_verify.md @@ -76,7 +76,7 @@ cosign dockerfile verify [flags] --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string signature content or path or remote URL --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256") diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md index fc9565b3d8c..7934a5ab667 100644 --- a/doc/cosign_manifest_verify.md +++ b/doc/cosign_manifest_verify.md 
@@ -70,7 +70,7 @@ cosign manifest verify [flags] --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string signature content or path or remote URL --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256") diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index 41605e1d218..72d4ed5e535 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md 
@@ -41,16 +41,16 @@ cosign sign-blob [flags] --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret - --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore") - --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application - --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read - --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") - --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] - --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. + --oidc-client-id string OIDC client ID for application (default "sigstore") + --oidc-client-secret-file string Path to file containing OIDC client secret for application + --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read + --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") + --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] + --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. 
--output string write the signature to FILE --output-certificate string write the certificate to FILE --output-signature string write the signature to FILE - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string write the RFC3161 timestamp to a file --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 6d8392c85df..655f3ae49d2 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -80,19 +80,19 @@ cosign sign [flags] --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret - --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore") - --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application - --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read - --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") - --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] - --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. + --oidc-client-id string OIDC client ID for application (default "sigstore") + --oidc-client-secret-file string Path to file containing OIDC client secret for application + --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read + --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth") + --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent] + --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'. 
--output-certificate string write the certificate to FILE --output-payload string write the signed payload to FILE --output-signature string write the signature to FILE --payload string path to a payload file to use rather than generating one -r, --recursive if a multi-arch image is specified, additionally sign each discrete image --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1 - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md index 2fe3f19efea..044724104e8 100644 --- a/doc/cosign_verify-attestation.md +++ b/doc/cosign_verify-attestation.md 
@@ -80,7 +80,7 @@ cosign verify-attestation [flags] --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --policy strings specify CUE or Rego files will be using for validation - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --sk whether to use a hardware security key --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md index aee0633ccd1..7dc0fe512a3 100644 --- a/doc/cosign_verify-blob-attestation.md +++ b/doc/cosign_verify-blob-attestation.md @@ -46,7 +46,7 @@ cosign verify-blob-attestation [flags] --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log --key string path to the public key file, KMS URI or Kubernetes Secret --offline only allow offline verification - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string path to RFC3161 timestamp FILE --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string path to base64-encoded signature over attestation in DSSE format 
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md index 6ef5f908b58..77b970f0d4f 100644 --- a/doc/cosign_verify-blob.md +++ b/doc/cosign_verify-blob.md @@ -75,7 +75,7 @@ cosign verify-blob [flags] --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log --key string path to the public key file, KMS URI or Kubernetes Secret --offline only allow offline verification - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --rfc3161-timestamp string path to RFC3161 timestamp FILE --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string signature content or path or remote URL diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md index 1ea9d603f19..48294bf55a3 100644 --- a/doc/cosign_verify.md +++ b/doc/cosign_verify.md 
@@ -89,7 +89,7 @@ cosign verify [flags] --offline only allow offline verification -o, --output string output format for the signing image information (json|text) (default "json") --payload string payload path or remote URL - --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev") + --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev") --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs. --signature string signature content or path or remote URL --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256")
diff --git a/test/e2e_test.sh b/test/e2e_test.sh
index c7872ae420d..f3eb00f5d32 100755
--- a/test/e2e_test.sh
+++ b/test/e2e_test.sh
@@ -47,7 +47,6 @@ go build -o cosign ./cmd/cosign
 go test -tags=e2e -race $(go list ./... | grep -v third_party/)
 # Test `cosign dockerfile verify`
-export COSIGN_EXPERIMENTAL=true
 ./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
 if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi
 ./cosign dockerfile verify --base-image-only ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com