Add privacy statement for PII storage (#1909)

This statement has been added just before the OIDC code/normal flow,
since only in this flow we expect a user to be present. For the device
flow or when a token is provided, it's likely that Cosign is being run
in an automated environment.

This requires the user either type Y or provide a global flag for
confirmation. This should not break any existing flows in automated
environments because it's only the flow when a browser is needed, not
for the device flow or when a token is provided.

Signed-off-by: Hayden Blauzvern <[email protected]>

cmd/cosign/cli/clean.go

@@ -51,7 +51,7 @@ func Clean() *cobra.Command {
 
 func CleanCmd(ctx context.Context, regOpts options.RegistryOptions, cleanType, imageRef string, force bool) error {
 	if !force {
-		ok, err := cosign.ConfirmPrompt(prompt(cleanType))
+		ok, err := cosign.ConfirmPromptDestructive(prompt(cleanType))
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/commands.go

@@ -26,6 +26,7 @@ import (
 
 	cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/pkg/cosign"
 )
 
 var (
@@ -73,6 +74,11 @@ func New() *cobra.Command {
 			if ro.Verbose {
 				logs.Debug.SetOutput(os.Stderr)
 			}
+
+			if ro.SkipConfirmation {
+				cosign.SetSkipConfirmation(ro.SkipConfirmation)
+			}
+
 			return nil
 		},
 		PersistentPostRun: func(cmd *cobra.Command, args []string) {

cmd/cosign/cli/fulcio/fulcio.go

@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"net/url"
 	"os"
@@ -41,6 +42,12 @@ const (
 	FlowNormal = "normal"
 	FlowDevice = "device"
 	FlowToken  = "token"
+	// spacing is intentional to have this indented
+	PrivacyStatement = `
+        Note that there may be personally identifiable information associated with this signed artifact.
+        This may include the email address associated with the account with which you authenticate.
+        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.`
+	PrivacyStatementConfirmation = "        By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs."
 )
 
 type oidcConnector interface {
@@ -135,6 +142,8 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 	}
 	fmt.Fprintln(os.Stderr, "Retrieving signed certificate...")
 
+	fmt.Fprintln(os.Stderr, PrivacyStatement)
+
 	var flow string
 	switch {
 	case ko.FulcioAuthFlow != "":
@@ -146,6 +155,13 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 		fmt.Fprintln(os.Stderr, "Non-interactive mode detected, using device flow.")
 		flow = FlowDevice
 	default:
+		ok, err := cosign.ConfirmPrompt(PrivacyStatementConfirmation)
+		if err != nil {
+			return nil, err
+		}
+		if !ok {
+			return nil, errors.New("no confirmation")
+		}
 		flow = FlowNormal
 	}
 	Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain.

cmd/cosign/cli/options/root.go

@@ -23,9 +23,10 @@ import (
 
 // RootOptions define flags and options for the root cosign cli.
 type RootOptions struct {
-	OutputFile string
-	Verbose    bool
-	Timeout    time.Duration
+	OutputFile       string
+	Verbose          bool
+	Timeout          time.Duration
+	SkipConfirmation bool
 }
 
 // DefaultTimeout specifies the default timeout for commands.
@@ -43,4 +44,7 @@ func (o *RootOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.PersistentFlags().DurationVarP(&o.Timeout, "timeout", "t", DefaultTimeout,
 		"timeout for commands")
+
+	cmd.PersistentFlags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
+		"skip confirmation prompts for non-destructive operations")
 }