Skip to content

Commit

Permalink
Make the warning around TUF roots a little less scary. (#590)
Browse files Browse the repository at this point in the history
Signed-off-by: Dan Lorenc <[email protected]>
  • Loading branch information
dlorenc authored Aug 28, 2021
1 parent 36fa588 commit b1c033d
Show file tree
Hide file tree
Showing 5 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion cmd/cosign/cli/fulcio/fulcio.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ func initRoots() *x509.CertPool {
err := tuf.GetTarget(ctx, fulcioTargetStr, &buf)
if err != nil {
// The user may not have initialized the local root metadata. Log the error and use the embedded root.
fmt.Fprintln(os.Stderr, "using embedded fulcio certificate. did you run `cosign init`? error retrieving target: ", err)
fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded CA certificate.")
if !cp.AppendCertsFromPEM([]byte(rootPem)) {
panic("error creating root cert pool")
}
Expand Down
3 changes: 1 addition & 2 deletions cmd/cosign/cli/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,15 +116,14 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {

co := &cosign.CheckOpts{
Annotations: *c.Annotations,
RootCerts: fulcio.GetRoots(),
RegistryClientOpts: DefaultRegistryClientOpts(ctx),
}
if c.CheckClaims {
co.ClaimVerifier = cosign.SimpleClaimVerifier
}
if EnableExperimental() {
co.RekorURL = c.RekorURL

co.RootCerts = fulcio.GetRoots()
}
keyRef := c.KeyRef

Expand Down
3 changes: 2 additions & 1 deletion cmd/cosign/cli/verify_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
}

co := &cosign.CheckOpts{
RootCerts: fulcio.GetRoots(),
RegistryClientOpts: DefaultRegistryClientOpts(ctx),
SigTagSuffixOverride: cosign.AttestationTagSuffix,
}
Expand All @@ -125,6 +124,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
}
if EnableExperimental() {
co.RekorURL = c.RekorURL
co.RootCerts = fulcio.GetRoots()

}
keyRef := c.KeyRef

Expand Down
2 changes: 1 addition & 1 deletion cmd/sget/cli/sget.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,6 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
co := &cosign.CheckOpts{
ClaimVerifier: cosign.SimpleClaimVerifier,
VerifyBundle: true,
RootCerts: fulcio.GetRoots(),
RegistryClientOpts: []remote.Option{
remote.WithAuthFromKeychain(authn.DefaultKeychain),
remote.WithContext(ctx),
Expand All @@ -58,6 +57,7 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
}

if co.SigVerifier != nil || cli.EnableExperimental() {
co.RootCerts = fulcio.GetRoots()
sigRepo, err := cli.TargetRepositoryForImage(ref)
if err != nil {
return nil, err
Expand Down
2 changes: 1 addition & 1 deletion pkg/cosign/tlog.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ func GetRekorPub() string {
err := tuf.GetTarget(ctx, rekorTargetStr, &buf)
if err != nil {
// The user may not have initialized the local root metadata. Log the error and use the embedded root.
fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err)
fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded rekor key")
return rekorPub
}
return buf.String()
Expand Down

0 comments on commit b1c033d

Please sign in to comment.