passing '--bundle' flag causes cosign to ignore '--output-certificate' and '--output-signature' #2005

Closed
patflynn opened this issue Jun 17, 2022 · 3 comments · Fixed by #2016
Labels
bug Something isn't working

Comments

patflynn commented Jun 17, 2022

Good news is this behavior is the same in keyless and keyfull mode.

to reproduce:

  1. run `COSIGN_EXPERIMENTAL=true cosign sign-blob java-service.jar --output-certificate foo.pem --output-signature foo.sig --bundle foo.bundle`
  2. run `ls` and observe that your foo.sig and foo.pem files were never written.
@patflynn patflynn added the bug Something isn't working label Jun 17, 2022
@znewman01
Contributor

Duplicate of #1821

Dentrax commented Jun 19, 2022

I think @priyawadhwa did this on purpose, since foo.bundle contains both the sig and cert information inside it:

```shell
# same output as --output-signature
$ cat foo.bundle | jq -r .base64Signature

# same output as --output-certificate
$ cat foo.bundle | jq -r .cert
```

What's the right UX here?

  • if --bundle is passed with any other --output- flag, should we print an info log saying that we ignore the other outputs?
  • rename --bundle to --output-bundle and do not ignore the rest
  • make --bundle mutually exclusive with --output- flags
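Until the fix lands, the two values can be recovered from the bundle as the comment above shows with jq. The script below is an added example, not cosign's own code or anything from the thread: it reads a bundle, checks that the `base64Signature` and `cert` fields are present and well-formed, and writes the files that `--output-signature` and `--output-certificate` would have produced. The sample bundle is constructed, and it assumes (the thread does not say) that the `cert` field holds a base64-encoded PEM certificate; a field that already contains PEM is accepted too.

```python
"""Split a cosign sign-blob bundle into the .sig and .pem files that
--output-signature / --output-certificate would have written.

Added example for the issue thread; not part of cosign.
"""
import base64
import binascii
import json
from pathlib import Path
from typing import Tuple

# Constructed sample bundle. The field names are the ones the thread reads
# with jq; the values are placeholders, not a real signature or certificate.
SAMPLE_SIG_B64 = base64.b64encode(b"placeholder-signature-bytes").decode("ascii")
SAMPLE_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
)
SAMPLE_BUNDLE = json.dumps({
    "base64Signature": SAMPLE_SIG_B64,
    # assumption: cosign stores the PEM base64-encoded inside the bundle
    "cert": base64.b64encode(SAMPLE_CERT_PEM).decode("ascii"),
})


def _require(bundle: dict, key: str) -> str:
    """Return a non-empty string field or fail loudly; a silently empty
    signature or certificate file would be worse than no file at all."""
    value = bundle.get(key)
    if not isinstance(value, str) or not value:
        raise ValueError(f"bundle is missing a non-empty '{key}' field")
    return value


def split_bundle(bundle_json: str) -> Tuple[str, bytes]:
    """Return (base64 signature text, certificate PEM bytes) from a bundle.

    The signature is returned as the base64 text that --output-signature
    writes; it is decoded once only to confirm it is valid base64.
    """
    bundle = json.loads(bundle_json)

    sig_b64 = _require(bundle, "base64Signature")
    try:
        base64.b64decode(sig_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64Signature is not valid base64") from exc

    cert_field = _require(bundle, "cert")
    if cert_field.startswith("-----BEGIN"):
        # field already holds PEM text
        cert_pem = cert_field.encode("ascii")
    else:
        try:
            cert_pem = base64.b64decode(cert_field, validate=True)
        except binascii.Error as exc:
            raise ValueError("cert is neither PEM nor valid base64") from exc
    if not cert_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("cert field does not decode to a PEM certificate")
    return sig_b64, cert_pem


def write_outputs(bundle_path: Path, sig_path: Path, cert_path: Path) -> None:
    """Write the files --output-signature / --output-certificate would have produced."""
    sig_b64, cert_pem = split_bundle(bundle_path.read_text(encoding="utf-8"))
    sig_path.write_text(sig_b64, encoding="ascii")
    cert_path.write_bytes(cert_pem)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "foo.bundle"
        bundle.write_text(SAMPLE_BUNDLE, encoding="utf-8")
        write_outputs(bundle, Path(tmp) / "foo.sig", Path(tmp) / "foo.pem")
        print(f"wrote foo.sig and foo.pem next to {bundle}")
```

Run it against a real bundle with `write_outputs(Path("foo.bundle"), Path("foo.sig"), Path("foo.pem"))`; a bundle that lacks either field, or whose fields are not valid base64, raises instead of producing empty or garbage files.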

@priyawadhwa
Contributor

Just commented in #1821 as well, but I think this is a bug. --bundle should work independently & --output-signature and --output-certificate should be respected!
