Remove sget command

.github/workflows/build.yaml

@@ -61,9 +61,7 @@ jobs:
 
       - name: creds
         run: gcloud auth configure-docker --quiet
-
-      - name: containers-cosign-sget
-        run: make sign-ci-containers
-        env:
-          KO_PREFIX: gcr.io/projectsigstore/cosign/ci
-          COSIGN_PASSWORD: "${{secrets.COSIGN_PASSWORD}}"
+      - name: container
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
+      - name: cosigned
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned

.github/workflows/cross.yaml

@@ -25,15 +25,12 @@ jobs:
         include:
           - os: macos-latest
             COSIGN_TARGET: cosign-darwin-amd64
-            SGET_TARGET: sget-darwin-amd64
             COSIGN_PASSWORD: COSIGN_PASSWORD
           - os: ubuntu-latest
             COSIGN_TARGET: cosign-linux-amd64
-            SGET_TARGET: sget-linux-amd64
             COSIGN_PASSWORD: COSIGN_PASSWORD
           - os: windows-latest
             COSIGN_TARGET: cosign-windows-amd64.exe
-            SGET_TARGET: sget-windows-amd64.exe
             COSIGN_PASSWORD: COSIGN_PASSWORD
     steps:
       - name: Install Go
@@ -46,27 +43,22 @@ jobs:
       - name: build cosign
         run: |
           make cosign && mv ./cosign ./${{matrix.COSIGN_TARGET}}
-          make sget && mv ./sget ./${{matrix.SGET_TARGET}}
       - name: Create checksum file
         shell: pwsh
         run: |
           $hash=Get-FileHash -Path ./${{matrix.COSIGN_TARGET}}
           Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.COSIGN_TARGET}}.sha256
-          $hash=Get-FileHash -Path ./${{matrix.SGET_TARGET}}
-          Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.SGET_TARGET}}.sha256
       - name: sign
         shell: bash
         env:
           COSIGN_PASSWORD: ${{secrets[matrix.COSIGN_PASSWORD]}}
         if: github.event_name != 'pull_request'
         run: |
-          ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
-          ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
+          ./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign-test.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
       - name: verify
         if: github.event_name != 'pull_request'
         run: |
           ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
-          ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
       - name: Upload artifacts
         if: github.event_name != 'pull_request'
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
@@ -76,6 +68,3 @@ jobs:
             cosign-*
             cosign.-*sha256
             cosign-*.sig
-            sget-*
-            sget.-*sha256
-            sget-*.sig

.github/workflows/validate-release.yml

@@ -70,4 +70,4 @@ jobs:
       - name: check binaries
         run: |
           ./dist/cosign-linux-amd64 version
-          ./dist/sget-linux-amd64 version
+          ./dist/cosigned-linux-amd64 --help

.goreleaser.yml

@@ -155,68 +155,56 @@ builds:
       - pivkey
       - pkcs11key
 
-  - id: sget
-    binary: sget-{{ .Os }}-{{ .Arch }}
-    no_unique_dist_dir: true
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    main: ./cmd/sget
-    flags:
-      - -trimpath
-    goos:
-      - linux
-      - darwin
-      - windows
-    goarch:
-      - amd64
-      - arm64
-      - arm
-      - s390x
-      - ppc64le
-      - riscv64
-    goarm:
-      - '7'
-    ignore:
-      - goos: windows
-        goarch: arm64
-      - goos: windows
-        goarch: arm
-      - goos: windows
-        goarch: s390x
-      - goos: windows
-        goarch: ppc64le
-    ldflags:
-      - "{{ .Env.LDFLAGS }}"
-    env:
-      - CGO_ENABLED=0
+- id: linux-cosigned
+  binary: cosigned-linux-{{ .Arch }}
+  no_unique_dist_dir: true
+  main: ./cmd/cosign/webhook
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  flags:
+    - -trimpath
+  goos:
+    - linux
+  goarch:
+    - amd64
+    - arm64
+    - arm
+    - s390x
+    - ppc64le
+  goarm:
+    - 7
+  ldflags:
+    - "{{ .Env.LDFLAGS }}"
+  env:
+    - CGO_ENABLED=0
 
 signs:
   - id: cosign
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
-  - id: sget
+  - id: cosigned
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
     ids:
-      - sget
+      - linux-cosigned
   # Keyless
   - id: cosign-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
     artifacts: binary
-  - id: sget-keyless
+  - id: cosigned-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
     artifacts: binary
     ids:
-      - sget
+      - linux-cosigned
   - id: checksum-keyless
     signature: "${artifact}-keyless.sig"
     certificate: "${artifact}-keyless.pem"

.ko.yaml

@@ -32,9 +32,9 @@ builds:
   - -extldflags "-static"
   - "{{ .Env.LDFLAGS }}"
 
-- id: sget
+- id: cosigned
   dir: .
-  main: ./cmd/sget
+  main: ./cmd/cosign/webhook
   env:
   - CGO_ENABLED=0
   flags:

Makefile

@@ -84,10 +84,6 @@ cosign: $(SRCS)
 cosign-pivkey-pkcs11key: $(SRCS)
 	CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign
 
-.PHONY: sget
-sget: ## Build sget binary
-	$(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget
-
 .PHONY: cross
 cross:
 	$(foreach GOOS, $(PLATFORMS),\
@@ -112,7 +108,7 @@ test:
 
 clean:
 	rm -rf cosign
-	rm -rf sget
+	rm -rf cosigned
 	rm -rf dist/
 
 KOCACHE_PATH=/tmp/ko
@@ -144,15 +140,6 @@ ko-cosign:
 		$(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \
 		github.com/sigstore/cosign/v2/cmd/cosign
 
-.PHONY: ko-sget
-ko-sget:
-	# sget
-	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \
-		--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		--image-refs sgetImagerefs \
-		github.com/sigstore/cosign/v2/cmd/sget
-
 .PHONY: ko-local
 ko-local:
 	$(create_kocache_path)

README.md

@@ -190,46 +190,6 @@ Enter password for private key:
 Pushing signature to: ttl.sh/my-artifact-f42c22e0
 ```
 
-As usual, make sure to reference any images you sign by their digest to make sure you don't sign the wrong thing!
-
-#### sget
-
-We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor.
-
-To install `sget`, if you have Go 1.16+, you can directly run:
-
-    $ go install github.com/sigstore/cosign/v2/cmd/sget@latest
-
-and the resulting binary will be placed at `$GOPATH/bin/sget` (or `$GOBIN/sget`, if set).
-
-Just like `curl`, `sget` can be used to fetch artifacts by digest using the OCI URL.
-Digest verification is automatic:
-
-```shell
-$ sget us.gcr.io/dlorenc-vmtest2/readme@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec > artifact
-```
-
-You can also use `sget` to fetch contents by tag.
-Fetching contents without verifying them is dangerous, so we require the artifact be signed in this case:
-
-```shell
-$ sget gcr.io/dlorenc-vmtest2/artifact
-error: public key must be specified when fetching by tag, you must fetch by digest or supply a public key
-
-$ sget --key cosign.pub us.gcr.io/dlorenc-vmtest2/readme > foo
-
-Verification for us.gcr.io/dlorenc-vmtest2/readme --
-The following checks were performed on each of these signatures:
-  - The cosign claims were validated
-  - Existence of the claims in the transparency log was verified offline
-  - The signatures were verified against the specified public key
-  - The code-signing certificate was verified using trusted certificate authority certificates
-```
-
-The signature, claims and transparency log proofs are all verified automatically by sget as part of the download.
-
-`curl | bash` isn't a great idea, but `sget | bash` is less-bad.
-
 #### Tekton Bundles
 
 [Tekton](https://tekton.dev) bundles can be uploaded and managed within an OCI registry.
@@ -786,6 +746,6 @@ process](https://github.com/sigstore/.github/blob/main/SECURITY.md)
 
 ## PEM files in GitHub Release Assets
 
-The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries. 
+The GitHub release assets for cosign contain a PEM file produced by [GoReleaser](https://github.com/sigstore/cosign/blob/ac999344eb381ae91455b0a9c5c267e747608d76/.goreleaser.yml#L166) while signing the cosign blob that is used to verify the integrity of the release binaries. This file is not used by cosign itself, but is provided for users who wish to verify the integrity of the release binaries.
 
-By default, cosign output these PEM files in [base64 encoded format](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md#options), this approach might be good for air-gapped environments where the PEM file is stored in a file system. So, you should decode these PEM files before using them to verify the blobs.
+By default, cosign output these PEM files in [base64 encoded format](https://github.com/sigstore/cosign/blob/main/doc/cosign_sign-blob.md#options), this approach might be good for air-gapped environments where the PEM file is stored in a file system. So, you should decode these PEM files before using them to verify the blobs.

release/release.mk

@@ -4,16 +4,37 @@
 # used when releasing together with GCP CloudBuild
 .PHONY: release
 release:
-	LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --timeout 120m
+	LDFLAGS="$(LDFLAGS)" goreleaser release
+
+###########################
+# sign with GCP KMS section
+###########################
+
+.PHONY: sign-cosign-release
+sign-cosign-release:
+	cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
+
+.PHONY: sign-cosigned-release
+sign-cosigned-release:
+	cosign sign --force --key "gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION}" -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
+
+.PHONY: sign-container-release
+sign-container-release: ko sign-cosign-release sign-cosigned-release
 
 ######################
 # sign section
 ######################
 
-.PHONY: sign-release-images
-sign-release-images: ko
-	GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	./release/ko-sign-release-images.sh
+.PHONY: sign-keyless-cosign-release
+sign-keyless-cosign-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosign:$(GIT_VERSION)
+
+.PHONY: sign-keyless-cosigned-release
+sign-keyless-cosigned-release:
+	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/cosigned:$(GIT_VERSION)
+
+.PHONY: sign-keyless-release
+sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release
 
 # used when need to validate the goreleaser
 .PHONY: snapshot

test/ci.mk

@@ -11,6 +11,15 @@ sign-ci-containers: ko
 sign-ci-keyless-containers: ko
 	./scripts/sign-images-ci.sh
 
-.PHONY: sign-blob-experimental
-sign-blob-experimental:
-	./test/sign_blob_test.sh
+.PHONY: sign-keyless-cosign
+sign-keyless-cosign:
+	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_HASH)
+	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_VERSION)
+
+.PHONY: sign-keyless-cosigned
+sign-keyless-cosigned:
+	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosigned:$(GIT_HASH)
+	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosigned:$(GIT_VERSION)
+
+.PHONY: sign-keyless-container
+sign-keyless-container: ko sign-keyless-cosign sign-keyless-cosigned

test/e2e_test_secrets.sh

@@ -17,10 +17,8 @@
 set -ex
 
 go build -o cosign ./cmd/cosign
-go build -o sget ./cmd/sget
 tmp=$(mktemp -d -t cosign-e2e-secrets.XXXX)
 cp cosign $tmp/
-cp sget $tmp/
 
 pushd $tmp
 
@@ -130,7 +128,7 @@ tail -n 1 sigs > cdr.sig
 ./cosign verify-blob --key ${verification_key} --signature car.sig myblob
 ./cosign verify-blob --key ${verification_key} --signature cdr.sig myblob2
 
-## upload blob/sget
+## upload blob
 blobimg="${TEST_INSTANCE_REPO}/blob"
 crane ls ${blobimg} | while read tag ; do crane delete "${blobimg}:${tag}" ; done
 
@@ -142,22 +140,13 @@ dgst=$(./cosign upload blob -f randomblob ${blobimg})
 ./cosign sign --key ${signing_key} ${dgst}
 ./cosign verify --key ${verification_key} ${dgst} # For sanity
 
-# sget w/ signature verification should work via tag or digest
-./sget --key ${verification_key} -o verified_randomblob_from_digest $dgst
-./sget --key ${verification_key} -o verified_randomblob_from_tag $blobimg
-
-# sget w/o signature verification should only work for ref by digest
-./sget --key ${verification_key} -o randomblob_from_digest $dgst
-if (./sget -o randomblob_from_tag $blobimg); then false; fi
-
 # clean up a bit
 crane delete $blobimg || true
 crane delete $dgst || true
 
 # Make sure they're the same
 if ( ! cmp -s randomblob verified_randomblob_from_digest ); then false; fi
 if ( ! cmp -s randomblob verified_randomblob_from_tag ); then false; fi
-if ( ! cmp -s randomblob randomblob_from_digest ); then false; fi
 
 # clean up a bit
 crane delete $blobimg || true