Remove experimental flag from cosign sign and cosign verify #2387
Conversation
this changes cosign behavior to automatically add all signatures to the transparency log. in the next commit i'll move the verification for this into the 'ShouldUploadTlog' function. Signed-off-by: Priya Wadhwa <[email protected]>
Signed-off-by: Priya Wadhwa <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #2387 +/- ##
=======================================
Coverage 30.12% 30.13%
=======================================
Files 136 136
Lines 8451 8456 +5
=======================================
+ Hits 2546 2548 +2
- Misses 5574 5578 +4
+ Partials 331 330 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Priya Wadhwa <[email protected]>
|
Can we be merge this into a release branch instead of main? Otherwise, we'll need to block future cosign releases until this and all other 2.0 work is done. |
|
@priyawadhwa, do you think a one-pager on this would be helpful? I noticed some TODOs, I think it'd be helpful to write up a brief doc where the community and maintainers can chime in with thoughts about flags and whatnot. |
|
@cpanato suggested forking off the 1.0 branch so that we can merge 2.0 changes in main. I like that proposal since I think it'll be easier than constantly rebasing a 2.0 branch (and I don't think we'll have to merge to 1.0 very often). WDYT @haydentherapper? |
|
Is there much difference between forking and creating a separate branch and rebasing only once we're ready to merge in the changes? I'm good with either! I think we should also ask that no major refactors occur in Cosign during the 2.0 work. |
|
Created |
| @@ -1179,16 +1179,16 @@ func TestTlog(t *testing.T) { | |||
| // Now verify should work! | |||
| must(verify(pubKeyPath, imgName, true, nil, ""), t) | |||
|
|
|||
| // Now we turn on the tlog! | |||
| defer setenv(t, env.VariableExperimental.String(), "1")() | |||
| // TODO: priyawadhwa@ to figure out how to add an entry to the tlog without using keyless signing | |||
There was a problem hiding this comment.
I'm hesitant about removing tests - I think these should be a part of the PR and not separate.
|
have we made or do we need a corresponding PR in https://github.com/sigstore/docs to update the docs on https://docs.sigstore.dev/cosign/keyless/? See also the Sigstore Slack discussion https://sigstore.slack.com/archives/C01PZKDL4DP/p1682515342798789 |
|
Docs are being actively updated. Signing and verifying has been updated |
part 1/n for #2255
figure there's a decent amount of refactoring to do here, but this is a good start. will have to include the other commands in follow-ups as well.
Signed-off-by: Priya Wadhwa [email protected]
Summary
Release Note
Remove the experimental flag from cosign sign and cosign verify, make keyless signing the default
Documentation