Deprecate --certificate-email flag. Make --certificate-identity and -…

cmd/cosign/cli/dockerfile.go

@@ -90,7 +90,7 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 					CheckClaims:                  o.CheckClaims,
 					KeyRef:                       o.Key,
 					CertRef:                      o.CertVerify.Cert,
-					CertEmail:                    o.CertVerify.CertEmail,
+					CertIdentity:                 o.CertVerify.CertIdentity,
 					CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 					CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 					CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,

cmd/cosign/cli/manifest.go

@@ -85,7 +85,7 @@ against the transparency log.`,
 					CheckClaims:                  o.CheckClaims,
 					KeyRef:                       o.Key,
 					CertRef:                      o.CertVerify.Cert,
-					CertEmail:                    o.CertVerify.CertEmail,
+					CertIdentity:                 o.CertVerify.CertIdentity,
 					CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 					CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 					CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,

cmd/cosign/cli/options/certificate.go

@@ -21,7 +21,6 @@ import (
 // CertVerifyOptions is the wrapper for certificate verification.
 type CertVerifyOptions struct {
 	Cert                         string
-	CertEmail                    string
 	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
@@ -41,14 +40,11 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.")
 	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})
 
-	cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
-		"the email expected in a valid Fulcio certificate")
-
 	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
-		"the identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs.")
+		"Required. The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs.")
 
 	cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
-		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
+		"Required. The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
 
 	// -- Cert extensions begin --
 	// Source: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md

cmd/cosign/cli/verify.go

@@ -97,7 +97,6 @@ against the transparency log.`,
 				CheckClaims:                  o.CheckClaims,
 				KeyRef:                       o.Key,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
 				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
@@ -186,7 +185,6 @@ against the transparency log.`,
 				RegistryOptions:              o.Registry,
 				CheckClaims:                  o.CheckClaims,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
 				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,
@@ -276,7 +274,6 @@ The blob may be specified as a path to a file or - for stdin.`,
 			verifyBlobCmd := verify.VerifyBlobCmd{
 				KeyOpts:                      ko,
 				CertRef:                      o.CertVerify.Cert,
-				CertEmail:                    o.CertVerify.CertEmail,
 				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOIDCIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,

cmd/cosign/cli/verify/verify.go

@@ -51,7 +51,6 @@ type VerifyCommand struct {
 	CheckClaims                  bool
 	KeyRef                       string
 	CertRef                      string
-	CertEmail                    string
 	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
@@ -99,16 +98,14 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	co := &cosign.CheckOpts{
 		Annotations:                  c.Annotations.Annotations,
 		RegistryClientOpts:           ociremoteOpts,
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		EnforceSCT:                   c.EnforceSCT,
 		SignatureRef:                 c.SignatureRef,
+		Identities:                   []cosign.Identity{{Issuer: c.CertOidcIssuer, Subject: c.CertIdentity}},
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier

cmd/cosign/cli/verify/verify_attestation.go

@@ -45,7 +45,6 @@ type VerifyAttestationCommand struct {
 	CheckClaims                  bool
 	KeyRef                       string
 	CertRef                      string
-	CertEmail                    string
 	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
@@ -81,15 +80,13 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 	}
 	co := &cosign.CheckOpts{
 		RegistryClientOpts:           ociremoteOpts,
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		EnforceSCT:                   c.EnforceSCT,
+		Identities:                   []cosign.Identity{{Issuer: c.CertOidcIssuer, Subject: c.CertIdentity}},
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier

cmd/cosign/cli/verify/verify_blob.go

@@ -69,7 +69,6 @@ func isb64(data []byte) bool {
 type VerifyBlobCmd struct {
 	options.KeyOpts
 	CertRef                      string
-	CertEmail                    string
 	CertIdentity                 string
 	CertOIDCIssuer               string
 	CertChain                    string
@@ -102,15 +101,13 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 	}
 
 	co := &cosign.CheckOpts{
-		CertEmail:                    c.CertEmail,
-		CertIdentity:                 c.CertIdentity,
-		CertOidcIssuer:               c.CertOIDCIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSHA,
 		CertGithubWorkflowName:       c.CertGithubWorkflowName,
 		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
 		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
 		EnforceSCT:                   c.EnforceSCT,
+		Identities:                   []cosign.Identity{{Issuer: c.CertOIDCIssuer, Subject: c.CertIdentity}},
 	}
 	if options.EnableExperimental() {
 		if c.RekorURL != "" {

cmd/cosign/cli/verify/verify_blob_test.go

@@ -545,6 +545,7 @@ func TestVerifyBlob(t *testing.T) {
 			co := &cosign.CheckOpts{
 				SigVerifier: tt.sigVerifier,
 				RootCerts:   rootPool,
+				Identities:  []cosign.Identity{{Issuer: issuer, Subject: identity}},
 			}
 			// if expermental is enabled, add RekorClient to co.
 			if tt.experimental {
@@ -719,7 +720,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 		// Verify command
 		cmd := VerifyBlobCmd{
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertOIDCIssuer: issuer,
 			EnforceSCT:     false,
 		}
@@ -817,11 +818,13 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 
 		// Verify command
 		cmd := VerifyBlobCmd{
-			CertRef:    "", // Cert is fetched from bundle
-			CertChain:  "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
-			SigRef:     "", // Sig is fetched from bundle
-			KeyOpts:    options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT: false,
+			CertIdentity:   identity,
+			CertOIDCIssuer: issuer,
+			CertRef:        "", // Cert is fetched from bundle
+			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
+			SigRef:         "", // Sig is fetched from bundle
+			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
+			EnforceSCT:     false,
 		}
 		if err := cmd.Exec(context.Background(), blobPath); err != nil {
 			t.Fatal(err)
@@ -850,11 +853,13 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 
 		// Verify command
 		cmd := VerifyBlobCmd{
-			CertRef:    "", // Cert is fetched from bundle
-			CertChain:  "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
-			SigRef:     "", // Sig is fetched from bundle
-			KeyOpts:    options.KeyOpts{BundlePath: bundlePath},
-			EnforceSCT: false,
+			CertIdentity:   identity,
+			CertOIDCIssuer: issuer,
+			CertRef:        "", // Cert is fetched from bundle
+			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
+			SigRef:         "", // Sig is fetched from bundle
+			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
+			EnforceSCT:     false,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
 		if err == nil || !strings.Contains(err.Error(), "unable to verify SET") {
@@ -887,13 +892,13 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
 			CertRef:        "", // Cert is fetched from bundle
 			CertOIDCIssuer: issuer,
-			CertEmail:      "[email protected]",
+			CertIdentity:   "[email protected]",
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			EnforceSCT:     false,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
-		if err == nil || !strings.Contains(err.Error(), "expected identity not found in certificate") {
+		if err == nil || !strings.Contains(err.Error(), "none of the expected identities matched what was in the certificate") {
 			t.Fatalf("expected error with mismatched identity, got %v", err)
 		}
 	})
@@ -922,14 +927,14 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 		cmd := VerifyBlobCmd{
 			CertRef:        "", // Cert is fetched from bundle
 			CertOIDCIssuer: "invalid",
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
 			EnforceSCT:     false,
 		}
 		err = cmd.Exec(context.Background(), blobPath)
-		if err == nil || !strings.Contains(err.Error(), "expected oidc issuer not found in certificate") {
+		if err == nil || !strings.Contains(err.Error(), "none of the expected identities matched what was in the certificate") {
 			t.Fatalf("expected error with mismatched issuer, got %v", err)
 		}
 	})
@@ -959,7 +964,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 		cmd := VerifyBlobCmd{
 			CertRef:        certPath,
 			CertOIDCIssuer: issuer,
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
@@ -994,7 +999,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 		// Verify command
 		cmd := VerifyBlobCmd{
 			CertOIDCIssuer: issuer,
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      os.Getenv("SIGSTORE_ROOT_FILE"),
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
@@ -1040,7 +1045,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 		// Verify command
 		cmd := VerifyBlobCmd{
 			CertOIDCIssuer: issuer,
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      tmpChainFile.Name(),
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
@@ -1083,7 +1088,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 		cmd := VerifyBlobCmd{
 			CertRef:        certPath,
 			CertOIDCIssuer: issuer,
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},
@@ -1119,7 +1124,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 		cmd := VerifyBlobCmd{
 			CertRef:        "",
 			CertOIDCIssuer: issuer, // Fetched from bundle
-			CertEmail:      identity,
+			CertIdentity:   identity,
 			CertChain:      "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			SigRef:         "", // Sig is fetched from bundle
 			KeyOpts:        options.KeyOpts{BundlePath: bundlePath},