diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9997e3c101f..b77021b2429 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -62,7 +62,7 @@ jobs: - name: creds run: gcloud auth configure-docker --quiet - - name: containers-cosign-sget + - name: containers-cosign run: make sign-ci-containers env: KO_PREFIX: gcr.io/projectsigstore/cosign/ci diff --git a/.github/workflows/cross.yaml b/.github/workflows/cross.yaml index 82db8d34963..665d563599e 100644 --- a/.github/workflows/cross.yaml +++ b/.github/workflows/cross.yaml @@ -25,15 +25,12 @@ jobs: include: - os: macos-latest COSIGN_TARGET: cosign-darwin-amd64 - SGET_TARGET: sget-darwin-amd64 COSIGN_PASSWORD: COSIGN_PASSWORD - os: ubuntu-latest COSIGN_TARGET: cosign-linux-amd64 - SGET_TARGET: sget-linux-amd64 COSIGN_PASSWORD: COSIGN_PASSWORD - os: windows-latest COSIGN_TARGET: cosign-windows-amd64.exe - SGET_TARGET: sget-windows-amd64.exe COSIGN_PASSWORD: COSIGN_PASSWORD steps: - name: Install Go @@ -46,14 +43,11 @@ jobs: - name: build cosign run: | make cosign && mv ./cosign ./${{matrix.COSIGN_TARGET}} - make sget && mv ./sget ./${{matrix.SGET_TARGET}} - name: Create checksum file shell: pwsh run: | $hash=Get-FileHash -Path ./${{matrix.COSIGN_TARGET}} Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.COSIGN_TARGET}}.sha256 - $hash=Get-FileHash -Path ./${{matrix.SGET_TARGET}} - Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.SGET_TARGET}}.sha256 - name: sign shell: bash env: 
@@ -61,12 +55,10 @@ jobs: if: github.event_name != 'pull_request' run: | ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig - ./${{matrix.COSIGN_TARGET}} sign-blob --yes --key ./.github/workflows/cosign-test.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig - name: verify if: github.event_name != 'pull_request' run: | ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}} - ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}} - name: Upload artifacts if: github.event_name != 'pull_request' uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 @@ -76,6 +68,3 @@ jobs: cosign-* cosign.-*sha256 cosign-*.sig - sget-* - sget.-*sha256 - sget-*.sig diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml index ca819143589..2297b5ea3f3 100644 --- a/.github/workflows/e2e-with-binary.yml +++ b/.github/workflows/e2e-with-binary.yml @@ -42,7 +42,6 @@ jobs: id-token: write contents: read env: - COSIGN_EXPERIMENTAL: "true" COSIGN_YES: "true" steps: diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml index 667d4d46c9e..37dff1a069a 100644 --- a/.github/workflows/github-oidc.yaml +++ b/.github/workflows/github-oidc.yaml @@ -35,7 +35,6 @@ jobs: packages: write contents: read env: - COSIGN_EXPERIMENTAL: "true" GIT_HASH: ${{ github.sha }} GIT_VERSION: unstable GITHUB_RUN_ID: ${{ github.run_id }} diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index ab9a7bc21c5..ea65c056330 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml 
@@ -70,4 +70,3 @@ jobs: - name: check binaries run: | ./dist/cosign-linux-amd64 version - ./dist/sget-linux-amd64 version diff --git a/.gitignore b/.gitignore index dc48d1d5b2b..f3515880e35 100644 --- a/.gitignore +++ b/.gitignore @@ -19,7 +19,6 @@ /cosign* .vscode .idea -/sget* # fuzzing artifacts *.libfuzzer @@ -28,10 +27,6 @@ bin* dist/ cosignImagerefs -policyControllerImagerefs -sgetImagerefs -policyImagerefs - bundle signature certificate diff --git a/.goreleaser.yml b/.goreleaser.yml index bc73025ab07..71ff7e381c4 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -155,53 +155,12 @@ builds: - pivkey - pkcs11key - - id: sget - binary: sget-{{ .Os }}-{{ .Arch }} - no_unique_dist_dir: true - mod_timestamp: '{{ .CommitTimestamp }}' - main: ./cmd/sget - flags: - - -trimpath - goos: - - linux - - darwin - - windows - goarch: - - amd64 - - arm64 - - arm - - s390x - - ppc64le - - riscv64 - goarm: - - '7' - ignore: - - goos: windows - goarch: arm64 - - goos: windows - goarch: arm - - goos: windows - goarch: s390x - - goos: windows - goarch: ppc64le - ldflags: - - "{{ .Env.LDFLAGS }}" - env: - - CGO_ENABLED=0 - signs: - id: cosign signature: "${artifact}.sig" cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] artifacts: binary - - id: sget - signature: "${artifact}.sig" - cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] - artifacts: binary - ids: - - sget # Keyless - id: cosign-keyless signature: "${artifact}-keyless.sig" 
@@ -209,14 +168,6 @@ signs: cmd: ./dist/cosign-linux-amd64 args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] artifacts: binary - - id: sget-keyless - signature: "${artifact}-keyless.sig" - certificate: "${artifact}-keyless.pem" - cmd: ./dist/cosign-linux-amd64 - args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"] - artifacts: binary - ids: - - sget - id: checksum-keyless signature: "${artifact}-keyless.sig" certificate: "${artifact}-keyless.pem" diff --git a/.ko.yaml b/.ko.yaml index 46c05743e1f..d64dcd6c753 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -31,18 +31,3 @@ builds: ldflags: - -extldflags "-static" - "{{ .Env.LDFLAGS }}" - -- id: sget - dir: . - main: ./cmd/sget - env: - - CGO_ENABLED=0 - flags: - - -trimpath - - --tags - - "{{ .Env.GIT_HASH }}" - - --tags - - "{{ .Env.GIT_VERSION }}" - ldflags: - - -extldflags "-static" - - "{{ .Env.LDFLAGS }}" diff --git a/Makefile b/Makefile index 5fe26785700..2ce7d7ba9fd 100644 --- a/Makefile +++ b/Makefile @@ -84,10 +84,6 @@ cosign: $(SRCS) cosign-pivkey-pkcs11key: $(SRCS) CGO_ENABLED=1 $(GOEXE) build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign -.PHONY: sget -sget: ## Build sget binary - $(GOEXE) build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/sget - .PHONY: cross cross: $(foreach GOOS, $(PLATFORMS),\ @@ -112,7 +108,6 @@ test: clean: rm -rf cosign - rm -rf sget rm -rf dist/ KOCACHE_PATH=/tmp/ko @@ -133,7 +128,7 @@ endef # ko build ########## .PHONY: ko -ko: ko-cosign ko-sget +ko: ko-cosign .PHONY: ko-cosign ko-cosign: 
@@ -144,15 +139,6 @@ ko-cosign: $(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \ github.com/sigstore/cosign/v2/cmd/cosign -.PHONY: ko-sget -ko-sget: - # sget - LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ - KOCACHE=$(KOCACHE_PATH) ko build --base-import-paths \ - --platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \ - --image-refs sgetImagerefs \ - github.com/sigstore/cosign/v2/cmd/sget - .PHONY: ko-local ko-local: $(create_kocache_path) diff --git a/README.md b/README.md index 6b75771e561..3ccfbae5595 100644 --- a/README.md +++ b/README.md 
@@ -192,44 +192,6 @@ Pushing signature to: ttl.sh/my-artifact-f42c22e0 As usual, make sure to reference any images you sign by their digest to make sure you don't sign the wrong thing! -#### sget - -We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor. - -To install `sget`, if you have Go 1.16+, you can directly run: - - $ go install github.com/sigstore/cosign/v2/cmd/sget@latest - -and the resulting binary will be placed at `$GOPATH/bin/sget` (or `$GOBIN/sget`, if set). - -Just like `curl`, `sget` can be used to fetch artifacts by digest using the OCI URL. -Digest verification is automatic: - -```shell -$ sget us.gcr.io/dlorenc-vmtest2/readme@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec > artifact -``` - -You can also use `sget` to fetch contents by tag. -Fetching contents without verifying them is dangerous, so we require the artifact be signed in this case: - -```shell -$ sget gcr.io/dlorenc-vmtest2/artifact -error: public key must be specified when fetching by tag, you must fetch by digest or supply a public key - -$ sget --key cosign.pub us.gcr.io/dlorenc-vmtest2/readme > foo - -Verification for us.gcr.io/dlorenc-vmtest2/readme -- -The following checks were performed on each of these signatures: - - The cosign claims were validated - - Existence of the claims in the transparency log was verified offline - - The signatures were verified against the specified public key - - The code-signing certificate was verified using trusted certificate authority certificates -``` - -The signature, claims and transparency log proofs are all verified automatically by sget as part of the download. - -`curl | bash` isn't a great idea, but `sget | bash` is less-bad. - #### Tekton Bundles [Tekton](https://tekton.dev) bundles can be uploaded and managed within an OCI registry. 
diff --git a/cmd/sget/cli/commands.go b/cmd/sget/cli/commands.go
deleted file mode 100644
index 1f6691e22f3..00000000000
--- a/cmd/sget/cli/commands.go
+++ /dev/null
@@ -1,86 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Deprecated: This package is deprecated and will be removed in a future release.
-package cli
-
-import (
- "bytes"
- "errors"
- "io"
- "os"
-
- "github.com/spf13/cobra"
- "sigs.k8s.io/release-utils/version"
-
- "github.com/sigstore/cosign/v2/cmd/sget/cli/options" //nolint:staticcheck
- "github.com/sigstore/cosign/v2/pkg/sget" //nolint:staticcheck
-)
-
-var (
- ro = &options.RootOptions{}
-)
-
-func New() *cobra.Command {
- cmd := &cobra.Command{
- Use: "sget ",
- Short: "sget [--key ] ",
- Long: `sget is DEPRECATED in the cosign repo -- see https://github.com/sigstore/sget for the new tool.`,
- Args: func(cmd *cobra.Command, args []string) error {
- if len(args) != 1 {
- return errors.New("a single image reference is required")
- }
- ro.ImageRef = args[0]
- return nil
- },
- RunE: func(cmd *cobra.Command, args []string) error {
- wc, err := createSink(ro.OutputFile)
- if err != nil {
- return err
- }
- defer wc.Close()
- return sget.New(ro.ImageRef, ro.PublicKey, ro.RekorURL, wc).Do(cmd.Context())
- },
- }
- ro.AddFlags(cmd)
-
- // Add sub-commands.
- cmd.AddCommand(version.Version())
-
- return cmd
-}
-
-func createSink(path string) (io.WriteCloser, error) {
- if path == "" {
- // When writing to stdout, buffer so we can check the digest first.
- return &buffered{w: os.Stdout, buf: &bytes.Buffer{}}, nil
- }
-
- return os.Create(path)
-}
-
-type buffered struct {
- w io.Writer
- buf *bytes.Buffer
-}
-
-func (b *buffered) Write(p []byte) (n int, err error) {
- return b.buf.Write(p)
-}
-
-func (b *buffered) Close() error {
- _, err := io.Copy(b.w, b.buf)
- return err
-}
diff --git a/cmd/sget/cli/options/root.go b/cmd/sget/cli/options/root.go
deleted file mode 100644
index 00e0192d931..00000000000
--- a/cmd/sget/cli/options/root.go
+++ /dev/null
@@ -1,44 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Deprecated: This package is deprecated and will be removed in a future release.
-package options
-
-import (
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/spf13/cobra"
-)
-
-// RootOptions define flags and options for the root sget cli.
-type RootOptions struct {
- OutputFile string
- PublicKey string
- ImageRef string
- RekorURL string
-}
-
-var _ options.Interface = (*RootOptions)(nil)
-
-// AddFlags implements options.Interface
-func (o *RootOptions) AddFlags(cmd *cobra.Command) {
- cmd.Flags().StringVarP(&o.OutputFile, "output", "o", "",
- "output file")
-
- cmd.Flags().StringVar(&o.PublicKey, "key", "",
- "path to the public key file, URL, or KMS URI")
-
- cmd.Flags().StringVar(&o.RekorURL, "rekor-url", options.DefaultRekorURL,
- "[EXPERIMENTAL] address of rekor STL server")
-}
diff --git a/cmd/sget/main.go b/cmd/sget/main.go
deleted file mode 100644
index dcf9c75f14d..00000000000
--- a/cmd/sget/main.go
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
- "fmt"
- "log"
- "os"
- "strings"
- "time"
-
- "github.com/sigstore/cosign/v2/cmd/sget/cli" //nolint:staticcheck
-
- // Register the provider-specific plugins
- _ "github.com/sigstore/sigstore/pkg/signature/kms/aws"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/azure"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
-)
-
-const deprecationWarning = `
--------- NOTICE --------
-The sget tool in the cosign repo is deprecated, and will be removed in a future release.
-
-If you're interested in fetching content from an OCI registry or from an arbitrary URLs, please see: https://github.com/sigstore/sget.
------------------------
-
-func main() {
- log.Print(deprecationWarning)
- time.Sleep(3 * time.Second)
-
- // Fix up flags to POSIX standard flags.
- for i, arg := range os.Args {
- if (strings.HasPrefix(arg, "-") && len(arg) == 2) || (strings.HasPrefix(arg, "--") && len(arg) >= 4) {
- continue
- }
- if strings.HasPrefix(arg, "--") && len(arg) == 3 {
- // Handle --o, convert to -o
- newArg := fmt.Sprintf("-%c", arg[2])
- fmt.Fprintf(os.Stderr, "WARNING: the flag %s is deprecated and will be removed in a future release.
Please use the flag %s.\n", arg, newArg)
- os.Args[i] = newArg
- } else if strings.HasPrefix(arg, "-") {
- // Handle -output, convert to --output
- newArg := fmt.Sprintf("-%s", arg)
- fmt.Fprintf(os.Stderr, "WARNING: the flag %s is deprecated and will be removed in a future release. Please use the flag %s.\n", arg, newArg)
- os.Args[i] = newArg
- }
- }
-
- if err := cli.New().Execute(); err != nil {
- log.Fatalf("error during command execution: %v", err)
- }
-}
diff --git a/pkg/sget/sget.go b/pkg/sget/sget.go
deleted file mode 100644
index cf876fa4d13..00000000000
--- a/pkg/sget/sget.go
+++ /dev/null
@@ -1,145 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Deprecated: This package is deprecated and will be removed in a future release.
-package sget
-
-import (
- "context"
- "errors"
- "fmt"
- "io"
-
- "github.com/google/go-containerregistry/pkg/authn"
- "github.com/google/go-containerregistry/pkg/name"
- "github.com/google/go-containerregistry/pkg/v1/remote"
-
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
- "github.com/sigstore/cosign/v2/pkg/cosign"
- ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
- sigs "github.com/sigstore/cosign/v2/pkg/signature"
-)
-
-func New(image, key, rekorURL string, out io.Writer) *SecureGet {
- return &SecureGet{
- ImageRef: image,
- KeyRef: key,
- RekorURL: rekorURL,
- Out: out,
- }
-}
-
-type SecureGet struct {
- ImageRef string
- KeyRef string
- RekorURL string
- Out io.Writer
-}
-
-func (sg *SecureGet) Do(ctx context.Context) error {
- ref, err := name.ParseReference(sg.ImageRef)
- if err != nil {
- return err
- }
-
- opts := []remote.Option{
- remote.WithAuthFromKeychain(authn.DefaultKeychain),
- remote.WithContext(ctx),
- }
-
- co := &cosign.CheckOpts{
- ClaimVerifier: cosign.SimpleClaimVerifier,
- RegistryClientOpts: []ociremote.Option{ociremote.WithRemoteOptions(opts...)},
-
}
- rekorClient, err := rekor.NewClient(sg.RekorURL)
- if err != nil {
- return fmt.Errorf("creating Rekor client: %w", err)
- }
- co.RekorClient = rekorClient
-
- co.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
- if err != nil {
- return fmt.Errorf("getting Rekor public keys: %w", err)
- }
-
- if _, ok := ref.(name.Tag); ok {
- if sg.KeyRef == "" && !options.EnableExperimental() {
- return errors.New("public key must be specified when fetching by tag, you must fetch by digest or supply a public key")
- }
- }
- // Overwrite "ref" with a digest to avoid a race where we verify the tag,
- // and then access the file through the tag. This has a race where we
- // might download content that isn't what we verified.
- ref, err = ociremote.ResolveDigest(ref, co.RegistryClientOpts...)
- if err != nil {
- return err
- }
-
- if sg.KeyRef != "" {
- pub, err := sigs.LoadPublicKey(ctx, sg.KeyRef)
- if err != nil {
- return err
- }
- co.SigVerifier = pub
- }
-
- if co.SigVerifier != nil || options.EnableExperimental() {
- // NB: There are only 2 kinds of verification right now:
- // 1. You gave us the public key explicitly to verify against so co.SigVerifier is non-nil or,
- // 2. We're going to find an x509 certificate on the signature and verify against Fulcio root trust
- // TODO(nsmith5): Refactor this verification logic to pass back _how_ verification
- // was performed so we don't need to use this fragile logic here.
- fulcioVerified := (co.SigVerifier == nil)
-
- co.RootCerts, err = fulcio.GetRoots()
- if err != nil {
- return fmt.Errorf("getting Fulcio roots: %w", err)
- }
- co.IntermediateCerts, err = fulcio.GetIntermediates()
- if err != nil {
- return fmt.Errorf("getting Fulcio intermediates: %w", err)
- }
- sp, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co)
- if err != nil {
- return err
- }
- verify.PrintVerificationHeader(ctx, sg.ImageRef, co, bundleVerified, fulcioVerified)
- verify.PrintVerification(ctx, sp, "text")
- }
-
- // TODO(mattmoor): Depending on what this is, use the higher-level stuff.
- img, err := remote.Image(ref, opts...)
- if err != nil {
- return err
- }
- layers, err := img.Layers()
- if err != nil {
- return err
- }
- if len(layers) != 1 {
- return errors.New("invalid artifact")
- }
- rc, err := layers[0].Compressed()
- if err != nil {
- return err
- }
-
- _, err = io.Copy(sg.Out, rc)
- return err
-}
diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh
index fdaa98a1bcb..c9cd94c12b9 100755
--- a/release/ko-sign-release-images.sh
+++ b/release/ko-sign-release-images.sh
@@ -32,16 +32,8 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi -if [[ ! -f sgetImagerefs ]]; then - echo "sgetImagerefs not found" - exit 1 -fi - echo "Signing cosign images with GCP KMS Key..." - cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) -cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) echo "Signing images with Keyless..." cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) -cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs) diff --git a/release/release.mk b/release/release.mk index 9f92deb4fbc..e30117180d6 100644 --- a/release/release.mk +++ b/release/release.mk @@ -4,7 +4,7 @@ # used when releasing together with GCP CloudBuild .PHONY: release release: - LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --timeout 120m + LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --clean --timeout 120m ###################### # sign section 
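Review bot: `--clean` on the `release` target is a behavioural change as well as a flag rename: GoReleaser only accepts it from the releases that introduced it as the replacement for `--rm-dist` (1.15 or later, as far as I can tell), so with an older pinned binary both this target and `snapshot` in the next hunk fail on an unknown flag, and the pinned GoReleaser version is not visible on this page. Unlike `snapshot`, `release` never wiped `dist/` before, so anything staged into `dist/` ahead of `goreleaser release` in the CloudBuild flow would now be discarded; the `signs` entries read `./dist/cosign-linux-amd64`, which GoReleaser itself builds, so that path looks safe, but any externally staged content is worth checking. A short comment above the recipe, `# --clean replaces the removed --rm-dist flag and empties dist/ before building`, would make the intent and the minimum GoReleaser version explicit.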
@@ -18,19 +18,12 @@ sign-release-images: ko # used when need to validate the goreleaser .PHONY: snapshot snapshot: - LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 120m --parallelism 1 + LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --clean --timeout 120m --parallelism 1 #################### # copy image to GHCR #################### -.PHONY: copy-cosign-signed-release-to-ghcr -copy-cosign-signed-release-to-ghcr: - cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) - -.PHONY: copy-sget-signed-release-to-ghcr -copy-sget-signed-release-to-ghcr: - cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION) - .PHONY: copy-signed-release-to-ghcr -copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-sget-signed-release-to-ghcr +copy-signed-release-to-ghcr: + cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) diff --git a/scripts/sign-images-ci.sh b/scripts/sign-images-ci.sh index 8abf3cfa5a7..391785dafd2 100755 --- a/scripts/sign-images-ci.sh +++ b/scripts/sign-images-ci.sh @@ -29,12 +29,5 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi -if [[ ! -f sgetImagerefs ]]; then - echo "sgetImagerefs not found" - exit 1 -fi - echo "Signing cosign images using Keyless..." - $COSIGN_CLI sign -y -a sha="$GIT_HASH" -a run_id="$GITHUB_RUN_ID" -a run_attempt="$GITHUB_RUN_ATTEMPT" $(cat cosignImagerefs) -$COSIGN_CLI sign -y -a sha="$GIT_HASH" -a run_id="$GITHUB_RUN_ID" -a run_attempt="$GITHUB_RUN_ATTEMPT" $(cat sgetImagerefs) diff --git a/test/ci.mk b/test/ci.mk index 01b143d727e..246ed3395aa 100644 --- a/test/ci.mk +++ b/test/ci.mk 
@@ -5,7 +5,6 @@ .PHONY: sign-ci-containers sign-ci-containers: ko cosign sign --yes --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH) - cosign sign --yes --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/sget:$(GIT_HASH) .PHONY: sign-ci-keyless-containers sign-ci-keyless-containers: ko diff --git a/test/e2e_test.go b/test/e2e_test.go index 02cf82c0ad8..719cd5cd11a 100644 --- a/test/e2e_test.go +++ b/test/e2e_test.go @@ -25,7 +25,6 @@ import ( "encoding/base64" "encoding/json" "fmt" - "io" "net/http/httptest" "net/url" "os" @@ -55,16 +54,13 @@ import ( "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/publickey" "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" - "github.com/sigstore/cosign/v2/cmd/cosign/cli/upload" cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify" "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/cosign/v2/pkg/cosign/bundle" "github.com/sigstore/cosign/v2/pkg/cosign/env" "github.com/sigstore/cosign/v2/pkg/cosign/kubernetes" - cremote "github.com/sigstore/cosign/v2/pkg/cosign/remote" "github.com/sigstore/cosign/v2/pkg/oci/mutate" ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote" - "github.com/sigstore/cosign/v2/pkg/sget" sigs "github.com/sigstore/cosign/v2/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/payload" tsaclient "github.com/sigstore/timestamp-authority/pkg/client" 
@@ -1540,55 +1536,6 @@ func TestUploadDownload(t *testing.T) { } } -func TestUploadBlob(t *testing.T) { - repo, stop := reg(t) - defer stop() - td := t.TempDir() - ctx := context.Background() - - imgName := path.Join(repo, "/cosign-upload-e2e") - payload := "testpayload" - payloadPath := mkfile(payload, td, t) - - // Upload it! - files := []cremote.File{cremote.FileFromFlag(payloadPath)} - must(upload.BlobCmd(ctx, options.RegistryOptions{}, files, nil, "", imgName), t) - - // Check it - ref, err := name.ParseReference(imgName) - if err != nil { - t.Fatal(err) - } - - // Now download it with sget (this should fail by tag) - if err := sget.New(imgName, "", "", os.Stdout).Do(ctx); err == nil { - t.Error("expected download to fail") - } - - img, err := remote.Image(ref) - if err != nil { - t.Fatal(err) - } - dgst, err := img.Digest() - if err != nil { - t.Fatal(err) - } - - result := &bytes.Buffer{} - - // But pass by digest - if err := sget.New(imgName+"@"+dgst.String(), "", "", result).Do(ctx); err != nil { - t.Fatal(err) - } - b, err := io.ReadAll(result) - if err != nil { - t.Fatal(err) - } - if string(b) != payload { - t.Errorf("expected contents to be %s, got %s", payload, string(b)) - } -} - func TestSaveLoad(t *testing.T) { tests := []struct { description string diff --git a/test/e2e_test_attach.sh b/test/e2e_test_attach.sh index 49f2830c21f..35e44f8645f 100644 --- a/test/e2e_test_attach.sh +++ b/test/e2e_test_attach.sh @@ -17,10 +17,8 @@ set -ex go build -o cosign ./cmd/cosign -go build -o sget ./cmd/sget tmp=$(mktemp -d -t cosign-e2e-attach.XXXX) cp cosign $tmp/ -cp sget $tmp/ #copying key, cert, certchain and rootcert in temp folder cp ./test/testdata/test_attach_private_key $tmp/private_key diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh index 59ff687b565..e784f8c1ff6 100755 --- a/test/e2e_test_secrets.sh +++ b/test/e2e_test_secrets.sh 
@@ -17,10 +17,8 @@ set -ex go build -o cosign ./cmd/cosign -go build -o sget ./cmd/sget tmp=$(mktemp -d -t cosign-e2e-secrets.XXXX) cp cosign $tmp/ -cp sget $tmp/ pushd $tmp @@ -130,7 +128,7 @@ tail -n 1 sigs > cdr.sig ./cosign verify-blob --key ${verification_key} --signature car.sig myblob ./cosign verify-blob --key ${verification_key} --signature cdr.sig myblob2 -## upload blob/sget +## upload blob blobimg="${TEST_INSTANCE_REPO}/blob" crane ls ${blobimg} | while read tag ; do crane delete "${blobimg}:${tag}" ; done @@ -142,23 +140,6 @@ dgst=$(./cosign upload blob -f randomblob ${blobimg}) ./cosign sign --key ${signing_key} ${dgst} ./cosign verify --key ${verification_key} ${dgst} # For sanity -# sget w/ signature verification should work via tag or digest -./sget --key ${verification_key} -o verified_randomblob_from_digest $dgst -./sget --key ${verification_key} -o verified_randomblob_from_tag $blobimg - -# sget w/o signature verification should only work for ref by digest -./sget --key ${verification_key} -o randomblob_from_digest $dgst -if (./sget -o randomblob_from_tag $blobimg); then false; fi - -# clean up a bit -crane delete $blobimg || true -crane delete $dgst || true - -# Make sure they're the same -if ( ! cmp -s randomblob verified_randomblob_from_digest ); then false; fi -if ( ! cmp -s randomblob verified_randomblob_from_tag ); then false; fi -if ( ! cmp -s randomblob randomblob_from_digest ); then false; fi - # clean up a bit crane delete $blobimg || true crane delete $dgst || true diff --git a/test/e2e_test_secrets_kms.sh b/test/e2e_test_secrets_kms.sh index 27a1aab58c9..ca540cc2763 100755 --- a/test/e2e_test_secrets_kms.sh +++ b/test/e2e_test_secrets_kms.sh @@ -17,10 +17,8 @@ set -ex go build -o cosign ./cmd/cosign -go build -o sget ./cmd/sget tmp=$(mktemp -d -t cosign-e2e-secrets.XXXXXX) cp cosign $tmp/ -cp sget $tmp/ cd $tmp