From 1e7bfcc8f998cd23e687754b3d7ec7bd2a439f71 Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Mon, 24 Apr 2023 09:12:40 -0700
Subject: [PATCH 1/2] Remove experimental warning from Fulcio flags
Signed-off-by: Priya Wadhwa
---
 cmd/cosign/cli/options/fulcio.go | 6 +++---
 doc/cosign_attest-blob.md | 6 +++---
 doc/cosign_attest.md | 6 +++---
 doc/cosign_sign-blob.md | 6 +++---
 doc/cosign_sign.md | 6 +++---
 5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go
index 93983fc8f66..291710c077b 100644
--- a/cmd/cosign/cli/options/fulcio.go
+++ b/cmd/cosign/cli/options/fulcio.go
@@ -34,11 +34,11 @@ var _ Interface = (*FulcioOptions)(nil)
 func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 // TODO: change this back to api.SigstorePublicServerURL after the v1 migration is complete.
 cmd.Flags().StringVar(&o.URL, "fulcio-url", DefaultFulcioURL,
- "[EXPERIMENTAL] address of sigstore PKI server")
+ "address of sigstore PKI server")
 cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
- "[EXPERIMENTAL] identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
+ "identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
 cmd.Flags().BoolVar(&o.InsecureSkipFulcioVerify, "insecure-skip-verify", false,
- "[EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).")
+ "skip verifying fulcio published to the SCT (this should only be used for testing).")
 }
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index d8b7bbafd50..4be2d929657 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
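Review bot: The `--insecure-skip-verify` usage string on the new side, `"skip verifying fulcio published to the SCT (this should only be used for testing)."`, is ungrammatical and never says which check is being skipped, which matters more now that the [EXPERIMENTAL] prefix is gone and it reads as a supported flag. Going by the field name `InsecureSkipFulcioVerify` and the SCT mention, it presumably skips checking the Signed Certificate Timestamp that Fulcio returns with the certificate; if that is right, `"skip verifying the SCT returned by fulcio, i.e. the proof that the certificate was published to the certificate transparency log (this should only be used for testing)."` says so. Since `--identity-token` also accepts the token itself as the argument, its usage could add that a literal token is visible in process listings and shell history and that the file form is preferred. AddFlags is shown in full here, but the rest of the file is not.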
@@ -33,11 +33,11 @@ cosign attest-blob [flags]
 --bundle string write everything required to verify the blob to a FILE
 --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
 --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
- --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
+ --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 --hash string hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash
 -h, --help help for attest-blob
- --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
- --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
+ --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
+ --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 93b0b08996b..d9f7f5c05a2 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -44,10 +44,10 @@ cosign attest [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
 --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
- --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
+ --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for attest
- --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
- --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
+ --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
+ --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --no-upload do not upload the generated attestation
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index e2067a4e5c8..41605e1d218 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -35,10 +35,10 @@ cosign sign-blob [flags]
 ```
 --b64 whether to base64 encode the output (default true)
 --bundle string write everything required to verify the blob to a FILE
- --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
+ --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for sign-blob
- --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
- --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
+ --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
+ --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 2004290aaeb..6d8392c85df 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -73,10 +73,10 @@ cosign sign [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
 --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
- --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
+ --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for sign
- --identity-token string [EXPERIMENTAL] identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
- --insecure-skip-verify [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing).
+ --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
+ --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --key string path to the private key file, KMS URI or Kubernetes Secret
From 5ceec00857f48d9b7c0b4d5575dff3f719fe7c8d Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Mon, 24 Apr 2023 09:41:30 -0700
Subject: [PATCH 2/2] Remove experimental from Rekor/OIDC related flags
Signed-off-by: Priya Wadhwa
---
 cmd/cosign/cli/options/oidc.go | 12 ++++++------
 cmd/cosign/cli/options/rekor.go | 2 +-
 doc/cosign_attest-blob.md | 14 +++++++-------
 doc/cosign_attest.md | 14 +++++++-------
 doc/cosign_dockerfile_verify.md | 2 +-
 doc/cosign_manifest_verify.md | 2 +-
 doc/cosign_sign-blob.md | 14 +++++++-------
 doc/cosign_sign.md | 14 +++++++-------
 doc/cosign_verify-attestation.md | 2 +-
 doc/cosign_verify-blob-attestation.md | 2 +-
 doc/cosign_verify-blob.md | 2 +-
 doc/cosign_verify.md | 2 +-
 test/e2e_test.sh | 1 -
 13 files changed, 41 insertions(+), 42 deletions(-)
diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
index 2bd3d13b1e5..580b93d4ca0 100644
--- a/cmd/cosign/cli/options/oidc.go
+++ b/cmd/cosign/cli/options/oidc.go
@@ -57,21 +57,21 @@ var _ Interface = (*OIDCOptions)(nil)
 // AddFlags implements Interface
 func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Issuer, "oidc-issuer", DefaultOIDCIssuerURL,
- "[EXPERIMENTAL] OIDC provider to be used to issue ID token")
+ "OIDC provider to be used to issue ID token")
 cmd.Flags().StringVar(&o.ClientID, "oidc-client-id", "sigstore",
- "[EXPERIMENTAL] OIDC client ID for application")
+ "OIDC client ID for application")
 cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "",
- "[EXPERIMENTAL] Path to file containing OIDC client secret for application")
+ "Path to file containing OIDC client secret for application")
 _ = cmd.Flags().SetAnnotation("oidc-client-secret-file", cobra.BashCompFilenameExt, []string{})
 cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
- "[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+ "OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
 cmd.Flags().StringVar(&o.Provider, "oidc-provider", "",
- "[EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]")
+ "Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]")
 cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
- "[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
+ "Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }
diff --git a/cmd/cosign/cli/options/rekor.go b/cmd/cosign/cli/options/rekor.go
index 66dbe449f99..724d6143e6b 100644
--- a/cmd/cosign/cli/options/rekor.go
+++ b/cmd/cosign/cli/options/rekor.go
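Review bot: The usage strings left behind after stripping the prefix are inconsistently capitalized: `"Path to file containing OIDC client secret for application"`, `"Specify the provider to get the OIDC token from (Optional)…"` and `"Disable ambient OIDC providers…"` begin with a capital, while the fulcio.go and rekor.go strings in this same patch and the other flags on the generated doc pages ("path to…", "whether to…") are lowercase. Now that these flags are no longer tagged experimental they sit next to the others in `--help` output, so I would lowercase the three leading words (`"path to file…"`, `"specify the provider…"`, `"disable ambient OIDC providers…"`). Separately, the `--oidc-redirect-url` usage states a default of 'http://localhost:0/auth/callback' while the flag is registered with `""`; the fallback is presumably applied elsewhere, so either a short comment above the flag pointing to where, or rewording to `"… If unset, http://localhost:0/auth/callback is used."`, would stop the help text and the registered default from disagreeing. AddFlags is shown in full here.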
@@ -31,5 +31,5 @@ var _ Interface = (*RekorOptions)(nil)
 // AddFlags implements Interface
 func (o *RekorOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.URL, "rekor-url", DefaultRekorURL,
- "[EXPERIMENTAL] address of rekor STL server")
+ "address of rekor STL server")
 }
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index 4be2d929657..664d32086d5 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
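Review bot: The new usage string `"address of rekor STL server"` keeps the abbreviation STL, which is expanded nowhere in the help output and is not the wording the rest of the docs use (`--insecure-ignore-tlog` in this same patch says "transparency log"). With the [EXPERIMENTAL] tag gone this is the user-facing description of a production flag, so I would spell it out: `"address of rekor transparency log server"`. AddFlags is shown in full here.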
@@ -39,17 +39,17 @@ cosign attest-blob [flags]
 --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
 --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --key string path to the private key file, KMS URI or Kubernetes Secret
- --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
- --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
- --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
- --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
- --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
- --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
+ --oidc-client-id string OIDC client ID for application (default "sigstore")
+ --oidc-client-secret-file string Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read
+ --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
+ --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output-attestation string write the attestation to FILE
 --output-certificate string write the certificate to FILE
 --output-signature string write the signature to FILE
 --predicate string path to the predicate file.
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp-bundle string path to an RFC 3161 timestamp bundle FILE
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index d9f7f5c05a2..2f3b3682b51 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -51,15 +51,15 @@ cosign attest [flags]
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --no-upload do not upload the generated attestation
- --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
- --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
- --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
- --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
- --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
- --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
+ --oidc-client-id string OIDC client ID for application (default "sigstore")
+ --oidc-client-secret-file string Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read
+ --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
+ --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --predicate string path to the predicate file.
 -r, --recursive if a multi-arch image is specified, additionally sign each discrete image
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --replace
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
index a5a1d6c8fd7..ca55a5a40b7 100644
--- a/doc/cosign_dockerfile_verify.md
+++ b/doc/cosign_dockerfile_verify.md
@@ -76,7 +76,7 @@ cosign dockerfile verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
 --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256")
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
index fc9565b3d8c..7934a5ab667 100644
--- a/doc/cosign_manifest_verify.md
+++ b/doc/cosign_manifest_verify.md
@@ -70,7 +70,7 @@ cosign manifest verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
 --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256")
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 41605e1d218..72d4ed5e535 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -41,16 +41,16 @@ cosign sign-blob [flags]
 --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing).
 --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided
 --key string path to the private key file, KMS URI or Kubernetes Secret
- --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
- --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
- --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
- --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
- --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
- --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
+ --oidc-client-id string OIDC client ID for application (default "sigstore")
+ --oidc-client-secret-file string Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read
+ --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
+ --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output string write the signature to FILE
 --output-certificate string write the certificate to FILE
 --output-signature string write the signature to FILE
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp string write the RFC3161 timestamp to a file
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 6d8392c85df..655f3ae49d2 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -80,19 +80,19 @@ cosign sign [flags]
 --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --key string path to the private key file, KMS URI or Kubernetes Secret
- --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
- --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
- --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
- --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
- --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
- --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
+ --oidc-client-id string OIDC client ID for application (default "sigstore")
+ --oidc-client-secret-file string Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers Disable ambient OIDC providers. When true, ambient credentials will not be read
+ --oidc-issuer string OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem, buildkite-agent]
+ --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output-certificate string write the certificate to FILE
 --output-payload string write the signed payload to FILE
 --output-signature string write the signature to FILE
 --payload string path to a payload file to use rather than generating one
 -r, --recursive if a multi-arch image is specified, additionally sign each discrete image
 --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
 --timestamp-server-url string url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
index 2fe3f19efea..044724104e8 100644
--- a/doc/cosign_verify-attestation.md
+++ b/doc/cosign_verify-attestation.md
@@ -80,7 +80,7 @@ cosign verify-attestation [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --policy strings specify CUE or Rego files will be using for validation
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md
index aee0633ccd1..7dc0fe512a3 100644
--- a/doc/cosign_verify-blob-attestation.md
+++ b/doc/cosign_verify-blob-attestation.md
@@ -46,7 +46,7 @@ cosign verify-blob-attestation [flags]
 --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log
 --key string path to the public key file, KMS URI or Kubernetes Secret
 --offline only allow offline verification
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp string path to RFC3161 timestamp FILE
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string path to base64-encoded signature over attestation in DSSE format
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
index 6ef5f908b58..77b970f0d4f 100644
--- a/doc/cosign_verify-blob.md
+++ b/doc/cosign_verify-blob.md
@@ -75,7 +75,7 @@ cosign verify-blob [flags]
 --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log
 --key string path to the public key file, KMS URI or Kubernetes Secret
 --offline only allow offline verification
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp string path to RFC3161 timestamp FILE
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
index 1ea9d603f19..48294bf55a3 100644
--- a/doc/cosign_verify.md
+++ b/doc/cosign_verify.md
@@ -89,7 +89,7 @@ cosign verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
- --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+ --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
 --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256")
diff --git a/test/e2e_test.sh b/test/e2e_test.sh
index c7872ae420d..f3eb00f5d32 100755
--- a/test/e2e_test.sh
+++ b/test/e2e_test.sh
@@ -47,7 +47,6 @@ go build -o cosign ./cmd/cosign
 go test -tags=e2e -race $(go list ./... | grep -v third_party/)
 # Test `cosign dockerfile verify`
-export COSIGN_EXPERIMENTAL=true
 ./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com
 if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/alpine-base/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com); then false; fi
 ./cosign dockerfile verify --base-image-only ./test/testdata/unsigned_build_stage.Dockerfile --certificate-identity https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com