From 7064f0ad29f553fbd532098d4a64e53c2465efbb Mon Sep 17 00:00:00 2001 From: ttrabelsi Date: Thu, 22 Feb 2024 10:49:53 +0100 Subject: [PATCH 1/4] Honor creation timestamp for signatures again Signed-off-by: ttrabelsi --- pkg/oci/mutate/signatures.go | 12 ++++++++++++ pkg/oci/mutate/signatures_test.go | 4 ++-- pkg/oci/static/file.go | 11 +++++++++++ pkg/oci/static/file_test.go | 4 ++-- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/pkg/oci/mutate/signatures.go b/pkg/oci/mutate/signatures.go index 648cab04148..e16862d00fa 100644 --- a/pkg/oci/mutate/signatures.go +++ b/pkg/oci/mutate/signatures.go @@ -19,6 +19,7 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" + "github.com/sigstore/cosign/v2/internal/pkg/now" "github.com/sigstore/cosign/v2/pkg/oci" ) @@ -42,6 +43,17 @@ func AppendSignatures(base oci.Signatures, sigs ...oci.Signature) (oci.Signature return nil, err } + t, err := now.Now() + if err != nil { + return nil, err + } + + // Set the Created date to time of execution + img, err = mutate.CreatedAt(img, v1.Time{Time: t}) + if err != nil { + return nil, err + } + return &sigAppender{ Image: img, base: base, diff --git a/pkg/oci/mutate/signatures_test.go b/pkg/oci/mutate/signatures_test.go index 25384a60d8d..7bc12bcb8a0 100644 --- a/pkg/oci/mutate/signatures_test.go +++ b/pkg/oci/mutate/signatures_test.go @@ -73,7 +73,7 @@ func TestAppendSignatures(t *testing.T) { if testCfg, err := threeSig.ConfigFile(); err != nil { t.Fatalf("ConfigFile() = %v", err) - } else if !testCfg.Created.Time.IsZero() { - t.Errorf("Date of Signature was not Zero") + } else if testCfg.Created.Time.IsZero() { + t.Errorf("Date of Signature was Zero") } } diff --git a/pkg/oci/static/file.go b/pkg/oci/static/file.go index 6fc55d8311e..8e5cdc9c120 100644 --- a/pkg/oci/static/file.go +++ b/pkg/oci/static/file.go 
@@ -22,6 +22,7 @@ import ( "github.com/google/go-containerregistry/pkg/v1/empty" "github.com/google/go-containerregistry/pkg/v1/mutate" "github.com/google/go-containerregistry/pkg/v1/types" + "github.com/sigstore/cosign/v2/internal/pkg/now" "github.com/sigstore/cosign/v2/pkg/oci" "github.com/sigstore/cosign/v2/pkg/oci/signed" ) @@ -48,6 +49,16 @@ func NewFile(payload []byte, opts ...Option) (oci.File, error) { // Add annotations from options img = mutate.Annotations(img, o.Annotations).(v1.Image) + t, err := now.Now() + if err != nil { + return nil, err + } + + // Set the Created date to time of execution + img, err = mutate.CreatedAt(img, v1.Time{Time: t}) + if err != nil { + return nil, err + } return &file{ SignedImage: signed.Image(img), layer: layer, diff --git a/pkg/oci/static/file_test.go b/pkg/oci/static/file_test.go index 3dc5f304565..3c2877a4715 100644 --- a/pkg/oci/static/file_test.go +++ b/pkg/oci/static/file_test.go @@ -126,8 +126,8 @@ func TestNewFile(t *testing.T) { if err != nil { t.Fatalf("ConfigFile() = %v", err) } - if !fileCfg.Created.Time.IsZero() { - t.Errorf("Date of Signature was not Zero") + if fileCfg.Created.Time.IsZero() { + t.Errorf("Date of Signature was Zero") } }) From 8b8d95c8b9835122edfdcf9761f274406c4cba9d Mon Sep 17 00:00:00 2001 From: Tobias Trabelsi Date: Tue, 5 Mar 2024 23:13:32 +0100 Subject: [PATCH 2/4] setting creation timestamp behind a feature flag to preserve current behavior Signed-off-by: Tobias Trabelsi --- cmd/cosign/cli/options/sign.go | 3 +++ cmd/cosign/cli/sign.go | 5 ++++- cmd/cosign/cli/sign/sign.go | 2 +- doc/cosign_sign.md | 4 ++++ pkg/oci/mutate/mutate.go | 2 +- pkg/oci/mutate/options.go | 11 +++++++++-- pkg/oci/mutate/signatures.go | 20 +++++++++++--------- pkg/oci/mutate/signatures_test.go | 12 +++++++++--- pkg/oci/static/file.go | 19 +++++++++++-------- pkg/oci/static/file_test.go | 15 ++++++++++++++- pkg/oci/static/options.go | 22 +++++++++++++++------- 11 files changed, 82 insertions(+), 33 deletions(-) 
diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index c7cef860723..acabfe7a2fd 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go @@ -41,6 +41,7 @@ type SignOptions struct { TSAServerURL string IssueCertificate bool SignContainerIdentity string + HonorCreateTimestamp bool Rekor RekorOptions Fulcio FulcioOptions @@ -130,4 +131,6 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.SignContainerIdentity, "sign-container-identity", "", "manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature") + + cmd.Flags().BoolVar(&o.HonorCreateTimestamp, "honor-create-timestamp", false, "honor the create timestamp in the signature artefact to be pushed to the OCI registry") } diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 110a01a6fd0..1b65d59cde3 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -83,7 +83,10 @@ race conditions or (worse) malicious tampering. cosign sign --key cosign.key --tlog-upload=false # sign a container image by manually setting the container image identity - cosign sign --sign-container-identity `, + cosign sign --sign-container-identity + + # sign a container image and honor the creation timestamp of the signature + cosign sign --key cosign.key --honor-create-timestamp `, Args: cobra.MinimumNArgs(1), PersistentPreRun: options.BindViper, diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 122aaa3339b..57800b9f767 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go 
@@ -329,7 +329,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } // Attach the signature to the entity. - newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd)) + newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithHonorCreationTimestamp(signOpts.HonorCreateTimestamp)) if err != nil { return err } diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index a6cf4885536..d55df7d0348 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md @@ -64,6 +64,9 @@ cosign sign [flags] # sign a container image by manually setting the container image identity cosign sign --sign-container-identity + + # sign a container image and honor the creation timestamp of the signature + cosign sign --key cosign.key --honor-create-timestamp ``` ### Options @@ -78,6 +81,7 @@ cosign sign [flags] --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign + --honor-create-timestamp honor the create timestamp in the signature artefact to be pushed to the OCI registry --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided diff --git a/pkg/oci/mutate/mutate.go b/pkg/oci/mutate/mutate.go index f934cb358db..a9585012f50 100644 --- a/pkg/oci/mutate/mutate.go +++ b/pkg/oci/mutate/mutate.go 
@@ -377,5 +377,5 @@ func (so *signOpts) dedupeAndReplace(sig oci.Signature, basefn func() (oci.Signa } return ReplaceSignatures(replace) } - return AppendSignatures(base, sig) + return AppendSignatures(base, so.hct, sig) } diff --git a/pkg/oci/mutate/options.go b/pkg/oci/mutate/options.go index a4c41b6fa9c..028217ec5ed 100644 --- a/pkg/oci/mutate/options.go +++ b/pkg/oci/mutate/options.go @@ -33,8 +33,9 @@ type ReplaceOp interface { type SignOption func(*signOpts) type signOpts struct { - dd DupeDetector - ro ReplaceOp + dd DupeDetector + ro ReplaceOp + hct bool } func makeSignOpts(opts ...SignOption) *signOpts { @@ -59,6 +60,12 @@ func WithReplaceOp(ro ReplaceOp) SignOption { } } +func WithHonorCreationTimestamp(hct bool) SignOption { + return func(so *signOpts) { + so.hct = hct + } +} + type signatureOpts struct { annotations map[string]string bundle *bundle.RekorBundle diff --git a/pkg/oci/mutate/signatures.go b/pkg/oci/mutate/signatures.go index e16862d00fa..f7507987bd8 100644 --- a/pkg/oci/mutate/signatures.go +++ b/pkg/oci/mutate/signatures.go @@ -25,7 +25,7 @@ import ( // AppendSignatures produces a new oci.Signatures with the provided signatures // appended to the provided base signatures. -func AppendSignatures(base oci.Signatures, sigs ...oci.Signature) (oci.Signatures, error) { +func AppendSignatures(base oci.Signatures, honorTimestamp bool, sigs ...oci.Signature) (oci.Signatures, error) { adds := make([]mutate.Addendum, 0, len(sigs)) for _, sig := range sigs { ann, err := sig.Annotations() 
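Review bot: The new positional `honorTimestamp bool` parameter on the exported `AppendSignatures` in the pkg/oci/mutate/signatures.go hunk is a breaking change for every external caller of pkg/oci/mutate, and it sidesteps the package's own `SignOption` mechanism that the options.go hunk just extended with `WithHonorCreationTimestamp`; a variadic `...SignOption` on `AppendSignatures` (or a new `AppendSignaturesWithOptions` that the old signature delegates to) would keep existing call sites compiling and match how `signOpts` already carries the flag. The doc comment above the signature still describes only `base` and `sigs`; it should say what the flag does, e.g. `// If honorTimestamp is true, the Created time of the resulting image is set to the current time; otherwise it is left at the zero value so the image config, and hence its digest, does not change from run to run.` The patch 3 rename hunk for the same file (`recordCreationTimestamp`) leaves that comment untouched as well. The function body continues outside this hunk.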
@@ -43,15 +43,17 @@ func AppendSignatures(base oci.Signatures, sigs ...oci.Signature) (oci.Signature return nil, err } - t, err := now.Now() - if err != nil { - return nil, err - } + if honorTimestamp { + t, err := now.Now() + if err != nil { + return nil, err + } - // Set the Created date to time of execution - img, err = mutate.CreatedAt(img, v1.Time{Time: t}) - if err != nil { - return nil, err + // Set the Created date to time of execution + img, err = mutate.CreatedAt(img, v1.Time{Time: t}) + if err != nil { + return nil, err + } } return &sigAppender{ diff --git a/pkg/oci/mutate/signatures_test.go b/pkg/oci/mutate/signatures_test.go index 7bc12bcb8a0..b5f2b10c934 100644 --- a/pkg/oci/mutate/signatures_test.go +++ b/pkg/oci/mutate/signatures_test.go @@ -38,17 +38,17 @@ func TestAppendSignatures(t *testing.T) { t.Fatalf("NewSignature() = %v", err) } - oneSig, err := AppendSignatures(base, s1) + oneSig, err := AppendSignatures(base, false, s1) if err != nil { t.Fatalf("AppendSignatures() = %v", err) } - twoSig, err := AppendSignatures(oneSig, s2) + twoSig, err := AppendSignatures(oneSig, false, s2) if err != nil { t.Fatalf("AppendSignatures() = %v", err) } - threeSig, err := AppendSignatures(oneSig, s2, s3) + threeSig, err := AppendSignatures(oneSig, true, s2, s3) if err != nil { t.Fatalf("AppendSignatures() = %v", err) } @@ -76,4 +76,10 @@ func TestAppendSignatures(t *testing.T) { } else if testCfg.Created.Time.IsZero() { t.Errorf("Date of Signature was Zero") } + + if testDefaultCfg, err := twoSig.ConfigFile(); err != nil { + t.Fatalf("ConfigFile() = %v", err) + } else if !testDefaultCfg.Created.Time.IsZero() { + t.Errorf("Date of Signature was Zero") + } } diff --git a/pkg/oci/static/file.go b/pkg/oci/static/file.go index 8e5cdc9c120..a8f081737d4 100644 --- a/pkg/oci/static/file.go +++ b/pkg/oci/static/file.go 
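Review bot: In the pkg/oci/mutate/signatures_test.go hunk `@@ -76,4 +76,10 @@` the new `twoSig` check fires when `Created` is not zero but reports `t.Errorf("Date of Signature was Zero")`, the opposite of its condition; it should read `t.Errorf("Date of Signature was not Zero")`. Since the block sits directly under an assertion with the inverse expectation, a one-line comment such as `// twoSig was appended with the flag off: Created must stay the zero value` would make the pair readable at a glance. The gating block in signatures.go itself looks correct; `t, err := now.Now()` introduces a block-scoped `err`, which is fine here because `img, err = mutate.CreatedAt(...)` assigns to that same inner variable before the block ends.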
@@ -49,16 +49,19 @@ func NewFile(payload []byte, opts ...Option) (oci.File, error) { // Add annotations from options img = mutate.Annotations(img, o.Annotations).(v1.Image) - t, err := now.Now() - if err != nil { - return nil, err - } + if o.HonorCreateTimestamp { + t, err := now.Now() + if err != nil { + return nil, err + } - // Set the Created date to time of execution - img, err = mutate.CreatedAt(img, v1.Time{Time: t}) - if err != nil { - return nil, err + // Set the Created date to time of execution + img, err = mutate.CreatedAt(img, v1.Time{Time: t}) + if err != nil { + return nil, err + } } + return &file{ SignedImage: signed.Image(img), layer: layer, diff --git a/pkg/oci/static/file_test.go b/pkg/oci/static/file_test.go index 3c2877a4715..eec863b5036 100644 --- a/pkg/oci/static/file_test.go +++ b/pkg/oci/static/file_test.go @@ -32,6 +32,12 @@ func TestNewFile(t *testing.T) { t.Fatalf("NewFile() = %v", err) } + timestampedFile, err := NewFile([]byte(payload), WithLayerMediaType("foo"), WithAnnotations(map[string]string{"foo": "bar"}), WithHonorCreationTimestamp(true)) + + if err != nil { + t.Fatalf("NewFile() = %v", err) + } + layers, err := file.Layers() if err != nil { t.Fatalf("Layers() = %v", err) @@ -126,7 +132,14 @@ func TestNewFile(t *testing.T) { if err != nil { t.Fatalf("ConfigFile() = %v", err) } - if fileCfg.Created.Time.IsZero() { + if !fileCfg.Created.Time.IsZero() { + t.Errorf("Date of Signature was not Zero") + } + tsCfg, err := timestampedFile.ConfigFile() + if err != nil { + t.Fatalf("ConfigFile() = %v", err) + } + if tsCfg.Created.Time.IsZero() { t.Errorf("Date of Signature was Zero") } }) diff --git a/pkg/oci/static/options.go b/pkg/oci/static/options.go index 100c988e986..c9bea16d093 100644 --- a/pkg/oci/static/options.go +++ b/pkg/oci/static/options.go 
@@ -27,13 +27,14 @@ import ( type Option func(*options) type options struct { - LayerMediaType types.MediaType - ConfigMediaType types.MediaType - Bundle *bundle.RekorBundle - RFC3161Timestamp *bundle.RFC3161Timestamp - Cert []byte - Chain []byte - Annotations map[string]string + LayerMediaType types.MediaType + ConfigMediaType types.MediaType + Bundle *bundle.RekorBundle + RFC3161Timestamp *bundle.RFC3161Timestamp + Cert []byte + Chain []byte + Annotations map[string]string + HonorCreateTimestamp bool } func makeOptions(opts ...Option) (*options, error) { @@ -112,3 +113,10 @@ func WithCertChain(cert, chain []byte) Option { o.Chain = chain } } + +// WithHonorCreationTimestamp sets the feature flag to honor the creation timestamp to time of running +func WithHonorCreationTimestamp(hct bool) Option { + return func(o *options) { + o.HonorCreateTimestamp = hct + } +} From 5a0b0291645ad893b76bac072e8ec1accfe9c482 Mon Sep 17 00:00:00 2001 From: Tobias Trabelsi Date: Wed, 6 Mar 2024 21:37:44 +0100 Subject: [PATCH 3/4] review feedback Signed-off-by: Tobias Trabelsi --- cmd/cosign/cli/options/sign.go | 44 +++++++++++++++++----------------- cmd/cosign/cli/sign/sign.go | 2 +- doc/cosign_sign.md | 2 +- pkg/oci/mutate/mutate.go | 2 +- pkg/oci/mutate/options.go | 6 ++--- pkg/oci/mutate/signatures.go | 4 ++-- pkg/oci/static/file.go | 2 +- pkg/oci/static/file_test.go | 2 +- pkg/oci/static/options.go | 22 ++++++++--------- 9 files changed, 43 insertions(+), 43 deletions(-) diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go index acabfe7a2fd..70ec9acab62 100644 --- a/cmd/cosign/cli/options/sign.go +++ b/cmd/cosign/cli/options/sign.go 
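Review bot: The doc comment on `WithHonorCreationTimestamp` in the pkg/oci/static/options.go hunk, `// WithHonorCreationTimestamp sets the feature flag to honor the creation timestamp to time of running`, does not state the observable effect: when true, `NewFile` stamps the image config's Created field with the current time instead of leaving it at the zero value. Suggested wording: `// WithHonorCreationTimestamp sets whether the file image's Created timestamp is set to the current time; when false (the default) it is left at the zero value.` The patch 3 rename hunk for the same file carries the "honor ... to time of running" wording over to `WithRecordCreationTimestamp` and needs the same fix.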
@@ -21,27 +21,27 @@ import ( // SignOptions is the top level wrapper for the sign command. type SignOptions struct { - Key string - Cert string - CertChain string - Upload bool - Output string // deprecated: TODO remove when the output flag is fully deprecated - OutputSignature string // TODO: this should be the root output file arg. - OutputPayload string - OutputCertificate string - PayloadPath string - Recursive bool - Attachment string - SkipConfirmation bool - TlogUpload bool - TSAClientCACert string - TSAClientCert string - TSAClientKey string - TSAServerName string - TSAServerURL string - IssueCertificate bool - SignContainerIdentity string - HonorCreateTimestamp bool + Key string + Cert string + CertChain string + Upload bool + Output string // deprecated: TODO remove when the output flag is fully deprecated + OutputSignature string // TODO: this should be the root output file arg. + OutputPayload string + OutputCertificate string + PayloadPath string + Recursive bool + Attachment string + SkipConfirmation bool + TlogUpload bool + TSAClientCACert string + TSAClientCert string + TSAClientKey string + TSAServerName string + TSAServerURL string + IssueCertificate bool + SignContainerIdentity string + RecordCreationTimestamp bool Rekor RekorOptions Fulcio FulcioOptions 
@@ -132,5 +132,5 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.SignContainerIdentity, "sign-container-identity", "", "manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature") - cmd.Flags().BoolVar(&o.HonorCreateTimestamp, "honor-create-timestamp", false, "honor the create timestamp in the signature artefact to be pushed to the OCI registry") + cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value") } diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 57800b9f767..76c53a70322 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -329,7 +329,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } // Attach the signature to the entity. - newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithHonorCreationTimestamp(signOpts.HonorCreateTimestamp)) + newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithHonorCreationTimestamp(signOpts.RecordCreationTimestamp)) if err != nil { return err } diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index d55df7d0348..d8423db74b4 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
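Review bot: The help text for `--record-creation-timestamp` in the cmd/cosign/cli/options/sign.go hunk should spell out the trade-off behind the default, which it currently only hints at: with the flag off the signature image's config is byte-identical across runs, and with it on the config, and therefore the pushed signature manifest digest, differs on every invocation. As far as these hunks show, the Created value is plain image-config metadata written by `mutate.CreatedAt` after signing, not part of the signed payload and not a Rekor or TSA timestamp, so users should not read it as evidence of when the signature was produced. Suggested text: `"set the createdAt timestamp in the signature artifact to the time it was created; by default cosign sets this to the zero value so the signature digest is reproducible. The value is informational and is not covered by the signature"`. If `now.Now()` honors SOURCE_DATE_EPOCH, as its home in internal/pkg/now suggests, that is worth a mention here too.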
@@ -81,7 +81,6 @@ cosign sign [flags] --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign - --honor-create-timestamp honor the create timestamp in the signature artefact to be pushed to the OCI registry --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided @@ -97,6 +96,7 @@ cosign sign [flags] --output-payload string write the signed payload to FILE --output-signature string write the signature to FILE --payload string path to a payload file to use rather than generating one + --record-creation-timestamp set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value -r, --recursive if a multi-arch image is specified, additionally sign each discrete image --registry-password string registry basic auth password --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1 diff --git a/pkg/oci/mutate/mutate.go b/pkg/oci/mutate/mutate.go index a9585012f50..59ba2c0c0ff 100644 --- a/pkg/oci/mutate/mutate.go +++ b/pkg/oci/mutate/mutate.go @@ -377,5 +377,5 @@ func (so *signOpts) dedupeAndReplace(sig oci.Signature, basefn func() (oci.Signa } return ReplaceSignatures(replace) } - return AppendSignatures(base, so.hct, sig) + return AppendSignatures(base, so.rct, sig) } 
diff --git a/pkg/oci/mutate/options.go b/pkg/oci/mutate/options.go index 028217ec5ed..712866dcacf 100644 --- a/pkg/oci/mutate/options.go +++ b/pkg/oci/mutate/options.go @@ -35,7 +35,7 @@ type SignOption func(*signOpts) type signOpts struct { dd DupeDetector ro ReplaceOp - hct bool + rct bool } func makeSignOpts(opts ...SignOption) *signOpts { @@ -60,9 +60,9 @@ func WithReplaceOp(ro ReplaceOp) SignOption { } } -func WithHonorCreationTimestamp(hct bool) SignOption { +func WithHonorCreationTimestamp(rct bool) SignOption { return func(so *signOpts) { - so.hct = hct + so.rct = rct } } diff --git a/pkg/oci/mutate/signatures.go b/pkg/oci/mutate/signatures.go index f7507987bd8..4f3bd98fa1f 100644 --- a/pkg/oci/mutate/signatures.go +++ b/pkg/oci/mutate/signatures.go @@ -25,7 +25,7 @@ import ( // AppendSignatures produces a new oci.Signatures with the provided signatures // appended to the provided base signatures. -func AppendSignatures(base oci.Signatures, honorTimestamp bool, sigs ...oci.Signature) (oci.Signatures, error) { +func AppendSignatures(base oci.Signatures, recordCreationTimestamp bool, sigs ...oci.Signature) (oci.Signatures, error) { adds := make([]mutate.Addendum, 0, len(sigs)) for _, sig := range sigs { ann, err := sig.Annotations() @@ -43,7 +43,7 @@ func AppendSignatures(base oci.Signatures, honorTimestamp bool, sigs ...oci.Sign return nil, err } - if honorTimestamp { + if recordCreationTimestamp { t, err := now.Now() if err != nil { return nil, err diff --git a/pkg/oci/static/file.go b/pkg/oci/static/file.go index a8f081737d4..c3435be4d59 100644 --- a/pkg/oci/static/file.go +++ b/pkg/oci/static/file.go @@ -49,7 +49,7 @@ func NewFile(payload []byte, opts ...Option) (oci.File, error) { // Add annotations from options img = mutate.Annotations(img, o.Annotations).(v1.Image) - if o.HonorCreateTimestamp { + if o.RecordCreationTimestamp { t, err := now.Now() if err != nil { return nil, err 
diff --git a/pkg/oci/static/file_test.go b/pkg/oci/static/file_test.go index eec863b5036..0866f25deda 100644 --- a/pkg/oci/static/file_test.go +++ b/pkg/oci/static/file_test.go @@ -32,7 +32,7 @@ func TestNewFile(t *testing.T) { t.Fatalf("NewFile() = %v", err) } - timestampedFile, err := NewFile([]byte(payload), WithLayerMediaType("foo"), WithAnnotations(map[string]string{"foo": "bar"}), WithHonorCreationTimestamp(true)) + timestampedFile, err := NewFile([]byte(payload), WithLayerMediaType("foo"), WithAnnotations(map[string]string{"foo": "bar"}), WithRecordCreationTimestamp(true)) if err != nil { t.Fatalf("NewFile() = %v", err) diff --git a/pkg/oci/static/options.go b/pkg/oci/static/options.go index c9bea16d093..b240fb228ae 100644 --- a/pkg/oci/static/options.go +++ b/pkg/oci/static/options.go @@ -27,14 +27,14 @@ import ( type Option func(*options) type options struct { - LayerMediaType types.MediaType - ConfigMediaType types.MediaType - Bundle *bundle.RekorBundle - RFC3161Timestamp *bundle.RFC3161Timestamp - Cert []byte - Chain []byte - Annotations map[string]string - HonorCreateTimestamp bool + LayerMediaType types.MediaType + ConfigMediaType types.MediaType + Bundle *bundle.RekorBundle + RFC3161Timestamp *bundle.RFC3161Timestamp + Cert []byte + Chain []byte + Annotations map[string]string + RecordCreationTimestamp bool } func makeOptions(opts ...Option) (*options, error) { @@ -114,9 +114,9 @@ func WithCertChain(cert, chain []byte) Option { } } -// WithHonorCreationTimestamp sets the feature flag to honor the creation timestamp to time of running -func WithHonorCreationTimestamp(hct bool) Option { +// WithRecordCreationTimestamp sets the feature flag to honor the creation timestamp to time of running +func WithRecordCreationTimestamp(rct bool) Option { return func(o *options) { - o.HonorCreateTimestamp = hct + o.RecordCreationTimestamp = rct } } From 39f2b6385e57385cb131ed5818642db1e7a5de80 Mon Sep 17 00:00:00 2001 
From: Tobias Trabelsi Date: Thu, 7 Mar 2024 23:13:26 +0100 Subject: [PATCH 4/4] additional review feedback Signed-off-by: Tobias Trabelsi --- cmd/cosign/cli/sign.go | 2 +- cmd/cosign/cli/sign/sign.go | 2 +- doc/cosign_sign.md | 2 +- pkg/oci/mutate/options.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 1b65d59cde3..76f84a3210c 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -86,7 +86,7 @@ race conditions or (worse) malicious tampering. cosign sign --sign-container-identity # sign a container image and honor the creation timestamp of the signature - cosign sign --key cosign.key --honor-create-timestamp `, + cosign sign --key cosign.key --record-creation-timestamp `, Args: cobra.MinimumNArgs(1), PersistentPreRun: options.BindViper, diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index 76c53a70322..1289e7b1bb4 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -329,7 +329,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti } // Attach the signature to the entity. - newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithHonorCreationTimestamp(signOpts.RecordCreationTimestamp)) + newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp)) if err != nil { return err } diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index d8423db74b4..de309400e77 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md @@ -66,7 +66,7 @@ cosign sign [flags] cosign sign --sign-container-identity # sign a container image and honor the creation timestamp of the signature - cosign sign --key cosign.key --honor-create-timestamp + cosign sign --key cosign.key --record-creation-timestamp ``` ### Options 
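Review bot: The example comment in the cmd/cosign/cli/sign.go hunk still reads `# sign a container image and honor the creation timestamp of the signature` although the command on the next line was renamed to `--record-creation-timestamp`; the doc/cosign_sign.md hunk repeats the same stale line. `# sign a container image and record its creation timestamp in the signature artifact` would match both the flag name and its help text.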
diff --git a/pkg/oci/mutate/options.go b/pkg/oci/mutate/options.go index 712866dcacf..342eea4e7c5 100644 --- a/pkg/oci/mutate/options.go +++ b/pkg/oci/mutate/options.go @@ -60,7 +60,7 @@ func WithReplaceOp(ro ReplaceOp) SignOption { } } -func WithHonorCreationTimestamp(rct bool) SignOption { +func WithRecordCreationTimestamp(rct bool) SignOption { return func(so *signOpts) { so.rct = rct }
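Review bot: `WithRecordCreationTimestamp` in the pkg/oci/mutate/options.go hunk is exported but has no doc comment (the `WithHonorCreationTimestamp` it renames had none either), unlike its sibling in pkg/oci/static. Suggested: `// WithRecordCreationTimestamp sets whether AppendSignatures stamps the signature image's Created field with the current time; the default (false) leaves it at the zero value.` The function's closing brace lies outside the hunk.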