From 4d7454760b6a724aa8002ace4fca2a59f21f739d Mon Sep 17 00:00:00 2001
From: Dan Lorenc
Date: Sat, 28 Aug 2021 06:55:37 -0500
Subject: [PATCH] Make the warning around TUF roots a little less scary.
Signed-off-by: Dan Lorenc
---
 cmd/cosign/cli/fulcio/fulcio.go | 2 +-
 cmd/cosign/cli/verify.go | 3 +--
 cmd/cosign/cli/verify_attestation.go | 3 ++-
 cmd/sget/cli/sget.go | 2 +-
 pkg/cosign/tlog.go | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index 84d406ebdc1..6892d2217a8 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -214,7 +214,7 @@ func initRoots() *x509.CertPool {
 err := tuf.GetTarget(ctx, fulcioTargetStr, &buf)
 if err != nil {
 // The user may not have initialized the local root metadata. Log the error and use the embedded root.
- fmt.Fprintln(os.Stderr, "using embedded fulcio certificate. did you run `cosign init`? error retrieving target: ", err)
+ fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded CA certificate.")
 if !cp.AppendCertsFromPEM([]byte(rootPem)) {
 panic("error creating root cert pool")
 }
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
index 3ad5fbea538..88d1a684c46 100644
--- a/cmd/cosign/cli/verify.go
+++ b/cmd/cosign/cli/verify.go
@@ -116,7 +116,6 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 co := &cosign.CheckOpts{
 Annotations: *c.Annotations,
- RootCerts: fulcio.GetRoots(),
 RegistryClientOpts: DefaultRegistryClientOpts(ctx),
 }
 if c.CheckClaims {
@@ -124,7 +123,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, args []string) (err error) {
 }
 if EnableExperimental() {
 co.RekorURL = c.RekorURL
-
+ co.RootCerts = fulcio.GetRoots()
 }
 keyRef := c.KeyRef
diff --git a/cmd/cosign/cli/verify_attestation.go b/cmd/cosign/cli/verify_attestation.go
index 2130ae9e5ae..04a0fa0b954 100644
--- a/cmd/cosign/cli/verify_attestation.go
+++ b/cmd/cosign/cli/verify_attestation.go
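Review bot: The new message drops `err`, so a TUF lookup that fails for any reason other than a missing local root (expired or corrupted metadata, a filesystem or network problem) is reported as "No TUF root installed" and the code falls back to the embedded certificate with no trace of the actual cause; the comment on the line above still says "Log the error", which is no longer what happens. Keeping the cause while staying low-key, e.g. `fmt.Fprintf(os.Stderr, "No TUF root installed, using embedded CA certificate (%v)\n", err)`, lets a user who did run `cosign init` notice that something else is wrong; if the error is intentionally hidden, the comment should become `// The user may not have initialized the local root metadata; fall back to the embedded root.` The same point applies to the pkg/cosign/tlog.go hunk, whose new message additionally lacks the trailing period the fulcio message has. initRoots continues outside the hunk.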
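Review bot: co.RootCerts is now left nil unless EnableExperimental() is true, across both verify.go hunks; whether any non-experimental path still ends up verifying a certificate chain (for example a certificate found alongside a signature) is not visible here, and if one does, it now runs with no trust root at all. That is worth confirming against the verification code before merging, and the assignment deserves a comment such as `// Roots are only needed for keyless verification, which requires experimental mode; fetching them here avoids the TUF warning for key-based verify.` The same restructuring appears in the verify_attestation.go hunks. Exec continues outside both hunks.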
@@ -116,7 +116,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 }
 co := &cosign.CheckOpts{
- RootCerts: fulcio.GetRoots(),
 RegistryClientOpts: DefaultRegistryClientOpts(ctx),
 SigTagSuffixOverride: cosign.AttestationTagSuffix,
 }
@@ -125,6 +124,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, args []string) (err
 }
 if EnableExperimental() {
 co.RekorURL = c.RekorURL
+ co.RootCerts = fulcio.GetRoots()
+
 }
 keyRef := c.KeyRef
diff --git a/cmd/sget/cli/sget.go b/cmd/sget/cli/sget.go
index cb46069621c..df5eec7af8a 100644
--- a/cmd/sget/cli/sget.go
+++ b/cmd/sget/cli/sget.go
@@ -43,7 +43,6 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
 co := &cosign.CheckOpts{
 ClaimVerifier: cosign.SimpleClaimVerifier,
 VerifyBundle: true,
- RootCerts: fulcio.GetRoots(),
 RegistryClientOpts: []remote.Option{
 remote.WithAuthFromKeychain(authn.DefaultKeychain),
 remote.WithContext(ctx),
@@ -58,6 +57,7 @@ func SgetCmd(ctx context.Context, imageRef, keyRef string) (io.ReadCloser, error
 }
 if co.SigVerifier != nil || cli.EnableExperimental() {
+ co.RootCerts = fulcio.GetRoots()
 sigRepo, err := cli.TargetRepositoryForImage(ref)
 if err != nil {
 return nil, err
diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
index 69276a3dcac..04988fcb191 100644
--- a/pkg/cosign/tlog.go
+++ b/pkg/cosign/tlog.go
@@ -53,7 +53,7 @@ func GetRekorPub() string {
 err := tuf.GetTarget(ctx, rekorTargetStr, &buf)
 if err != nil {
 // The user may not have initialized the local root metadata. Log the error and use the embedded root.
- fmt.Fprintln(os.Stderr, "using embedded rekor public key. did you run `cosign init`? error retrieving target: ", err)
+ fmt.Fprintln(os.Stderr, "No TUF root installed, using embedded rekor key")
 return rekorPub
 }
 return buf.String()
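Review bot: The second added line in the `if EnableExperimental()` block of the verify_attestation.go hunk is an empty line between `co.RootCerts = fulcio.GetRoots()` and the closing brace, which is just a stray blank. Drop it so the block reads like the matching one in verify.go, where this commit removes the blank line rather than adding one. Exec continues outside the hunk.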
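Review bot: In the sget.go hunk `co.RootCerts = fulcio.GetRoots()` sits inside `if co.SigVerifier != nil || cli.EnableExperimental()`, so a key-based sget (SigVerifier set, experimental off) still performs the TUF lookup and prints the "No TUF root installed" warning, which is exactly what verify.go and verify_attestation.go in this commit avoid by fetching roots only under EnableExperimental(). If the roots are consumed only on the keyless path, as those files now assume, narrow it to `if cli.EnableExperimental() { co.RootCerts = fulcio.GetRoots() }` just inside the block; if sget genuinely needs them in key mode, a one-line comment saying why would save the next reader from making the same comparison. SgetCmd continues outside the hunk.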