chore: update to upstream 2.4.0 #236

Merged
merged 171 commits into from
Sep 5, 2024
d96e379
fix 'go vet -tags e2e ./...' (#3550)
dmitris Feb 22, 2024
fb70b8e
chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (#…
dependabot[bot] Feb 26, 2024
c061e87
chore(deps): bump google.golang.org/api from 0.165.0 to 0.167.0 (#3557)
dependabot[bot] Feb 26, 2024
5923d9b
remove unused rootPool var (#3559)
dmitris Feb 27, 2024
86921c7
Bump sigstore/sigstore to v1.8.2 (#3561)
haydentherapper Feb 28, 2024
40dd4c3
Correct help text of triangulate cmd (#3551)
michaelvl Feb 28, 2024
8dcaf2c
chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d514…
dependabot[bot] Feb 28, 2024
a4da0c2
chore(deps): bump the actions group with 3 updates (#3564)
dependabot[bot] Feb 29, 2024
7a2d50b
Update builder image, cosign image, golangci-lint (#3565)
cpanato Mar 3, 2024
9a9c6cb
chore(deps): bump the actions group with 1 update (#3576)
dependabot[bot] Mar 4, 2024
5019cc4
chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.6…
dependabot[bot] Mar 4, 2024
d38d339
chore(deps): bump the gomod group with 5 updates (#3574)
dependabot[bot] Mar 4, 2024
fb488d7
free up disk space during e2e test runs (#3579)
bobcallaway Mar 7, 2024
cb01516
Honor creation timestamp for signatures again (#3549)
Lerentis Mar 7, 2024
4574cd2
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 (…
dependabot[bot] Mar 7, 2024
6ee5a9c
chore(deps): bump gopkg.in/go-jose/go-jose.v2 from 2.6.1 to 2.6.3 (#3…
dependabot[bot] Mar 7, 2024
16a3dda
bump release to use go 1.21.8 (#3583)
bobcallaway Mar 8, 2024
8ba9a5e
Clean up READMEs (#3587)
haydentherapper Mar 11, 2024
0506a69
chore(deps): bump the actions group with 1 update (#3588)
dependabot[bot] Mar 11, 2024
cdbb891
chore(deps): bump github.com/xanzy/go-gitlab from 0.98.0 to 0.100.0 (…
dependabot[bot] Mar 11, 2024
693db70
chore(deps): bump the gomod group with 4 updates (#3589)
dependabot[bot] Mar 11, 2024
d8a6af9
Update README for contributions (#3596)
haydentherapper Mar 11, 2024
2a96f4c
chore(deps): bump github.com/go-openapi/runtime from 0.27.2 to 0.28.0…
dependabot[bot] Mar 11, 2024
b20ff08
chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#3591)
dependabot[bot] Mar 11, 2024
b551637
chore(deps): bump google.golang.org/api from 0.167.0 to 0.169.0 (#3594)
dependabot[bot] Mar 11, 2024
5d60a9a
Adds Support for Fulcio Client Credentials Flow, and Argument to Set …
nkreiger Mar 12, 2024
3065e53
Update the script for working with blobs (#3610)
arewm Mar 19, 2024
0037808
chore(deps): bump the actions group with 1 update (#3607)
dependabot[bot] Mar 19, 2024
aab1b8f
chore(deps): bump cuelang.org/go from 0.7.1 to 0.8.0 (#3606)
dependabot[bot] Mar 19, 2024
9081f20
chore(deps): bump google.golang.org/api from 0.169.0 to 0.170.0 (#3605)
dependabot[bot] Mar 19, 2024
fb18bba
chore(deps): bump the gomod group with 1 update (#3603)
dependabot[bot] Mar 19, 2024
887f36b
chore(deps): bump github.com/docker/docker (#3612)
dependabot[bot] Mar 21, 2024
1ea2154
Put secrets on github organizations (#3567)
fnxpt Mar 21, 2024
7d56594
Update CHANGELOG for v1.13.6 (#3618)
haydentherapper Mar 22, 2024
45ebf49
chore(deps): bump the actions group with 2 updates (#3623)
dependabot[bot] Mar 25, 2024
c18b043
chore(deps): bump github.com/xanzy/go-gitlab from 0.100.0 to 0.101.0 …
dependabot[bot] Mar 25, 2024
45f626a
chore(deps): bump google.golang.org/api from 0.170.0 to 0.171.0 (#3626)
dependabot[bot] Mar 25, 2024
ba9898c
chore(deps): bump go.step.sm/crypto from 0.43.1 to 0.44.1 (#3625)
dependabot[bot] Mar 26, 2024
abfd1cd
Clean up and clarify e2e scripts (#3628)
cmurphy Mar 29, 2024
4824d6c
Remove cross.yaml workflow (#3629)
cmurphy Mar 31, 2024
fe51982
chore(deps): bump the gomod group with 6 updates (#3633)
dependabot[bot] Apr 1, 2024
52233da
chore(deps): bump google.golang.org/api from 0.171.0 to 0.172.0 (#3635)
dependabot[bot] Apr 1, 2024
d55b6f2
chore(deps): bump github.com/open-policy-agent/opa from 0.62.1 to 0.6…
dependabot[bot] Apr 1, 2024
700da0a
chore(deps): bump the actions group with 1 update (#3637)
dependabot[bot] Apr 2, 2024
6206f5a
feat: add OVHcloud MPR registry tested with cosign (#3639)
scraly Apr 3, 2024
7001e82
Fixing issue 3642 (#3643)
Mukuls77 Apr 4, 2024
fa504b4
Fixing issue 3642 (#3644)
Mukuls77 Apr 4, 2024
3c8170a
add oci bundle spec (#3622)
bdehamer Apr 5, 2024
f7d867b
chore(deps): bump the actions group with 2 updates (#3647)
dependabot[bot] Apr 8, 2024
d56c9e8
chore(deps): bump the gomod group with 3 updates (#3648)
dependabot[bot] Apr 8, 2024
2d13b65
chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#3650)
dependabot[bot] Apr 8, 2024
eba7c59
chore(deps): bump golang.org/x/term from 0.18.0 to 0.19.0 (#3651)
dependabot[bot] Apr 8, 2024
48858a2
chore(deps): bump github.com/xanzy/go-gitlab from 0.101.0 to 0.102.0 …
dependabot[bot] Apr 8, 2024
430c985
chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 (#3655)
dependabot[bot] Apr 9, 2024
c95439b
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.1.7 to 2.2.0 …
dependabot[bot] Apr 9, 2024
d0b9861
chore(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#3649)
dependabot[bot] Apr 9, 2024
302aee6
Refactor e2e-tests.yml workflow (#3627)
cmurphy Apr 9, 2024
629f5f8
Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
haydentherapper Apr 10, 2024
fb651b4
Add v2.2.4 changelog (#3662)
haydentherapper Apr 10, 2024
b15eefa
bump scaffolding to latest release for testing (#3663)
bobcallaway Apr 11, 2024
e23dcd1
fix latest tag not being created and add latest to the dev image as w…
cpanato Apr 11, 2024
db6d13f
chore(deps): bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.1 (#3656)
dependabot[bot] Apr 12, 2024
ba3d36d
switch to community repo of reusable-release (#3666)
bobcallaway Apr 12, 2024
ee4198d
chore(deps): bump the actions group with 3 updates (#3668)
dependabot[bot] Apr 15, 2024
e036af8
chore(deps): bump go.step.sm/crypto in the gomod group (#3667)
dependabot[bot] Apr 15, 2024
02b1b26
add registry options to cosign save (#3645)
JasonPowr Apr 17, 2024
59f0099
chore(deps): bump the actions group with 2 updates (#3676)
dependabot[bot] Apr 22, 2024
3102b3c
chore(deps): bump go.step.sm/crypto in the gomod group (#3672)
dependabot[bot] Apr 23, 2024
5f13e63
chore(deps): bump google.golang.org/api from 0.172.0 to 0.176.0 (#3673)
dependabot[bot] Apr 23, 2024
e4197bd
chore(deps): bump github.com/xanzy/go-gitlab from 0.102.0 to 0.103.0 …
dependabot[bot] Apr 23, 2024
d33bbc3
fix: close attestationFile (#3679)
testwill Apr 29, 2024
69f3478
chore(deps): bump actions/checkout in the actions group (#3680)
dependabot[bot] Apr 29, 2024
cd018e9
chore(deps): bump golangci/golangci-lint-action from 4.0.0 to 5.1.0 (…
dependabot[bot] Apr 29, 2024
d247bad
chore(deps): bump the gomod group with 3 updates (#3682)
dependabot[bot] Apr 29, 2024
e9a3739
chore(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.6…
dependabot[bot] Apr 29, 2024
fa17fab
Refactor KMS E2E tests (#3684)
cmurphy Apr 30, 2024
0976894
chore(deps): bump the actions group with 3 updates (#3686)
dependabot[bot] May 6, 2024
2d398bc
chore(deps): bump google.golang.org/api from 0.176.1 to 0.177.0 (#3687)
dependabot[bot] May 6, 2024
f0fd640
chore(deps): bump github.com/xanzy/go-gitlab from 0.103.0 to 0.104.0 …
dependabot[bot] May 6, 2024
b3448d4
chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 (#3691)
dependabot[bot] May 6, 2024
50c67f0
chore(deps): bump google.golang.org/api from 0.177.0 to 0.180.0 (#3698)
dependabot[bot] May 13, 2024
17c9af7
chore(deps): bump the actions group with 3 updates (#3694)
dependabot[bot] May 13, 2024
d2766d8
Add PayloadProvider interface to decouple AttestationToPayloadJSON fr…
codysoyland May 13, 2024
40e6740
chore(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (…
dependabot[bot] May 13, 2024
8b498bd
chore(deps): bump sigs.k8s.io/release-utils in the gomod group (#3696)
dependabot[bot] May 13, 2024
1211157
chore(deps): bump github.com/xanzy/go-gitlab from 0.104.0 to 0.105.0 …
dependabot[bot] May 13, 2024
62742a1
Refactor insecure registry E2E tests (#3701)
cmurphy May 17, 2024
2e65241
Remove KMS E2E test script (#3702)
cmurphy May 17, 2024
645636e
Remove sign_blob_test.sh test (#3707)
cmurphy May 20, 2024
2bb2e88
Add README.md for tests (#3708)
cmurphy May 20, 2024
6e2fcd6
chore(deps): bump the actions group with 3 updates (#3706)
dependabot[bot] May 21, 2024
2359dbd
chore(deps): bump google.golang.org/api from 0.180.0 to 0.181.0 (#3703)
dependabot[bot] May 21, 2024
5ae2e31
chore(deps): bump go.step.sm/crypto from 0.44.8 to 0.45.0 (#3704)
dependabot[bot] May 21, 2024
550dbf9
chore(deps): bump go.step.sm/crypto in the gomod group (#3710)
dependabot[bot] May 27, 2024
e623217
chore(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.6…
dependabot[bot] Jun 3, 2024
6b6acc2
chore(deps): bump the gomod group with 5 updates (#3713)
dependabot[bot] Jun 3, 2024
f3225b3
chore(deps): bump google.golang.org/api from 0.181.0 to 0.182.0 (#3716)
dependabot[bot] Jun 3, 2024
d275a27
chore(deps): bump go.step.sm/crypto from 0.45.1 to 0.46.0 (#3717)
dependabot[bot] Jun 3, 2024
098e892
chore(deps): bump cuelang.org/go from 0.8.2 to 0.9.0 (#3725)
dependabot[bot] Jun 10, 2024
eae74ff
chore(deps): bump google.golang.org/api from 0.182.0 to 0.183.0 (#3726)
dependabot[bot] Jun 10, 2024
5bbccd5
chore(deps): bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#3721)
dependabot[bot] Jun 11, 2024
ca1733a
Add debug providers command. (#3728)
wlynch Jun 11, 2024
e72f472
chore(deps): bump go.step.sm/crypto from 0.46.0 to 0.47.0 (#3723)
dependabot[bot] Jun 11, 2024
98fd801
Bump scaffolding version (#3736)
haydentherapper Jun 18, 2024
ee521e4
bump builder image to ise go1.21.11 and update goreleaser to version …
cpanato Jun 18, 2024
598c734
chore(deps): bump google.golang.org/api from 0.183.0 to 0.184.0 (#3734)
dependabot[bot] Jun 18, 2024
e5937c5
chore(deps): bump the actions group across 1 directory with 5 updates…
dependabot[bot] Jun 18, 2024
2525c93
chore(deps): bump the gomod group with 4 updates (#3731)
dependabot[bot] Jun 18, 2024
9a9447d
chore(deps): bump github.com/spiffe/go-spiffe/v2 from 2.2.0 to 2.3.0 …
dependabot[bot] Jun 18, 2024
9f18570
chore(deps): bump github.com/spf13/viper from 1.18.2 to 1.19.0 (#3715)
dependabot[bot] Jun 18, 2024
5209b38
Make config layers in ociremote mountable (#3741)
jonjohnsonjr Jun 18, 2024
9e3811b
upgrade to go1.22 (#3739)
cpanato Jun 19, 2024
2b538f8
adds tsa cert chain check for env var or tuf targets. (#3600)
ianhundere Jun 19, 2024
68d38a8
chore(deps): bump github.com/hashicorp/go-retryablehttp (#3749)
dependabot[bot] Jun 25, 2024
8859e29
chore(deps): bump github.com/xanzy/go-gitlab from 0.105.0 to 0.106.0 …
dependabot[bot] Jun 25, 2024
e924bc8
chore(deps): bump google.golang.org/api from 0.184.0 to 0.185.0 (#3747)
dependabot[bot] Jun 25, 2024
7c20052
Fixing issue 3743 (#3744)
Meeki1l Jun 25, 2024
40fc15f
add --ca-roots and --ca-intermediates flags to 'cosign verify' (#3464)
dmitris Jul 1, 2024
8b55af2
Set `bundleVerified` to true after Rekor verification (Resolves #3740…
maxlambrecht Jul 1, 2024
7d74685
chore(deps): bump google.golang.org/api from 0.185.0 to 0.186.0 (#3755)
dependabot[bot] Jul 2, 2024
79db196
chore(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.6…
dependabot[bot] Jul 2, 2024
3d622d1
Update README.md to account for necessary new go version (#3764)
bminahan73 Jul 3, 2024
d05a120
General housekeeping and go updates (#3765)
cpanato Jul 5, 2024
bf2067a
chore(deps): bump the gomod group across 1 directory with 7 updates (…
dependabot[bot] Jul 5, 2024
b310bc6
fix: extra whitespace in README.md (#3773)
hectorj2f Jul 8, 2024
58af4bb
chore(deps): bump go.step.sm/crypto from 0.47.1 to 0.48.1 (#3768)
dependabot[bot] Jul 8, 2024
e5afa56
chore(deps): bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#3771)
dependabot[bot] Jul 8, 2024
2dd32f6
chore(deps): bump golang.org/x/term from 0.21.0 to 0.22.0 (#3770)
dependabot[bot] Jul 8, 2024
bc5f6c6
chore(deps): bump sigs.k8s.io/release-utils in the gomod group (#3767)
dependabot[bot] Jul 9, 2024
811dba8
factor out keyless verification certificate loading function (#3762)
dmitris Jul 9, 2024
ca682f2
chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#3774)
dependabot[bot] Jul 10, 2024
bdcbf44
add handling of keyless verification for all verify commands (#3761)
dmitris Jul 11, 2024
f7a5725
Document ImportKeyPair and LoadPrivateKey functions in pkg/cosign (#3…
dmitris Jul 11, 2024
13d3a56
chore(deps): bump the actions group across 1 directory with 2 updates…
dependabot[bot] Jul 15, 2024
4fd699c
chore(deps): bump go.step.sm/crypto from 0.48.1 to 0.50.0 (#3781)
dependabot[bot] Jul 15, 2024
f9270c0
chore(deps): bump google.golang.org/api from 0.187.0 to 0.188.0 (#3782)
dependabot[bot] Jul 15, 2024
05026ee
chore(deps): bump github.com/google/go-containerregistry (#3783)
dependabot[bot] Jul 15, 2024
3c6c5c9
chore(deps): bump github.com/sigstore/fulcio from 1.4.5 to 1.5.1 (#3784)
dependabot[bot] Jul 16, 2024
4684fd6
chore(deps): bump the gomod group with 5 updates (#3780)
dependabot[bot] Jul 16, 2024
20d4724
chore(deps): bump github.com/google/go-containerregistry (#3790)
dependabot[bot] Jul 22, 2024
aeba473
Add CHANGELOG for v2.3.0 (#3789)
haydentherapper Jul 22, 2024
c6f89f8
chore(deps): bump github.com/buildkite/agent/v3 from 3.74.1 to 3.75.1…
dependabot[bot] Jul 22, 2024
deed363
chore(deps): bump github.com/xanzy/go-gitlab from 0.106.0 to 0.107.0 …
dependabot[bot] Jul 22, 2024
ffde21e
chore(deps): bump google.golang.org/api from 0.188.0 to 0.189.0 (#3791)
dependabot[bot] Jul 22, 2024
c6cdf1b
Adding protobuf bundle support to sign-blob and attest-blob (#3752)
steiza Jul 23, 2024
62a2cff
Include SCT verification failure details in error message (#3799)
bkabrda Jul 26, 2024
98c2cab
bump scaffolding version in tests to 0.7.5 (#3800)
bobcallaway Jul 28, 2024
0406602
Add support for recording creation timestamp for cosign attest (#3797)
zshorvath Jul 29, 2024
b4cf37b
Add new bundle support to `verify-blob` and `verify-blob-attestation`…
steiza Jul 29, 2024
973bcd1
chore(deps): bump ossf/scorecard-action in the actions group (#3801)
dependabot[bot] Jul 29, 2024
ec2480e
chore(deps): bump github.com/open-policy-agent/opa from 0.66.0 to 0.6…
dependabot[bot] Jul 29, 2024
f40ad0f
chore(deps): bump sigs.k8s.io/release-utils in the gomod group (#3802)
dependabot[bot] Jul 29, 2024
06d1290
chore(deps): bump github.com/docker/docker (#3804)
dependabot[bot] Jul 30, 2024
7e3c2f5
handle docker-compose v2, free up more space (#3809)
bobcallaway Aug 6, 2024
b61b689
chore(deps): bump the actions group across 1 directory with 4 updates…
dependabot[bot] Aug 6, 2024
71a4952
chore(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#3811)
dependabot[bot] Aug 6, 2024
983a368
chore(deps): bump go.step.sm/crypto from 0.50.0 to 0.51.1 (#3812)
dependabot[bot] Aug 6, 2024
7bac5e9
tidy up validate release script (#3817)
bobcallaway Aug 6, 2024
e3a3914
chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (#3814)
dependabot[bot] Aug 6, 2024
d0492cf
chore(deps): bump github.com/buildkite/agent/v3 from 3.75.1 to 3.76.2…
dependabot[bot] Aug 6, 2024
be43902
move incremental builds per commit to GHCR instead of GCR (#3808)
bobcallaway Aug 6, 2024
2387b50
chore(deps): bump google.golang.org/api from 0.189.0 to 0.190.0 (#3815)
dependabot[bot] Aug 6, 2024
fd0368a
Conformance testing for cosign (#3806)
steiza Aug 6, 2024
c346825
Bump sigstore/sigstore (#3819)
haydentherapper Aug 6, 2024
b5e7dc1
Add login for GHCR (#3820)
haydentherapper Aug 6, 2024
6b54010
Merge tag 'v2.4.0'
lance Aug 20, 2024
5cdc70c
chore(deps): bump github.com/docker/docker (#3823) (#242)
lance Aug 22, 2024
876c2f7
chore(pipelines): remove cosign hermetic builds
lance Sep 4, 2024
b69bf3b
chore: remove git stash/pop from cosign build
lance Sep 4, 2024
899e9be
Merge branch 'main' into lance/update-to-2.4.0
lance Sep 4, 2024
a97db15
fixup: remove prefetch-input task
lance Sep 4, 2024
Honor creation timestamp for signatures again (sigstore#3549)
* Honor creation timestamp for signatures again

Signed-off-by: ttrabelsi <Lerentis@users.noreply.github.com>

* setting creation timestamp behind a feature flag to preserve current behavior

Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu>

* review feedback

Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu>

* additional review feedback

Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu>

---------

Signed-off-by: ttrabelsi <Lerentis@users.noreply.github.com>
Signed-off-by: Tobias Trabelsi <lerentis@uploadfilter24.eu>
Lerentis authored Mar 7, 2024
commit cb0151608b5f8309fa2b732e9e02056cfb3bdfb1
43 changes: 23 additions & 20 deletions cmd/cosign/cli/options/sign.go
Expand Up @@ -21,26 +21,27 @@ import (

// SignOptions is the top level wrapper for the sign command.
type SignOptions struct {
Key string
Cert string
CertChain string
Upload bool
Output string // deprecated: TODO remove when the output flag is fully deprecated
OutputSignature string // TODO: this should be the root output file arg.
OutputPayload string
OutputCertificate string
PayloadPath string
Recursive bool
Attachment string
SkipConfirmation bool
TlogUpload bool
TSAClientCACert string
TSAClientCert string
TSAClientKey string
TSAServerName string
TSAServerURL string
IssueCertificate bool
SignContainerIdentity string
Key string
Cert string
CertChain string
Upload bool
Output string // deprecated: TODO remove when the output flag is fully deprecated
OutputSignature string // TODO: this should be the root output file arg.
OutputPayload string
OutputCertificate string
PayloadPath string
Recursive bool
Attachment string
SkipConfirmation bool
TlogUpload bool
TSAClientCACert string
TSAClientCert string
TSAClientKey string
TSAServerName string
TSAServerURL string
IssueCertificate bool
SignContainerIdentity string
RecordCreationTimestamp bool

Rekor RekorOptions
Fulcio FulcioOptions
Expand Down Expand Up @@ -130,4 +131,6 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {

cmd.Flags().StringVar(&o.SignContainerIdentity, "sign-container-identity", "",
"manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature")

cmd.Flags().BoolVar(&o.RecordCreationTimestamp, "record-creation-timestamp", false, "set the createdAt timestamp in the signature artifact to the time it was created; by default, cosign sets this to the zero value")
}
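
Review bot: the help text for --record-creation-timestamp should say where the time comes from. As written, "the time it was created" is circular and "the zero value" does not tell a user what they will find in the artifact. Suggest wording such as "set the createdAt timestamp in the signature artifact to the time of signing, taken from the signer's clock; by default the timestamp is left at the zero value", so that nobody reads the field as a verified signing time.
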
5 changes: 4 additions & 1 deletion cmd/cosign/cli/sign.go
Expand Up @@ -83,7 +83,10 @@ race conditions or (worse) malicious tampering.
cosign sign --key cosign.key --tlog-upload=false <IMAGE DIGEST>

# sign a container image by manually setting the container image identity
cosign sign --sign-container-identity <NEW IMAGE DIGEST> <IMAGE DIGEST>`,
cosign sign --sign-container-identity <NEW IMAGE DIGEST> <IMAGE DIGEST>

# sign a container image and honor the creation timestamp of the signature
cosign sign --key cosign.key --record-creation-timestamp <IMAGE DIGEST>`,

Args: cobra.MinimumNArgs(1),
PersistentPreRun: options.BindViper,
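
Review bot: the new example comment, "honor the creation timestamp of the signature", reads as if an existing timestamp were being preserved, while the flag's help text says the timestamp is set at signing. Suggest "# sign a container image and record the signing time as the signature's creation timestamp".
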
2 changes: 1 addition & 1 deletion cmd/cosign/cli/sign/sign.go
Expand Up @@ -329,7 +329,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti
}

// Attach the signature to the entity.
newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd))
newSE, err := mutate.AttachSignatureToEntity(se, ociSig, mutate.WithDupeDetector(dd), mutate.WithRecordCreationTimestamp(signOpts.RecordCreationTimestamp))
if err != nil {
return err
}
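
Review bot: signOpts.RecordCreationTimestamp is wired in only at this AttachSignatureToEntity call in signDigest. Any other command that attaches signatures without passing mutate.WithRecordCreationTimestamp keeps the zero timestamp, so either pass the option at those call sites too or state in the flag help that it applies to cosign sign only. The call is also long enough now that one option per line would read better.
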
4 changes: 4 additions & 0 deletions doc/cosign_sign.md

2 changes: 1 addition & 1 deletion pkg/oci/mutate/mutate.go
Expand Up @@ -377,5 +377,5 @@ func (so *signOpts) dedupeAndReplace(sig oci.Signature, basefn func() (oci.Signa
}
return ReplaceSignatures(replace)
}
return AppendSignatures(base, sig)
return AppendSignatures(base, so.rct, sig)
}
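
Review bot: so.rct reaches only the AppendSignatures return at the end of dedupeAndReplace; the return ReplaceSignatures(replace) branch just above it is unchanged, so as far as this diff shows the flag has no effect when a signature is replaced rather than appended. Either give the replace path the same handling or document that replaced signatures do not get a creation timestamp.
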
11 changes: 9 additions & 2 deletions pkg/oci/mutate/options.go
Expand Up @@ -33,8 +33,9 @@ type ReplaceOp interface {
type SignOption func(*signOpts)

type signOpts struct {
dd DupeDetector
ro ReplaceOp
dd DupeDetector
ro ReplaceOp
rct bool
}

func makeSignOpts(opts ...SignOption) *signOpts {
Expand All @@ -59,6 +60,12 @@ func WithReplaceOp(ro ReplaceOp) SignOption {
}
}

func WithRecordCreationTimestamp(rct bool) SignOption {
return func(so *signOpts) {
so.rct = rct
}
}

type signatureOpts struct {
annotations map[string]string
bundle *bundle.RekorBundle
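
Review bot: the exported WithRecordCreationTimestamp has no doc comment, unlike its counterpart added to pkg/oci/static/options.go in this same commit. Add one that says what true does (Created is set to the time of the call) and that false keeps the zero value. Spelling the signOpts field rct out as recordCreationTimestamp would also help readers of dedupeAndReplace.
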
16 changes: 15 additions & 1 deletion pkg/oci/mutate/signatures.go
Expand Up @@ -19,12 +19,13 @@ import (
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/empty"
"github.com/google/go-containerregistry/pkg/v1/mutate"
"github.com/sigstore/cosign/v2/internal/pkg/now"
"github.com/sigstore/cosign/v2/pkg/oci"
)

// AppendSignatures produces a new oci.Signatures with the provided signatures
// appended to the provided base signatures.
func AppendSignatures(base oci.Signatures, sigs ...oci.Signature) (oci.Signatures, error) {
func AppendSignatures(base oci.Signatures, recordCreationTimestamp bool, sigs ...oci.Signature) (oci.Signatures, error) {
adds := make([]mutate.Addendum, 0, len(sigs))
for _, sig := range sigs {
ann, err := sig.Annotations()
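
Review bot: inserting recordCreationTimestamp as a positional bool ahead of the variadic sigs changes the signature of the exported AppendSignatures, so every existing caller has to be updated, and call sites such as AppendSignatures(base, false, s1) now carry an unexplained bare boolean. Consider leaving AppendSignatures as it was and adding a variant that accepts the option, and update the doc comment above the function, which still describes only the append behaviour.
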
Expand All @@ -42,6 +43,19 @@ func AppendSignatures(base oci.Signatures, sigs ...oci.Signature) (oci.Signature
return nil, err
}

if recordCreationTimestamp {
t, err := now.Now()
if err != nil {
return nil, err
}

// Set the Created date to time of execution
img, err = mutate.CreatedAt(img, v1.Time{Time: t})
if err != nil {
return nil, err
}
}

return &sigAppender{
Image: img,
base: base,
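
Review bot: the value passed to mutate.CreatedAt comes from now.Now() on the machine doing the signing, so Created is a self-asserted time and nothing in this block ties it to the signature. The comment "Set the Created date to time of execution" should say so, so that consumers do not treat the field as evidence of when signing happened. The timestamp is also set on img, the image returned for the whole appended set (Image: img in the sigAppender below), so each call with the flag on overwrites one timestamp for all signatures rather than recording a time per signature; state that in the AppendSignatures doc comment if it is intended.
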
16 changes: 11 additions & 5 deletions pkg/oci/mutate/signatures_test.go
Expand Up @@ -38,17 +38,17 @@ func TestAppendSignatures(t *testing.T) {
t.Fatalf("NewSignature() = %v", err)
}

oneSig, err := AppendSignatures(base, s1)
oneSig, err := AppendSignatures(base, false, s1)
if err != nil {
t.Fatalf("AppendSignatures() = %v", err)
}

twoSig, err := AppendSignatures(oneSig, s2)
twoSig, err := AppendSignatures(oneSig, false, s2)
if err != nil {
t.Fatalf("AppendSignatures() = %v", err)
}

threeSig, err := AppendSignatures(oneSig, s2, s3)
threeSig, err := AppendSignatures(oneSig, true, s2, s3)
if err != nil {
t.Fatalf("AppendSignatures() = %v", err)
}
Expand All @@ -73,7 +73,13 @@ func TestAppendSignatures(t *testing.T) {

if testCfg, err := threeSig.ConfigFile(); err != nil {
t.Fatalf("ConfigFile() = %v", err)
} else if !testCfg.Created.Time.IsZero() {
t.Errorf("Date of Signature was not Zero")
} else if testCfg.Created.Time.IsZero() {
t.Errorf("Date of Signature was Zero")
}

if testDefaultCfg, err := twoSig.ConfigFile(); err != nil {
t.Fatalf("ConfigFile() = %v", err)
} else if !testDefaultCfg.Created.Time.IsZero() {
t.Errorf("Date of Signature was Zero")
}
}
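
Review bot: the failure message in the new twoSig check is inverted. The condition !testDefaultCfg.Created.Time.IsZero() fires when the timestamp is not zero, but it reports "Date of Signature was Zero"; it should read "Date of Signature was not Zero". The threeSig check above it only proves the value is non-zero, so comparing against the expected time would make it a stronger test.
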
14 changes: 14 additions & 0 deletions pkg/oci/static/file.go
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/google/go-containerregistry/pkg/v1/empty"
"github.com/google/go-containerregistry/pkg/v1/mutate"
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/sigstore/cosign/v2/internal/pkg/now"
"github.com/sigstore/cosign/v2/pkg/oci"
"github.com/sigstore/cosign/v2/pkg/oci/signed"
)
Expand All @@ -48,6 +49,19 @@ func NewFile(payload []byte, opts ...Option) (oci.File, error) {
// Add annotations from options
img = mutate.Annotations(img, o.Annotations).(v1.Image)

if o.RecordCreationTimestamp {
t, err := now.Now()
if err != nil {
return nil, err
}

// Set the Created date to time of execution
img, err = mutate.CreatedAt(img, v1.Time{Time: t})
if err != nil {
return nil, err
}
}

return &file{
SignedImage: signed.Image(img),
layer: layer,
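
Review bot: this if o.RecordCreationTimestamp block is a line-for-line copy of the one added to AppendSignatures in pkg/oci/mutate/signatures.go (now.Now(), then mutate.CreatedAt with v1.Time{Time: t}). A small shared helper would keep the two from drifting apart if the time source or the error handling changes later.
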
13 changes: 13 additions & 0 deletions pkg/oci/static/file_test.go
Expand Up @@ -32,6 +32,12 @@ func TestNewFile(t *testing.T) {
t.Fatalf("NewFile() = %v", err)
}

timestampedFile, err := NewFile([]byte(payload), WithLayerMediaType("foo"), WithAnnotations(map[string]string{"foo": "bar"}), WithRecordCreationTimestamp(true))

if err != nil {
t.Fatalf("NewFile() = %v", err)
}

layers, err := file.Layers()
if err != nil {
t.Fatalf("Layers() = %v", err)
Expand Down Expand Up @@ -129,6 +135,13 @@ func TestNewFile(t *testing.T) {
if !fileCfg.Created.Time.IsZero() {
t.Errorf("Date of Signature was not Zero")
}
tsCfg, err := timestampedFile.ConfigFile()
if err != nil {
t.Fatalf("ConfigFile() = %v", err)
}
if tsCfg.Created.Time.IsZero() {
t.Errorf("Date of Signature was Zero")
}
})

t.Run("check annotations", func(t *testing.T) {
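
Review bot: tsCfg.Created.Time.IsZero() only shows that some timestamp was written, so the test passes for any non-zero value. Assert that the value falls within a bound around the time of the NewFile call, or fix the clock for the test, and consider moving the timestamped case into its own t.Run so a failure is reported separately from the default-file checks.
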
22 changes: 15 additions & 7 deletions pkg/oci/static/options.go
Expand Up @@ -27,13 +27,14 @@ import (
type Option func(*options)

type options struct {
LayerMediaType types.MediaType
ConfigMediaType types.MediaType
Bundle *bundle.RekorBundle
RFC3161Timestamp *bundle.RFC3161Timestamp
Cert []byte
Chain []byte
Annotations map[string]string
LayerMediaType types.MediaType
ConfigMediaType types.MediaType
Bundle *bundle.RekorBundle
RFC3161Timestamp *bundle.RFC3161Timestamp
Cert []byte
Chain []byte
Annotations map[string]string
RecordCreationTimestamp bool
}

func makeOptions(opts ...Option) (*options, error) {
Expand Down Expand Up @@ -112,3 +113,10 @@ func WithCertChain(cert, chain []byte) Option {
o.Chain = chain
}
}

// WithRecordCreationTimestamp sets the feature flag to honor the creation timestamp to time of running
func WithRecordCreationTimestamp(rct bool) Option {
return func(o *options) {
o.RecordCreationTimestamp = rct
}
}
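
Review bot: the doc comment on WithRecordCreationTimestamp, "sets the feature flag to honor the creation timestamp to time of running", is hard to parse. Suggest "WithRecordCreationTimestamp, when rct is true, sets the Created timestamp of the file to the time NewFile runs; otherwise it is left at the zero value."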