From 593b9f28fdf71720c1ee398296b4cc35bf567d48 Mon Sep 17 00:00:00 2001 From: Hayden B Date: Mon, 4 Dec 2023 16:35:07 -0800 Subject: [PATCH] Fix copy without any flag set (#3409) PR #3247 added an --only flag which when set copies only a subset of metadata. By default the flag is set to an empty string, meaning that by default copy would copy nothing. This PR fixes this bug so that if only is unset, copy defaults to the same behavior as before copying everything. Also update the tag name to be sig rather than sign for the flag. Signed-off-by: Hayden Blauzvern --- cmd/cosign/cli/copy.go | 4 ++-- cmd/cosign/cli/copy/copy.go | 17 +++++++++++------ doc/cosign_copy.md | 4 ++-- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/cmd/cosign/cli/copy.go b/cmd/cosign/cli/copy.go index f6c76571f52..5519b18e2db 100644 --- a/cmd/cosign/cli/copy.go +++ b/cmd/cosign/cli/copy.go @@ -34,10 +34,10 @@ func Copy() *cobra.Command { cosign copy example.com/src:latest example.com/dest:latest # copy the signatures only - cosign copy --only=sign example.com/src example.com/dest + cosign copy --only=sig example.com/src example.com/dest # copy the signatures, attestations, sbom only - cosign copy --only=sign,att,sbom example.com/src example.com/dest + cosign copy --only=sig,att,sbom example.com/src example.com/dest # overwrite destination image and signatures cosign copy -f example.com/src example.com/dest diff --git a/cmd/cosign/cli/copy/copy.go b/cmd/cosign/cli/copy/copy.go index 65c65e99b30..6575c71fb4b 100644 --- a/cmd/cosign/cli/copy/copy.go +++ b/cmd/cosign/cli/copy/copy.go @@ -79,7 +79,13 @@ func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstIm return err } + onlyFlagSet := false tags := parseOnlyOpt(copyOnly, sigOnly) + if len(tags) > 0 { + onlyFlagSet = true + } else { + tags = []tagMap{ociremote.SignatureTag, ociremote.AttestationTag, ociremote.SBOMTag} + } if err := walk.SignedEntity(gctx, root, func(ctx context.Context, se oci.SignedEntity) error { // Both of the SignedEntity types implement Digest() h, err := se.Digest() @@ -126,7 +132,7 @@ func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstIm } // If we're only copying sig/att/sbom, we have nothing left to do. - if len(tags) > 0 { + if onlyFlagSet { return nil } @@ -174,17 +180,16 @@ func remoteCopy(ctx context.Context, pusher *remote.Pusher, src, dest name.Refer return pusher.Push(ctx, dest, got) } -func parseOnlyOpt(str string, sigOnly bool) []tagMap { +func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap { var tags []tagMap - items := strings.Split(str, ",") - tagSet := sets.New(items...) + tagSet := sets.New(strings.Split(onlyFlag, ",")...) if sigOnly { - fmt.Fprintf(os.Stderr, "--sig-only is deprecated, use --only=sign instead") + fmt.Fprintf(os.Stderr, "--sig-only is deprecated, use --only=sig instead") tagSet.Insert("sign") } - if tagSet.Has("sign") { + if tagSet.Has("sig") { tags = append(tags, ociremote.SignatureTag) } if tagSet.Has("sbom") { diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md index bd5ba29d80e..5cce9b638d5 100644 --- a/doc/cosign_copy.md +++ b/doc/cosign_copy.md @@ -15,10 +15,10 @@ cosign copy [flags] cosign copy example.com/src:latest example.com/dest:latest # copy the signatures only - cosign copy --only=sign example.com/src example.com/dest + cosign copy --only=sig example.com/src example.com/dest # copy the signatures, attestations, sbom only - cosign copy --only=sign,att,sbom example.com/src example.com/dest + cosign copy --only=sig,att,sbom example.com/src example.com/dest # overwrite destination image and signatures cosign copy -f example.com/src example.com/dest