From 276e1133c0ad14b9876b504b4430251012eb693b Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 11 May 2022 21:19:00 +0000
Subject: [PATCH] Normalize certificate flag names

This changes the flag names to use certificate instead of the abbreviated cert. To avoid breaking clients, we add a global alias that translates between the two.

Signed-off-by: Hayden Blauzvern
---
 cmd/cosign/cli/commands.go | 25 +++++++++++++++++++++++++
 cmd/cosign/cli/options/attest.go | 4 ++--
 cmd/cosign/cli/options/certificate.go | 8 ++++----
 cmd/cosign/cli/options/sign.go | 4 ++--
 doc/cosign_attest.md | 4 ++--
 doc/cosign_dockerfile_verify.md | 8 ++++----
 doc/cosign_manifest_verify.md | 8 ++++----
 doc/cosign_sign.md | 4 ++--
 doc/cosign_verify-attestation.md | 8 ++++----
 doc/cosign_verify-blob.md | 8 ++++----
 doc/cosign_verify.md | 8 ++++----
 11 files changed, 57 insertions(+), 32 deletions(-)

diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go
index 2b483e71f4e5..3fc300e881ef 100644
--- a/cmd/cosign/cli/commands.go
+++ b/cmd/cosign/cli/commands.go
@@ -21,6 +21,7 @@ import (
 "github.com/google/go-containerregistry/pkg/logs"
 "github.com/pkg/errors"
 "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
 "sigs.k8s.io/release-utils/version"
 cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
@@ -31,6 +32,27 @@ var (
 ro = &options.RootOptions{}
 )
+func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedName {
+ switch name {
+ case "cert":
+ name = "certificate"
+ break
+ case "cert-email":
+ name = "certificate-email"
+ break
+ case "cert-chain":
+ name = "certificate-chain"
+ break
+ case "cert-oidc-issuer":
+ name = "certificate-oidc-issuer"
+ break
+ case "output-cert":
+ name = "output-certificate"
+ break
+ }
+ return pflag.NormalizedName(name)
+}
+
 func New() *cobra.Command {
 var (
 out, stdout *os.File
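Review bot: Each `break` in the `switch` of `normalizeCertificateFlags` is a no-op, because Go cases never fall through, and the function has no doc comment explaining that it is a compatibility alias installed on every command's flag set. Returning from each case drops the dead statements and reads as a lookup table; the comment should also record that only the `certificate*` spellings appear in `--help` (the regenerated docs in this commit list no `cert*` flags), so a reader does not conclude the old names were removed. The `output-cert` case has no matching flag rename in the diffstat; if that flag is still registered under the short name, pflag will present it as `--output-certificate` anyway (as far as I recall it normalizes at registration as well as at lookup), so its docs would need regenerating too — worth confirming. Because two flags whose names normalize to the same value cannot coexist in one flag set, the comment is also the place to note that no command may define both `cert` and `certificate`.
```go
// normalizeCertificateFlags maps the legacy "cert*" flag spellings onto the
// "certificate*" names so existing scripts keep working. It is installed with
// SetGlobalNormalizationFunc, so it applies to every command's flag set; only
// the "certificate*" names appear in --help, and no command may register both
// spellings of the same flag.
func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedName {
	switch name {
	case "cert":
		return "certificate"
	case "cert-email":
		return "certificate-email"
	case "cert-chain":
		return "certificate-chain"
	case "cert-oidc-issuer":
		return "certificate-oidc-issuer"
	case "output-cert":
		return "output-certificate"
	}
	return pflag.NormalizedName(name)
}
```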
@@ -97,5 +119,8 @@ func New() *cobra.Command {
 cmd.AddCommand(version.WithFont("starwars"))
 cmd.AddCommand(cranecmd.NewCmdAuthLogin("cosign"))
+
+ cmd.SetGlobalNormalizationFunc(normalizeCertificateFlags)
+
 return cmd
 }
diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go
index caa1db52133b..fee88d048c5d 100644
--- a/cmd/cosign/cli/options/attest.go
+++ b/cmd/cosign/cli/options/attest.go
@@ -51,10 +51,10 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Key, "key", "",
 "path to the private key file, KMS URI or Kubernetes Secret")
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the X.509 certificate in PEM format to include in the OCI Signature")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA X.509 certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
index 615842c810e0..d383857c1fe7 100644
--- a/cmd/cosign/cli/options/certificate.go
+++ b/cmd/cosign/cli/options/certificate.go
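Review bot: The `cmd.SetGlobalNormalizationFunc(normalizeCertificateFlags)` call carries no comment saying why a normalization function is installed on the root command, and the helper's name alone does not convey that it exists so scripts still passing `--cert*` keep working. I would add `// Accept the legacy cert* flag spellings as aliases for the certificate* flags on every subcommand (see normalizeCertificateFlags).` directly above the call. cobra propagates the function to subcommands already added and, as far as I recall, to ones added later, so placing it after the AddCommand calls is fine but not required; the rest of New's body lies outside the hunk.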
@@ -31,16 +31,16 @@ var _ Interface = (*RekorOptions)(nil)
 // AddFlags implements Interface
 func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the public certificate")
- cmd.Flags().StringVar(&o.CertEmail, "cert-email", "",
+ cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
 "the email expected in a valid Fulcio certificate")
- cmd.Flags().StringVar(&o.CertOidcIssuer, "cert-oidc-issuer", "",
+ cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
 "the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
index a4a1df779fbc..e22482b67a6c 100644
--- a/cmd/cosign/cli/options/sign.go
+++ b/cmd/cosign/cli/options/sign.go
@@ -55,10 +55,10 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Key, "key", "",
 "path to the private key file, KMS URI or Kubernetes Secret")
- cmd.Flags().StringVar(&o.Cert, "cert", "",
+ cmd.Flags().StringVar(&o.Cert, "certificate", "",
 "path to the X.509 certificate in PEM format to include in the OCI Signature")
- cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
+ cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 "path to a list of CA X.509 certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 014ad4f680c7..e5f1d033da5b 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -41,8 +41,8 @@ cosign attest [flags]
 ```
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the X.509 certificate in PEM format to include in the OCI Signature
- --cert-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
+ --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
+ --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
 -f, --force skip warnings and confirmations
 --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for attest
diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
index fa6ec41bfe3d..e852a0c96c3d 100644
--- a/doc/cosign_dockerfile_verify.md
+++ b/doc/cosign_dockerfile_verify.md
@@ -57,10 +57,10 @@ cosign dockerfile verify [flags]
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --base-image-only only verify the base image (the last FROM image in the Dockerfile)
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
index 81f314d83f80..042b6c7d652a 100644
--- a/doc/cosign_manifest_verify.md
+++ b/doc/cosign_manifest_verify.md
@@ -51,10 +51,10 @@ cosign manifest verify [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 61e1ea5a2b81..4cb379bdde66 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -59,8 +59,8 @@ cosign sign [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the X.509 certificate in PEM format to include in the OCI Signature
- --cert-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
+ --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
+ --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
 -f, --force skip warnings and confirmations
 --fulcio-url string [EXPERIMENTAL] address of sigstore PKI server (default "https://fulcio.sigstore.dev")
 -h, --help help for sign
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
index 65ca6994699f..7349a7c27bc4 100644
--- a/doc/cosign_verify-attestation.md
+++ b/doc/cosign_verify-attestation.md
@@ -61,10 +61,10 @@ cosign verify-attestation [flags]
 ```
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify-attestation
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
index 894e46afde6b..ef9c7acc5492 100644
--- a/doc/cosign_verify-blob.md
+++ b/doc/cosign_verify-blob.md
@@ -64,10 +64,10 @@ cosign verify-blob [flags]
 --allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 --bundle string path to bundle FILE
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify-blob
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
index 9de4dbad45f8..a5cbb988a646 100644
--- a/doc/cosign_verify.md
+++ b/doc/cosign_verify.md
@@ -70,10 +70,10 @@ cosign verify [flags]
 -a, --annotations strings extra key=value pairs to sign
 --attachment string related image attachment to sign (sbom), default none
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
- --cert string path to the public certificate
- --cert-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
- --cert-email string the email expected in a valid Fulcio certificate
- --cert-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
+ --certificate string path to the public certificate
+ --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
+ --certificate-email string the email expected in a valid Fulcio certificate
+ --certificate-oidc-issuer string the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
 --check-claims whether to check the claims found (default true)
 --enforce-sct whether to enforce that a certificate contain an embedded SCT, a proof of inclusion in a certificate transparency log
 -h, --help help for verify