dockerfile-verify: inline certificate verification options
Description
In cosign dockerfile verify, verification options like --certificate and --certificate-oidc-issuer are passed as command-line arguments.
This leaves the user burdened with mapping certificate criteria to images externally, and for multi-stage builds invoking cosign verify dockerfile multiple times.
I propose allowing the options.CertVerifyOptions to be encoded within comments of the Dockerfile:
```dockerfile
# cosign-verify: certificate-oidc-issuer="https://token.actions.githubusercontent.com" enforce-sct=true
FROM gcr.io/test/image:v1
# cosign-verify: certificate-oidc-issuer=https://token.actions.githubusercontent.com certificate-github-workflow-repository=thepwagner/my-cool-repo certificate-github-workflow-name=release.yaml
FROM gcr.io/test/image:v1
```
The implementation would parse any comments preceding a FROM statement and support the same options as the CLI, expressed as key-value pairs. Values specified at the command line would overwrite those derived from comments.
Naively the VerifyDockerfileCommand could invoke the embedded VerifyCommand multiple times with each unique options.CertVerifyOptions discovered. Grouping by unique options would mean users not using the comments are unaffected.
Does anyone else want this?
Does it belong in cosign, or should it be a separate tool?
Related
- https://github.com/sigstore/cosign/pull/1626 (I really want `certificate-github-workflow-repository` and `certificate-github-workflow-name` 😍)
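As an added example (not cosign's own code, and not from the proposal's author), the following Go sketch implements the parsing and grouping the proposal describes: `# cosign-verify:` comments immediately preceding a `FROM` are parsed as key=value pairs (double-quoted values allowed), command-line values overwrite comment-derived ones, and the resulting images are grouped by identical option sets so the verifier can be invoked once per group. Assumptions made here: `VerifyOptions` is a hypothetical flat map standing in for `options.CertVerifyOptions`; the sample Dockerfile is constructed from the two stages shown above plus a stage-alias `FROM` (which pulls no image and is therefore skipped); and any non-comment instruction between a comment and the next `FROM` discards the pending options, so a comment cannot silently attach to a later stage.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// VerifyOptions is a hypothetical stand-in for cosign's options.CertVerifyOptions:
// option name as spelled on the CLI (without leading dashes) -> value.
type VerifyOptions map[string]string

// ImageVerify is one FROM image together with the options that apply to it.
type ImageVerify struct {
	Image   string
	Options VerifyOptions
}

// Group collects every image that shares one identical option set.
type Group struct {
	Key     string // canonical rendering of Options, used for equality
	Options VerifyOptions
	Images  []string
}

const commentPrefix = "cosign-verify:"

// parseKeyValues parses `k=v k2="value with spaces"` into a map; keys may not
// contain whitespace, and an unterminated quote is an error rather than a guess.
func parseKeyValues(s string) (VerifyOptions, error) {
	opts := VerifyOptions{}
	rest := strings.TrimSpace(s)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq <= 0 || strings.ContainsAny(rest[:eq], " \t") {
			return nil, fmt.Errorf("expected key=value, got %q", rest)
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		if strings.HasPrefix(rest, `"`) {
			end := strings.IndexByte(rest[1:], '"')
			if end < 0 {
				return nil, fmt.Errorf("unterminated quote in value of %s", key)
			}
			val, rest = rest[1:end+1], rest[end+2:]
		} else if end := strings.IndexAny(rest, " \t"); end < 0 {
			val, rest = rest, ""
		} else {
			val, rest = rest[:end], rest[end:]
		}
		opts[key] = val
		rest = strings.TrimSpace(rest)
	}
	return opts, nil
}

// ParseDockerfile attaches `# cosign-verify:` comments to the FROM that follows
// them and layers CLI options on top (CLI wins, as the proposal states). A FROM
// that names an earlier stage pulls no image, so nothing is emitted for it.
func ParseDockerfile(dockerfile string, cli VerifyOptions) ([]ImageVerify, error) {
	var out []ImageVerify
	pending := VerifyOptions{}
	stages := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "#"):
			body := strings.TrimSpace(strings.TrimPrefix(line, "#"))
			if !strings.HasPrefix(body, commentPrefix) {
				continue // ordinary comment, ignored
			}
			kv, err := parseKeyValues(strings.TrimPrefix(body, commentPrefix))
			if err != nil {
				return nil, err
			}
			for k, v := range kv {
				pending[k] = v
			}
		case strings.EqualFold(strings.Fields(line)[0], "FROM"):
			fields := strings.Fields(line)[1:]
			var image string
			for i, f := range fields {
				if strings.HasPrefix(f, "--") {
					continue // flags such as --platform=...
				}
				image = f
				if i+2 < len(fields) && strings.EqualFold(fields[i+1], "AS") {
					stages[strings.ToLower(fields[i+2])] = true
				}
				break
			}
			if image == "" {
				return nil, fmt.Errorf("FROM without image: %q", line)
			}
			if !stages[strings.ToLower(image)] {
				opts := VerifyOptions{}
				for k, v := range pending {
					opts[k] = v
				}
				for k, v := range cli {
					opts[k] = v // command line overwrites comment-derived values
				}
				out = append(out, ImageVerify{Image: image, Options: opts})
			}
			pending = VerifyOptions{}
		default:
			pending = VerifyOptions{} // another instruction intervened; comment no longer "precedes" a FROM
		}
	}
	return out, sc.Err()
}

// optionKey renders an option set canonically so equal sets compare equal.
func optionKey(o VerifyOptions) string {
	keys := make([]string, 0, len(o))
	for k := range o {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + o[k]
	}
	return strings.Join(parts, " ")
}

// GroupByOptions returns one Group per distinct option set, in stable order,
// so images sharing a policy can be verified in a single invocation.
func GroupByOptions(ivs []ImageVerify) []Group {
	byKey := map[string]*Group{}
	for _, iv := range ivs {
		k := optionKey(iv.Options)
		g, ok := byKey[k]
		if !ok {
			g = &Group{Key: k, Options: iv.Options}
			byKey[k] = g
		}
		g.Images = append(g.Images, iv.Image)
	}
	groups := make([]Group, 0, len(byKey))
	for _, g := range byKey {
		groups = append(groups, *g)
	}
	sort.Slice(groups, func(i, j int) bool { return groups[i].Key < groups[j].Key })
	return groups
}

// SampleDockerfile is constructed for this example from the two stages in the
// proposal, plus an intervening instruction and a stage-alias FROM.
const SampleDockerfile = `# cosign-verify: certificate-oidc-issuer="https://token.actions.githubusercontent.com" enforce-sct=true
FROM gcr.io/test/image:v1 AS base
RUN make build
# cosign-verify: certificate-oidc-issuer=https://token.actions.githubusercontent.com certificate-github-workflow-repository=thepwagner/my-cool-repo certificate-github-workflow-name=release.yaml
FROM gcr.io/test/image:v1
COPY --from=base /out /out
FROM base AS test
`

func main() {
	ivs, err := ParseDockerfile(SampleDockerfile, nil)
	if err != nil {
		panic(err)
	}
	for _, g := range GroupByOptions(ivs) {
		fmt.Printf("verify %v with {%s}\n", g.Images, g.Key)
	}
}
```

The grouping step is what keeps users who never write the comments unaffected: with no comments and no CLI options every `FROM` lands in a single group with an empty option set, which is exactly one verifier invocation, the same as today.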