feat: add insecure option to name options
Signed-off-by: Batuhan Apaydın [email protected]
Fixes #2290
Summary
This PR will add an insecure option to the name options and use it while parsing the reference of the image name to set the HTTP scheme.
Release Note
- adds an insecure option to sign & verify commands' name options to set the HTTP scheme for insecure registries properly
Documentation
Codecov Report
Merging #2316 (d76b7b3) into main (32f6f1a) will decrease coverage by 0.10%. The diff coverage is 0.00%.
:exclamation: Current head d76b7b3 differs from pull request most recent head 523a10a. Consider uploading reports for the commit 523a10a to get more accurate results
@@ Coverage Diff @@
## main #2316 +/- ##
==========================================
- Coverage 30.19% 30.08% -0.11%
==========================================
Files 136 136
Lines 8432 8462 +30
==========================================
Hits 2546 2546
- Misses 5555 5585 +30
Partials 331 331
| Impacted Files | Coverage Δ |
|---|---|
| cmd/cosign/cli/clean.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/generate/generate.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/options/registry.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/policy_init.go | 1.33% <0.00%> (-0.04%) :arrow_down: |
| cmd/cosign/cli/sign/sign.go | 16.20% <0.00%> (-0.19%) :arrow_down: |
| cmd/cosign/cli/tree.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/verify.go | 0.00% <0.00%> (ø) |
| cmd/cosign/cli/verify/verify.go | 19.27% <0.00%> (ø) |
| cmd/cosign/cli/verify/verify_attestation.go | 0.00% <0.00%> (ø) |
@souleb 🥳
There are some other places that we need to do the same thing, I guess 🤔
kindly ping @hectorj2f @dlorenc
I'd vote for (2) over (3). We have a similar problem in crane and ko, and just saying there should be a separate flag if you want http seems the best option. This also gives us a go option for http-but-not-also-bad-https.
Do we think we need a warning for a release or two before we change the semantics of "insecure registry"
@jonjohnsonjr
> spec-noncompliant

I'm 90% sure there's no spec 🙃
Is there prior art for other clients that need to do this?
> Do we think we need a warning for a release or two before we change the semantics of "insecure registry"
Are we proposing that (for Cosign)? I think we can introduce a new flag without changing existing behavior, we just probably want better docs. Or are you talking GGCR?
Sorry I misunderstood, you're right.
kindly ping. What has to be done before merging this? 🙋🏻♂️
I think we want to separate this behavior into a distinct flag. So --allow-insecure-registry should continue to work exactly as it does before this PR, and the new flag (--allow-http-registry maybe?) would enable this behavior.
that should be okay now @znewman01
> I think we want to separate this behavior into a distinct flag. So `--allow-insecure-registry` should continue to work exactly as it does before this PR, and the new flag (`--allow-http-registry` maybe?) would enable this behavior.
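To make the distinction in the exchange above concrete (and the scheme-setting the PR summary describes), here is an added Go example; it is not cosign's or go-containerregistry's code. It models the two flags as independent options: `AllowHTTP` only affects the URL scheme used to reach the registry, while `AllowInsecure` only relaxes TLS certificate verification, so "http but not also bad https" is expressible. The reference parser, the loopback heuristic and the option names are assumptions made for illustration; go-containerregistry's real `name.Insecure` option and `Registry.Scheme()` are similar in spirit but are not reproduced here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// RegistryOptions is an illustrative stand-in for cosign's registry options
// (assumed names, not the project's struct). The two knobs are deliberately
// independent: one controls the scheme, the other controls TLS verification.
type RegistryOptions struct {
	AllowInsecure bool // accept a registry whose TLS certificate does not verify
	AllowHTTP     bool // talk plain HTTP to the registry instead of HTTPS
}

// RegistryOf extracts the registry host from an image reference such as
// "harbor.local:5000/team/app:1.0". A leading path component counts as a
// registry only if it looks like a host (contains a dot or a port, or is
// "localhost"); otherwise the reference is treated as a Docker Hub image.
func RegistryOf(ref string) string {
	i := strings.Index(ref, "/")
	if i < 0 {
		return "index.docker.io"
	}
	first := ref[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return "index.docker.io"
}

// isLoopback reports whether the registry host refers to the local machine
// ("localhost", 127.0.0.0/8 or ::1, with or without a port).
func isLoopback(registry string) bool {
	host := registry
	if h, _, err := net.SplitHostPort(registry); err == nil {
		host = h
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(strings.Trim(host, "[]"))
	return ip != nil && ip.IsLoopback()
}

// Scheme picks the URL scheme for registry API calls. Plain HTTP is used only
// when explicitly allowed or when the registry is loopback (the usual
// convention for local development registries). AllowInsecure has no
// influence here: a bad certificate is a different failure mode from a
// registry that only speaks HTTP.
func (o RegistryOptions) Scheme(registry string) string {
	if o.AllowHTTP || isLoopback(registry) {
		return "http"
	}
	return "https"
}

// Transport builds the HTTP transport used to reach the registry. Only
// AllowInsecure disables certificate verification; AllowHTTP never does.
func (o RegistryOptions) Transport() *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	if o.AllowInsecure {
		t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // the "bad https" case, opted into explicitly
	}
	return t
}

// BaseURL is the v2 API root the client would contact for the reference.
func (o RegistryOptions) BaseURL(ref string) string {
	reg := RegistryOf(ref)
	return fmt.Sprintf("%s://%s/v2/", o.Scheme(reg), reg)
}

func main() {
	// Constructed sample references; "harbor.local:5000" is a hypothetical host.
	for _, c := range []struct {
		ref  string
		opts RegistryOptions
	}{
		{"harbor.local:5000/team/app:1.0", RegistryOptions{}},
		{"harbor.local:5000/team/app:1.0", RegistryOptions{AllowHTTP: true}},
		{"harbor.local:5000/team/app:1.0", RegistryOptions{AllowInsecure: true}},
		{"localhost:5000/app:dev", RegistryOptions{}},
		{"alpine:3.18", RegistryOptions{}},
	} {
		t := c.opts.Transport()
		skip := t.TLSClientConfig != nil && t.TLSClientConfig.InsecureSkipVerify
		fmt.Printf("%-32s allowHTTP=%-5v allowInsecure=%-5v -> %s (skipVerify=%v)\n",
			c.ref, c.opts.AllowHTTP, c.opts.AllowInsecure, c.opts.BaseURL(c.ref), skip)
	}
}
```

The point of keeping the two decisions in separate methods is that each flag has exactly one effect: a user who needs an HTTP-only registry does not silently also lose certificate checking for every HTTPS registry in the same invocation, and vice versa.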
Hi All, I have tried to test the new flag '--allow-http-registry' with an insecure Harbor registry with the cosign prerelease cosign_2.0.0.rc.0. Images are getting signed and pushed to the insecure registry as expected with this flag, but I see a P3 bug on the cosign_2.0.0.rc.0 version. Issue: the --allow-http-registry flag is NOT added under cosign help. Expected behaviour: the --allow-http-registry flag should be added under cosign help. Example:
# cosign version
[ASCII-art cosign banner omitted]
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v2.0.0-rc.0
GitCommit:     a827922053c48283fb458b7b6bc51be3f477ec4d
GitTreeState:  clean
BuildDate:     2022-12-15T00:07:35Z
GoVersion:     go1.19.4
Compiler:      gc
Platform:      linux/amd64
# cosign help
A tool for Container Signing, Verification and Storage in an OCI registry.
Usage: cosign [command]
Available Commands:
  attach                  Provides utilities for attaching artifacts to other artifacts in a registry
  attest                  Attest the supplied container image.
  attest-blob             Attest the supplied blob.
  clean                   Remove all signatures from an image.
  completion              Generate completion script
  copy                    Copy the supplied container image and signatures.
  dockerfile              Provides utilities for discovering images in and performing operations on Dockerfiles
  download                Provides utilities for downloading artifacts and attached artifacts in a registry
  env                     Prints Cosign environment variables
  generate                Generates (unsigned) signature payloads from the supplied container image.
  generate-key-pair       Generates a key-pair.
  help                    Help about any command
  import-key-pair         Imports a PEM-encoded RSA or EC private key.
  initialize              Initializes SigStore root to retrieve trusted certificate and key targets for verification.
  load                    Load a signed image on disk to a remote registry
  login                   Log in to a registry
  manifest                Provides utilities for discovering images in and performing operations on Kubernetes manifests
  policy                  subcommand to manage a keyless policy.
  public-key              Gets a public key from the key-pair.
  save                    Save the container image and associated signatures to disk at the specified directory.
  sign                    Sign the supplied container image.
  sign-blob               Sign the supplied blob, outputting the base64-encoded signature to stdout.
  tree                    Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations
  triangulate             Outputs the located cosign image reference. This is the location cosign stores the specified artifact type.
  upload                  Provides utilities for uploading artifacts to a registry
  verify                  Verify a signature on the supplied container image
  verify-attestation      Verify an attestation on the supplied container image
  verify-blob             Verify a signature on the supplied blob
  verify-blob-attestation Verify an attestation on the supplied blob
  version                 Prints the version

Flags:
  -h, --help                 help for cosign
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output

Additional help topics:
  cosign piv-tool            This cosign was not built with piv-tool support!
  cosign pkcs11-tool         This cosign was not built with pkcs11-tool support!
Use "cosign [command] --help" for more information about a command.
The "--allow-http-registry" flag is not listed in the above output. Do we need to create a bug to get this issue addressed? If yes, then let me know and I will create a P3 bug for the same.
Thanks!
It doesn't appear on the top-level cosign help output because not every command supports this flag.
If you check `cosign sign --help`, for instance, it should appear.