cosign icon indicating copy to clipboard operation
cosign copied to clipboard

Published 20 hours ago verified publisher icon sigstore

add --ca-roots and --ca-intermediates flags to 'cosign verify'

Open dmitris opened this issue 1 year ago • 5 comments

Summary

Add new --ca-roots and --ca-intermediates flags to allow pass a certificate bundle PEM file with multiple CA roots and optionally a file with the intermediate certificates. Related to issue #3462. Current commit adds the two flags to verify the CLI options. There is a new functional test file test/e2e_tsa_certbundle.sh for the new flags to cosign verify.

Release Note

  • New features and improvements, including behavioural changes, UI changes and CLI changes added --ca-roots and --ca-intermediates flags to take a certificate bundle PEM file with one or multiple CA roots and optionally a PEM file with intermediate certificates. Both flags are exclusive with --certificate-chain.

Documentation

https://github.com/sigstore/docs/pull/291

dmitris avatar Jan 02 '24 19:01 dmitris

Codecov Report

Attention: Patch coverage is 6.89655% with 54 lines in your changes are missing coverage. Please review.

Project coverage is 40.25%. Comparing base (2ef6022) to head (f7157af). Report is 67 commits behind head on main.

Files Patch % Lines
cmd/cosign/cli/verify/verify.go 0.00% 38 Missing :warning:
cmd/cosign/cli/options/certificate.go 0.00% 14 Missing :warning:
cmd/cosign/cli/verify.go 66.66% 2 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3464      +/-   ##
==========================================
+ Coverage   40.10%   40.25%   +0.15%     
==========================================
  Files         155      155              
  Lines       10044    10137      +93     
==========================================
+ Hits         4028     4081      +53     
- Misses       5530     5563      +33     
- Partials      486      493       +7

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Jan 02 '24 19:01 codecov[bot]

@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft?

haydentherapper avatar Jan 22 '24 18:01 haydentherapper

@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft?

I was waiting for the initial feedback - I think I have it now (in #3462), thanks! - I'll try to add the unit tests shortly and mark it as "ready to review".

dmitris avatar Jan 23 '24 17:01 dmitris

@haydentherapper marked as "ready for review" now. I thought about adding unit tests - but I believe the current implementation with the "big" VerifyCommand.Exec() method https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L85-L316 doesn't make it easy to cover that code with unit tests, could be a good idea to refactor and split that. I added a new functional test test/e2e_tsa_certbundle.sh modelled after and expanding on the test/e2e_tsa_mtls.sh code - it works with the PR code and (unsurprisingly) fails with the trunk version (since it tests the newly added --ca-roots command-line flag). We also are running this version internally in some CI pipelines.

dmitris avatar Jan 29 '24 08:01 dmitris

@haydentherapper addressed your feedback except adding a test to e2e_test.go - will do this next

dmitris avatar Feb 06 '24 17:02 dmitris