Add --signing-algorithm flag
Summary
Give the user the option to choose which signing algorithm to use when generating keypairs (#3271).
Code based on https://github.com/sigstore/cosign/pull/3479 .
Release Note
Documentation
Shall we add the --signing-algorithm to the verify/verify-blob commands as well?
Codecov Report
Patch coverage is 10.12658% with 71 lines in your changes missing coverage. Please review.
Project coverage is 35.22%. Comparing base (2ef6022) to head (b656626).
Warning: report is 575 commits behind head on main.
Coverage Diff

@@            Coverage Diff             @@
##             main    #3497      +/-   ##
==========================================
- Coverage   40.10%   35.22%   -4.88%
==========================================
  Files         155      220      +65
  Lines       10044    15224    +5180
==========================================
+ Hits         4028     5363    +1335
- Misses       5530     9173    +3643
- Partials      486      688     +202
Would we want to have this only under the --new-bundle-format path, given that I assume we'll want to use the new sigstore-go compatible verifier? It would also decrease the number of places that changes have to be made along the sign path.
Would we want to have this only under the --new-bundle-format path, given that I assume we'll want to use the new sigstore-go compatible verifier?
I can check that --signing-algorithm is only used with --new-bundle-format and fail with a message if the old bundle format is used. However, in terms of code changes, I don't think it would really affect anything else, because the bundle format only affects the very last bit in sign_blob.go where we serialize the data.
Ideally this would be supported for other commands as well and not only for sign-blob, but we need some extra work on those other commands first.
@haydentherapper I've extended the --signing-algorithm flag to also affect the signing-config path (which is now the default), so it creates an ephemeral key of the right algorithm when used.
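The two behaviours discussed in this thread, rejecting --signing-algorithm unless the new bundle format is in use, and generating an ephemeral key of the chosen algorithm, are shown below as an added, self-contained Go example. It is not cosign's code and does not use the sigstore libraries: the algorithm names in the table follow the sigstore algorithm-registry spelling as an assumption, and the function names (ValidateSigningOptions, NewEphemeralSigner, KeyKind, SupportedAlgorithms) are hypothetical. Keys are built with the Go standard library only.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Algorithm names accepted by the hypothetical --signing-algorithm flag,
// each mapped to a generator for an ephemeral key of that kind. The
// spelling follows the sigstore algorithm registry as an assumption; the
// real accepted set lives in the sigstore libraries, not in this table.
var ephemeralKeyGenerators = map[string]func() (crypto.Signer, error){
	"ecdsa-sha2-256-nistp256": func() (crypto.Signer, error) {
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	},
	"ecdsa-sha2-384-nistp384": func() (crypto.Signer, error) {
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	},
	"ed25519": func() (crypto.Signer, error) {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	},
	"rsa-sign-pkcs1-3072-sha256": func() (crypto.Signer, error) {
		return rsa.GenerateKey(rand.Reader, 3072)
	},
}

// SupportedAlgorithms returns the accepted flag values in a stable order,
// for the flag's help text and for error messages.
func SupportedAlgorithms() []string {
	names := make([]string, 0, len(ephemeralKeyGenerators))
	for name := range ephemeralKeyGenerators {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

// ValidateSigningOptions rejects --signing-algorithm when the old bundle
// format is in use, and rejects names outside the supported set. An empty
// value means the flag was left at its default and is always accepted.
func ValidateSigningOptions(algorithm string, newBundleFormat bool) error {
	if algorithm == "" {
		return nil
	}
	if !newBundleFormat {
		return errors.New("--signing-algorithm requires --new-bundle-format")
	}
	if _, ok := ephemeralKeyGenerators[algorithm]; !ok {
		return fmt.Errorf("unsupported signing algorithm %q (supported: %s)",
			algorithm, strings.Join(SupportedAlgorithms(), ", "))
	}
	return nil
}

// NewEphemeralSigner generates a fresh in-memory key of the requested
// algorithm; it never touches disk, as a keyless signing flow expects.
func NewEphemeralSigner(algorithm string) (crypto.Signer, error) {
	gen, ok := ephemeralKeyGenerators[algorithm]
	if !ok {
		return nil, fmt.Errorf("unsupported signing algorithm %q", algorithm)
	}
	return gen()
}

// KeyKind reports which key type a signer holds, so a caller can confirm
// that the flag actually changed the generated key.
func KeyKind(s crypto.Signer) string {
	switch pub := s.Public().(type) {
	case *ecdsa.PublicKey:
		return "ecdsa-" + pub.Curve.Params().Name // e.g. "ecdsa-P-256"
	case ed25519.PublicKey:
		return "ed25519"
	case *rsa.PublicKey:
		return fmt.Sprintf("rsa-%d", pub.N.BitLen())
	default:
		return "unknown"
	}
}

func main() {
	const algorithm = "ecdsa-sha2-384-nistp384" // stands in for the flag value
	if err := ValidateSigningOptions(algorithm, true); err != nil {
		fmt.Println("error:", err)
		return
	}
	signer, err := NewEphemeralSigner(algorithm)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("generated ephemeral key:", KeyKind(signer))
}
```

Validation runs before any key is generated, so a misconfigured invocation fails with a clear message rather than silently signing with the default key type; keeping the accepted names in one table also means the help text and the error message can never drift apart.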