From ea1c77f3294cb508bf9d5f7459568471a4390319 Mon Sep 17 00:00:00 2001 From: Zach Steindler Date: Wed, 11 Sep 2024 09:45:25 -0400 Subject: [PATCH] Linter fixes and docgen Signed-off-by: Zach Steindler --- cmd/cosign/cli/trustedroot.go | 4 +-- cmd/cosign/cli/trustedroot/trustedroot.go | 13 ++++--- .../cli/trustedroot/trustedroot_test.go | 4 +-- doc/cosign.md | 1 + doc/cosign_trusted-root.md | 27 ++++++++++++++ doc/cosign_trusted-root_create.md | 36 +++++++++++++++++++ 6 files changed, 74 insertions(+), 11 deletions(-) create mode 100644 doc/cosign_trusted-root.md create mode 100644 doc/cosign_trusted-root_create.md diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go index 24d271e3e33..fb10c7ad555 100644 --- a/cmd/cosign/cli/trustedroot.go +++ b/cmd/cosign/cli/trustedroot.go @@ -43,8 +43,8 @@ func trustedRootCreate() *cobra.Command { Use: "create", Short: "Create a Sigstore protobuf trusted root", Long: "Create a Sigstore protobuf trusted root by supplying verification material", - RunE: func(cmd *cobra.Command, args []string) error { - trCreateCmd := &trustedroot.TrustedRootCreateCmd{ + RunE: func(cmd *cobra.Command, _ []string) error { + trCreateCmd := &trustedroot.CreateCmd{ CAIntermediates: o.CAIntermediates, CARoots: o.CARoots, CertChain: o.CertChain, diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go index 125ed4f06c8..5cc6ad99818 100644 --- a/cmd/cosign/cli/trustedroot/trustedroot.go +++ b/cmd/cosign/cli/trustedroot/trustedroot.go @@ -32,7 +32,7 @@ import ( "github.com/sigstore/cosign/v2/internal/ui" ) -type TrustedRootCreateCmd struct { +type CreateCmd struct { CAIntermediates string CARoots string CertChain string @@ -41,7 +41,7 @@ type TrustedRootCreateCmd struct { TSACertChainPath string } -func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error { +func (c *CreateCmd) Exec(ctx context.Context) error { var fulcioCertAuthorities []root.CertificateAuthority var timestampAuthorities []root.CertificateAuthority rekorTransparencyLogs := make(map[string]*root.TransparencyLog) @@ -52,7 +52,6 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error { return err } fulcioCertAuthorities = append(fulcioCertAuthorities, *fulcioAuthority) - } else if c.CARoots != "" { roots, err := parseCerts(c.CARoots) if err != nil { @@ -108,10 +107,10 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error { rekorTransparencyLog := root.TransparencyLog{ BaseURL: c.RekorURL, - HashFunc: crypto.Hash(crypto.SHA256), + HashFunc: crypto.SHA256, ID: keyHash[:], PublicKey: pub, - SignatureHashFunc: crypto.Hash(crypto.SHA256), + SignatureHashFunc: crypto.SHA256, } rekorTransparencyLogs[keyID] = &rekorTransparencyLog @@ -140,7 +139,7 @@ func (c *TrustedRootCreateCmd) Exec(ctx context.Context) error { } if c.Out != "" { - err = os.WriteFile(c.Out, trBytes, 0640) + err = os.WriteFile(c.Out, trBytes, 0600) if err != nil { return err } @@ -187,7 +186,7 @@ func parseCerts(path string) ([]*x509.Certificate, error) { } if len(certs) == 0 { - return nil, fmt.Errorf("No certificates in file %s", path) + return nil, fmt.Errorf("no certificates in file %s", path) } return certs, nil diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go index 582b6cf7f29..3b2f4878af6 100644 --- a/cmd/cosign/cli/trustedroot/trustedroot_test.go +++ b/cmd/cosign/cli/trustedroot/trustedroot_test.go @@ -29,7 +29,7 @@ import ( "github.com/sigstore/sigstore-go/pkg/root" ) -func TestTrustedRootCreate(t *testing.T) { +func TestCreateCmd(t *testing.T) { ctx := context.Background() // Make some certificate chains @@ -43,7 +43,7 @@ func TestTrustedRootCreate(t *testing.T) { outPath := filepath.Join(td, "trustedroot.json") - trustedrootCreate := TrustedRootCreateCmd{ + trustedrootCreate := CreateCmd{ CertChain: fulcioChainPath, Out: outPath, TSACertChainPath: tsaChainPath, diff --git a/doc/cosign.md b/doc/cosign.md index d7f90aae469..bb2e39b15d7 100644 --- a/doc/cosign.md +++ b/doc/cosign.md @@ -37,6 +37,7 @@ A tool for Container Signing, Verification and Storage in an OCI registry. * [cosign sign-blob](cosign_sign-blob.md) - Sign the supplied blob, outputting the base64-encoded signature to stdout. * [cosign tree](cosign_tree.md) - Display supply chain security related artifacts for an image such as signatures, SBOMs and attestations * [cosign triangulate](cosign_triangulate.md) - Outputs the located cosign image reference. This is the location where cosign stores the specified artifact type. +* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root * [cosign upload](cosign_upload.md) - Provides utilities for uploading artifacts to a registry * [cosign verify](cosign_verify.md) - Verify a signature on the supplied container image * [cosign verify-attestation](cosign_verify-attestation.md) - Verify an attestation on the supplied container image diff --git a/doc/cosign_trusted-root.md b/doc/cosign_trusted-root.md new file mode 100644 index 00000000000..eb2dc15dfb9 --- /dev/null +++ b/doc/cosign_trusted-root.md @@ -0,0 +1,27 @@ +## cosign trusted-root + +Interact with a Sigstore protobuf trusted root + +### Synopsis + +Tools for interacting with a Sigstore protobuf trusted root + +### Options + +``` + -h, --help help for trusted-root +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry. +* [cosign trusted-root create](cosign_trusted-root_create.md) - Create a Sigstore protobuf trusted root + diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md new file mode 100644 index 00000000000..8c7e94bba37 --- /dev/null +++ b/doc/cosign_trusted-root_create.md @@ -0,0 +1,36 @@ +## cosign trusted-root create + +Create a Sigstore protobuf trusted root + +### Synopsis + +Create a Sigstore protobuf trusted root by supplying verification material + +``` +cosign trusted-root create [flags] +``` + +### Options + +``` + --ca-intermediates string path to a file of intermediate CA certificates in PEM format which will be needed when building the certificate chains for the signing certificate. The flag is optional and must be used together with --ca-roots, conflicts with --certificate-chain. + --ca-roots string path to a bundle file of CA certificates in PEM format which will be needed when building the certificate chains for the signing certificate. Conflicts with --certificate-chain. + --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates. + -h, --help help for create + --out string path to output trusted root + --rekor-url string address of rekor STL server + --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates +``` + +### Options inherited from parent commands + +``` + --output-file string log output to a file + -t, --timeout duration timeout for commands (default 3m0s) + -d, --verbose log debug output +``` + +### SEE ALSO + +* [cosign trusted-root](cosign_trusted-root.md) - Interact with a Sigstore protobuf trusted root +