cosign policy sign: remove experimental flag and make keyless signing…

… default (#2459)

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

cmd/cosign/cli/options/policy.go

@@ -63,6 +63,7 @@ type PolicySignOptions struct {
 	Fulcio           FulcioOptions
 	Rekor            RekorOptions
 	SkipConfirmation bool
+	TlogUpload       bool
 
 	OIDC OIDCOptions
 }
@@ -80,6 +81,9 @@ func (o *PolicySignOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for non-destructive operations")
 
+	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", false,
+		"whether or not to upload to the tlog")
+
 	o.Registry.AddFlags(cmd)
 	o.Fulcio.AddFlags(cmd)
 	o.Rekor.AddFlags(cmd)

cmd/cosign/cli/policy_init.go

@@ -181,7 +181,7 @@ func signPolicy() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			sv, err := sign.SignerFromKeyOpts(ctx, "", "", options.KeyOpts{
+			ko := options.KeyOpts{
 				FulcioURL:                o.Fulcio.URL,
 				IDToken:                  o.Fulcio.IdentityToken,
 				InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
@@ -192,7 +192,8 @@ func signPolicy() *cobra.Command {
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
 				OIDCProvider:             o.OIDC.Provider,
 				SkipConfirmation:         o.SkipConfirmation,
-			})
+			}
+			sv, err := sign.SignerFromKeyOpts(ctx, "", "", ko)
 
 			if err != nil {
 				return err
@@ -260,7 +261,7 @@ func signPolicy() *cobra.Command {
 			}
 
 			// Upload to rekor
-			if options.EnableExperimental() {
+			if sign.ShouldUploadToTlog(ctx, ko, ref, ko.SkipConfirmation, o.TlogUpload) {
 				// TODO: Refactor with sign.go
 				rekorBytes := sv.Cert
 				rekorClient, err := rekor.NewClient(o.Rekor.URL)