
Add TSA certificate related flags and fields for cosign attest #4079

Merged
merged 2 commits into from
Feb 21, 2025

Conversation

dmitris
Contributor

@dmitris dmitris commented Feb 21, 2025

Summary

Add the following command-line flags for cosign attest and cosign blob-attest:

  • timestamp-client-cacert
  • timestamp-client-cert
  • timestamp-client-key
  • timestamp-server-name

These enable mTLS connections to the custom TSA server using non-public CA roots. Also add the supporting fields in the AttestOptions struct.

All the added fields are optional with empty defaults - not providing them should not make any difference for those who do not need them.

The initial patch (442e0e8) is authored by my teammate Aditya Mahendrakar (@maditya) and used with the author's permission.

Release Note

  • Config changes (additions, deletions, updates)
    cosign attest and cosign blob-attest - add optional timestamp-client-cacert, timestamp-client-cert, timestamp-client-key, and timestamp-server-name flags to enable an mTLS connection to the custom TSA server (with the non-public CA roots), analogous to the existing flags for cosign sign[-blob].

Documentation

sigstore/docs#368

Add the following command-line flags for `cosign attest`:
* timestamp-client-cacert
* timestamp-client-cert
* timestamp-client-key
* timestamp-server-name

These enable mTLS connections to the custom TSA server
using non-public CA roots. Also add the supporting fields
in the AttestOptions struct.

All the added fields are optional with empty defaults -
not providing them should not make any difference for those
who do not need them.

The patch is authored by Aditya Mahendrakar (@maditya).

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>
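The four flags above map onto a standard Go mTLS client configuration: a private CA bundle replaces the system roots, the client certificate and key are presented to the TSA, and the server name drives SNI and hostname verification. The following is an added, self-contained illustration written for this page; it is not cosign's code, and the `TSAClientOptions` struct, `BuildTLSConfig` function, the server name `tsa.internal.example`, and the throwaway CA and client certificate generated by `GenerateTestMaterial` are all constructed for the example. It also checks the two failure modes a practitioner wants caught early: an unparseable CA bundle and a client certificate supplied without its key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TSAClientOptions is a hypothetical stand-in for the four optional values the
// PR adds to AttestOptions; each field comment names the corresponding flag.
type TSAClientOptions struct {
	CACertPEM     []byte // timestamp-client-cacert: PEM bundle of non-public CA roots
	ClientCertPEM []byte // timestamp-client-cert: PEM client certificate for mTLS
	ClientKeyPEM  []byte // timestamp-client-key: PEM private key matching the cert
	ServerName    string // timestamp-server-name: SNI and name the TSA cert must match
}

// BuildTLSConfig turns the options into a tls.Config. Every field is optional:
// with nothing set, the result uses system roots and presents no client cert,
// matching the "empty defaults change nothing" behaviour described in the PR.
func BuildTLSConfig(o TSAClientOptions) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: o.ServerName}
	if len(o.CACertPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(o.CACertPEM) {
			return nil, errors.New("timestamp-client-cacert: no certificates could be parsed")
		}
		cfg.RootCAs = pool // replaces, not extends, the system trust store
	}
	if (len(o.ClientCertPEM) > 0) != (len(o.ClientKeyPEM) > 0) {
		return nil, errors.New("timestamp-client-cert and timestamp-client-key must be given together")
	}
	if len(o.ClientCertPEM) > 0 {
		pair, err := tls.X509KeyPair(o.ClientCertPEM, o.ClientKeyPEM)
		if err != nil {
			return nil, fmt.Errorf("loading client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// GenerateTestMaterial builds a throwaway private CA and a client certificate it
// signed, so the example runs offline. These are constructed values, not real PKI.
func GenerateTestMaterial() (caPEM, certPEM, keyPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-private-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-cosign-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return caPEM, certPEM, keyPEM, nil
}

func main() {
	caPEM, certPEM, keyPEM, err := GenerateTestMaterial()
	if err != nil {
		panic(err)
	}
	cfg, err := BuildTLSConfig(TSAClientOptions{CACertPEM: caPEM, ClientCertPEM: certPEM,
		ClientKeyPEM: keyPEM, ServerName: "tsa.internal.example"}) // hypothetical TSA name
	if err != nil {
		panic(err)
	}
	fmt.Printf("custom roots: %v, client certs: %d, server name: %s\n",
		cfg.RootCAs != nil, len(cfg.Certificates), cfg.ServerName)
}
```

Two points worth keeping in mind when operating flags like these: setting `RootCAs` replaces the system trust store rather than adding to it, so the cacert bundle must contain every root needed to verify the TSA's chain; and the server-name value is what the TSA's certificate is checked against, so it should be a name present in that certificate's SANs rather than an internal alias or IP used only to reach the host.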
@dmitris dmitris requested a review from a team as a code owner February 21, 2025 15:38

codecov bot commented Feb 21, 2025

Codecov Report

Attention: Patch coverage is 0% with 54 lines in your changes missing coverage. Please review.

Project coverage is 36.62%. Comparing base (2ef6022) to head (a6c5931).
Report is 323 commits behind head on main.

Files with missing lines                  Patch %   Lines
cmd/cosign/cli/attest/attest_blob.go      0.00%     11 Missing and 1 partial ⚠️
cmd/cosign/cli/options/attest.go          0.00%     12 Missing ⚠️
cmd/cosign/cli/options/attest_blob.go     0.00%     12 Missing ⚠️
cmd/cosign/cli/attest/attest.go           0.00%     10 Missing ⚠️
cmd/cosign/cli/attest.go                  0.00%     4 Missing ⚠️
cmd/cosign/cli/attest_blob.go             0.00%     4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4079      +/-   ##
==========================================
- Coverage   40.10%   36.62%   -3.48%     
==========================================
  Files         155      210      +55     
  Lines       10044    13436    +3392     
==========================================
+ Hits         4028     4921     +893     
- Misses       5530     7897    +2367     
- Partials      486      618     +132     


Contributor

@haydentherapper haydentherapper left a comment


Can we do the same for attest-blob? Otherwise, LGTM.

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>
dmitris added a commit to dmitris/sigstore-docs that referenced this pull request Feb 21, 2025
Expand the list of commands that support the mTLS and custom CA
TSA parameters to include `cosign attest` and `cosign blob-attest`.
Related to sigstore/cosign#4079
and its issue
sigstore/cosign#4078.

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>
@haydentherapper
Contributor

Thanks!

@haydentherapper haydentherapper merged commit 8911168 into sigstore:main Feb 21, 2025
57 checks passed
@dmitris dmitris deleted the tsa-certs branch February 23, 2025 18:51
dmitris added a commit to dmitris/sigstore-docs that referenced this pull request Feb 24, 2025
Expand the list of commands that support the mTLS and custom CA
TSA parameters to include `cosign attest` and `cosign blob-attest`.
Related to sigstore/cosign#4079
and its issue
sigstore/cosign#4078.

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>