add --private-infrastructure flag

This commit adds the --private-infrastructure command line flag for verification commands. This flag is an alias for --insecure-ignore-tlog with the exception that it also silences the warning message the later flag prints. This flag is intended for users who do not rely on a public transparency log and have their own private infrastructure dedicated to verification. Signed-off-by: dylrich <dylan.richardson@mongodb.com>
sigstore · Nov 17, 2023 · cb513f5 · cb513f5
1 parent f57aa2c
commit cb513f5
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 5 deletions.
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
@@ -28,7 +28,8 @@ type CommonVerifyOptions struct {
 	MaxWorkers       int
 	// This is added to CommonVerifyOptions to provide a path to support
 	// it for other verify options.
-	ExperimentalOCI11 bool
+	ExperimentalOCI11     bool
+	PrivateInfrastructure bool
 }
 
 func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
@@ -43,6 +44,9 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
 			"cannot be publicly verified when not included in a log")
 
+	cmd.Flags().BoolVar(&o.PrivateInfrastructure, "private-infrastructure", false,
+		"an alias for --insecure-ignore-tlog")
+
 	cmd.Flags().BoolVar(&o.ExperimentalOCI11, "experimental-oci11", false,
 		"set to true to enable experimental OCI 1.1 behaviour")
 

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -89,6 +89,10 @@ against the transparency log.`,
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			annotations, err := o.AnnotationsMap()
 			if err != nil {
 				return err
@@ -140,7 +144,7 @@ against the transparency log.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "signature"))
 			}
 
@@ -201,6 +205,10 @@ against the transparency log.`,
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			v := &verify.VerifyAttestationCommand{
 				RegistryOptions:              o.Registry,
 				CheckClaims:                  o.CheckClaims,
@@ -235,7 +243,7 @@ against the transparency log.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "attestation"))
 			}
 
@@ -298,6 +306,10 @@ The blob may be specified as a path to a file or - for stdin.`,
 		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			ko := options.KeyOpts{
 				KeyRef:               o.Key,
 				Sk:                   o.SecurityKey.Use,
@@ -326,7 +338,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob"))
 			}
 
@@ -359,6 +371,10 @@ The blob may be specified as a path to a file.`,
 		Args:             cobra.MaximumNArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if o.CommonVerifyOptions.PrivateInfrastructure {
+				o.CommonVerifyOptions.IgnoreTlog = true
+			}
+
 			ko := options.KeyOpts{
 				KeyRef:               o.Key,
 				Sk:                   o.SecurityKey.Use,
@@ -397,7 +413,7 @@ The blob may be specified as a path to a file.`,
 
 			ctx := cmd.Context()
 
-			if o.CommonVerifyOptions.IgnoreTlog {
+			if o.CommonVerifyOptions.IgnoreTlog && !o.CommonVerifyOptions.PrivateInfrastructure {
 				ui.Warnf(ctx, fmt.Sprintf(ignoreTLogMessage, "blob attestation"))
 			}
 

diff --git a/test/e2e_signblob_tsa_mtls.sh b/test/e2e_signblob_tsa_mtls.sh
@@ -86,6 +86,11 @@ $COSIGN_CLI verify-blob --bundle cosign.bundle \
     --rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
     --insecure-ignore-tlog=true --key import-cosign.pub $BLOB
 
+$COSIGN_CLI verify-blob --bundle cosign.bundle \
+    --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' \
+    --rfc3161-timestamp=timestamp.txt --timestamp-certificate-chain=$TIMESTAMP_CHAIN_FILE \
+    --private-infrastructure --key import-cosign.pub $BLOB
+
 # cleanup
 rm -fr blob.sig ca-key.pem cacert.pem cert.pem cosign.bundle import-cosign.key \
     import-cosign.pub key.pem timestamp.txt timestamp-chain.pem \

diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
@@ -165,6 +165,7 @@ cat /dev/urandom | head -n 10 | base64 > randomblob
 dgst=$(./cosign upload blob -f randomblob ${blobimg})
 ./cosign sign --key ${signing_key} --tlog-upload=false ${dgst}
 ./cosign verify --key ${verification_key} --insecure-ignore-tlog=true ${dgst} # For sanity
+./cosign verify --key ${verification_key} --private-infrastructure ${dgst}
 
 # clean up a bit
 crane delete $blobimg || true