Add TSA certificate related flags and fields for cosign attest #4079
Add the following command-line flags for `cosign attest`:

* timestamp-client-cacert
* timestamp-client-cert
* timestamp-client-key
* timestamp-server-name

to enable the mTLS connections to the custom TSA server using non-public CA roots. Also add the supporting fields in the AttestOptions struct.

All the added fields are optional with empty defaults - not providing them should not make any difference for those who do not need them.

The patch is authored by Aditya Mahendrakar (@maditya).

Signed-off-by: Dmitry Savintsev <[email protected]>
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #4079 +/- ##
==========================================
- Coverage 40.10% 36.62% -3.48%
==========================================
Files 155 210 +55
Lines 10044 13436 +3392
==========================================
+ Hits 4028 4921 +893
- Misses 5530 7897 +2367
- Partials 486 618 +132
haydentherapper
left a comment
Can we do the same for attest-blob? Otherwise, LGTM.
Signed-off-by: Dmitry Savintsev <[email protected]>
Expand the list of commands that support the mTLS and custom CA TSA parameters to include `cosign attest` and `cosign blob-attest`. Related to sigstore/cosign#4079 and its issue sigstore/cosign#4078. Signed-off-by: Dmitry Savintsev <[email protected]>
Thanks!
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cosign](https://github.com/sigstore/cosign) | minor | `2.4.3` -> `2.5.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>sigstore/cosign (cosign)</summary>

### [`v2.5.0`](https://github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v250)

[Compare Source](sigstore/cosign@v2.4.3...v2.5.0)

v2.5.0 includes an implementation of the new bundle specification, attesting and verifying OCI image attestations uploaded as OCI artifacts. This feature is currently gated behind the `--new-bundle-format` flag when running `cosign attest`.

#### Features

- Add support for new bundle specification for attesting/verifying OCI image attestations ([#3889](sigstore/cosign#3889))
- Feat/non filename completions ([#4115](sigstore/cosign#4115))
- Add TSA certificate related flags and fields for cosign attest ([#4079](sigstore/cosign#4079))

#### Fixes

- cmd/cosign/cli: fix typo in ignoreTLogMessage ([#4111](sigstore/cosign#4111))
- Fix replace with compliant image mediatype ([#4077](sigstore/cosign#4077))

#### Contributors

- Bob Callaway
- Carlos Tadeu Panato Junior
- Cody Soyland
- Dmitry Savintsev
- Hayden B
- Ramon Petgrave
- Riccardo Schirone
- Stef Graces
- Ville Skyttä

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.
Summary

Add the following command-line flags for `cosign attest` and `cosign blob-attest`:

All the added fields are optional with empty defaults - not providing them should not make any difference for those who do not need them.

The initial patch (442e0e8) is authored by my teammate Aditya Mahendrakar (@maditya) and used with the author's permission.

Release Note

`cosign attest` and `cosign blob-attest` - add optional `timestamp-client-cacert`, `timestamp-client-cert`, `timestamp-client-key`, and `timestamp-server-name` flags to enable an mTLS connection to the custom TSA server (with the non-public CA roots), analogous to the existing flags for `cosign sign[-blob]`.

Documentation

sigstore/docs#368
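As an added illustration (not code from this PR or from cosign), the sketch below shows how four optional values like the ones named in the release note typically map onto a Go `tls.Config` for an mTLS client: private CA roots, a client certificate and key that must come as a pair, and a server-name override. `TSAOpts` and `tlsConfigFor` are hypothetical names, and trusting only the supplied CA bundle rather than adding it to the system pool is an assumption of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// TSAOpts is a hypothetical stand-in for the four optional values; "" means unset.
type TSAOpts struct {
	CACertPath, ClientCertPath, ClientKeyPath, ServerName string
}

// tlsConfigFor returns nil when nothing is set, so the default transport is kept.
func tlsConfigFor(o TSAOpts) (*tls.Config, error) {
	if o == (TSAOpts{}) {
		return nil, nil
	}
	if (o.ClientCertPath == "") != (o.ClientKeyPath == "") {
		return nil, errors.New("client cert and key must be provided together")
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ServerName: o.ServerName}
	if o.CACertPath != "" {
		pemBytes, err := os.ReadFile(o.CACertPath)
		if err != nil {
			return nil, fmt.Errorf("read CA bundle: %w", err)
		}
		pool := x509.NewCertPool() // assumption: trust only the private roots
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, errors.New("no PEM certificates found in CA bundle")
		}
		cfg.RootCAs = pool
	}
	if o.ClientCertPath != "" {
		pair, err := tls.LoadX509KeyPair(o.ClientCertPath, o.ClientKeyPath)
		if err != nil {
			return nil, fmt.Errorf("load client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

func main() {
	cfg, err := tlsConfigFor(TSAOpts{ClientCertPath: "client.pem"}) // constructed: key missing
	fmt.Println(cfg, err)
}
```

Rejecting a certificate without its key, or a CA bundle with no parsable certificate, makes a misconfiguration fail before any request is sent instead of silently falling back to a non-mTLS connection.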