sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Create subcommands to help people move to trusted roots and protobuf ("new") bundles #3855

Closed steiza closed 2 months ago

steiza commented 2 months ago

Description

We are working on adding support to cosign for trusted roots (#3700) and the protobuf bundle format (#3139).

For folks who have previously signed disparate content, it could be helpful to have a subcommand that helps them assemble it into a new protobuf bundle.

Likewise, for folks with a private Sigstore deployment, it might be helpful to provide a subcommand that takes disparate verification material and assembles a trusted root.

Here's an example of what those commands could look like:

cosign create-new-bundle

Assembles a protobuf ("new") bundle. Has flags similar to `verify-blob` and `verify-blob-attestation`. Includes whatever information is not empty strings.

    --bundle='':
    path to bundle FILE to output

    --certificate='':
    path to the public certificate. The certificate will be verified
    against the Fulcio roots.

    --rfc3161-timestamp='':
    path to RFC3161 timestamp FILE

    --sct='':
    path to a detached Signed Certificate Timestamp, formatted as a
    RFC6962 AddChainResponse struct. If a certificate contains an SCT,
    verification will check both the detached and embedded SCTs.

    --signature='':
    signature content or path or remote URL

cosign create-trusted-root

Defaults to outputting the PGI trusted root, obtained via TUF. Has flags similar to `verify-blob` and `verify-blob-attestation`. Includes whatever information is not empty strings (e.g. if you don't want a timestamp authority in your trusted root, leave off `--timestamp-certificate-chain`).

    --ca-intermediates='':
    path to a file of intermediate CA certificates in PEM format which
    will be needed when building the certificate chains for the signing
    certificate. The flag is optional and must be used together with
    --ca-roots, conflicts with --certificate-chain.

    --ca-roots='':
    path to a bundle file of CA certificates in PEM format which will be
    needed when building the certificate chains for the signing
    certificate. Conflicts with --certificate-chain.

    --certificate-chain='':
    path to a list of CA certificates in PEM format which will be needed
    when building the certificate chain for the signing certificate. Must
    start with the parent intermediate CA certificate of the signing
    certificate and end with the root certificate. Conflicts with
    --ca-roots and --ca-intermediates.

    --key='':
    path to the public key file, KMS URI or Kubernetes Secret

    --rekor-url='https://rekor.sigstore.dev':
    address of rekor STL server

    --timestamp-certificate-chain='':
    path to PEM-encoded certificate chain file for the RFC3161 timestamp
    authority. Must contain the root CA certificate. Optionally may
    contain intermediate CA certificates, and may contain the leaf TSA
    certificate if not present in the timestamp

    --trusted-root='':
    path to trusted root FILE to output
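
As an added illustration of what `create-new-bundle` would assemble (example code, not cosign's own and not from this issue): it maps the certificate, signature and RFC 3161 timestamp inputs onto the protobuf bundle v0.3 JSON fields and leaves out anything that is empty. The media type and key names are taken from sigstore/protobuf-specs; the sample certificate and signature bytes are constructed stand-ins, and the detached `--sct` input is not covered.

```python
"""Assemble a Sigstore protobuf ("new") bundle from disparate signing material.

Added example, not cosign's code: like the proposed `cosign create-new-bundle`,
empty inputs are simply left out. Keys follow the protobuf-specs Bundle v0.3
JSON encoding (camelCase, bytes as base64); the detached SCT is not covered.
"""
import base64
import hashlib
import json

BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the PEM block: drop header/footer lines, base64-decode."""
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def create_new_bundle(artifact: bytes, signature: bytes, certificate_pem: str,
                      rfc3161_timestamp: bytes = b"") -> dict:
    """Build the bundle as a dict; required pieces are checked up front."""
    if not signature:
        raise ValueError("--signature is required")
    if not certificate_pem.strip():
        raise ValueError("--certificate is required")
    material = {"certificate": {"rawBytes": b64(pem_to_der(certificate_pem))}}
    if rfc3161_timestamp:  # optional input: only emitted when supplied
        material["timestampVerificationData"] = {
            "rfc3161Timestamps": [{"signedTimestamp": b64(rfc3161_timestamp)}]}
    return {
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": material,
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256",
                              "digest": b64(hashlib.sha256(artifact).digest())},
            "signature": b64(signature)}}

# Constructed sample inputs: a tiny DER SEQUENCE stands in for a real cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + b64(SAMPLE_DER)
                   + "\n-----END CERTIFICATE-----\n")
SAMPLE_SIG = b"\x30\x06\x02\x01\x02\x02\x01\x03"  # constructed, not a real sig

if __name__ == "__main__":
    print(json.dumps(create_new_bundle(b"hello", SAMPLE_SIG, SAMPLE_CERT_PEM),
                     indent=2))
```

The resulting JSON is what a v0.3-aware verifier expects as a single bundle file; a Rekor entry (`tlogEntries`) would be added to `verificationMaterial` in the same way when one is available.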

steiza commented 2 months ago

See https://github.com/sigstore/cosign/issues/3794#issuecomment-2315979420 instead