diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
index d894380a212..a11e98364a4 100644
--- a/cmd/cosign/cli/options/certificate.go
+++ b/cmd/cosign/cli/options/certificate.go
@@ -38,7 +38,7 @@ type CertVerifyOptions struct {
 CertChain string
 SCT string
 IgnoreSCT bool
- ExpectSigstoreBundle bool
+ NewBundleFormat bool
 TrustedRootPath string
 }
@@ -106,7 +106,7 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 "when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 "inclusion in a certificate transparency log")
 cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "", "Path to a Sigstore TrustedRoot JSON file.")
- cmd.Flags().BoolVar(&o.ExpectSigstoreBundle, "expect-sigstore-bundle", false, "expect the signature/attestation to be packaged in a Sigstore bundle")
+ cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false, "expect the signature/attestation to be packaged in a Sigstore bundle")
 }
 func (o *CertVerifyOptions) Identities() ([]cosign.Identity, error) {
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
index 4fb4e45c82d..04f26724510 100644
--- a/cmd/cosign/cli/verify/verify.go
+++ b/cmd/cosign/cli/verify/verify.go
@@ -146,7 +146,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 UseSignedTimestamps: c.UseSignedTimestamps,
 MaxWorkers: c.MaxWorkers,
 ExperimentalOCI11: c.ExperimentalOCI11,
- ExpectSigstoreBundle: c.ExpectSigstoreBundle,
+ NewBundleFormat: c.NewBundleFormat,
 }
 if c.TrustedRootPath != "" {
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index b65cd99a4ad..a4b0f520f51 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
@@ -121,27 +121,27 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 IgnoreTlog: c.IgnoreTlog,
 UseSignedTimestamps: c.UseSignedTimestamps,
 MaxWorkers: c.MaxWorkers,
- ExpectSigstoreBundle: c.ExpectSigstoreBundle,
+ NewBundleFormat: c.NewBundleFormat,
 }
 if c.CheckClaims {
 co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
 }
- if c.ExpectSigstoreBundle {
+ if c.NewBundleFormat {
 if err = checkSigstoreBundleUnsupportedOptions(c); err != nil {
 return err
 }
 }
 // Ignore Signed Certificate Timestamp if the flag is set or a key is provided
- if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) && !c.ExpectSigstoreBundle {
+ if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) && !c.NewBundleFormat {
 co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
 if err != nil {
 return fmt.Errorf("getting ctlog public keys: %w", err)
 }
 }
- if c.TSACertChainPath != "" || c.UseSignedTimestamps && !c.ExpectSigstoreBundle {
+ if c.TSACertChainPath != "" || c.UseSignedTimestamps && !c.NewBundleFormat {
 tsaCertificates, err := c.loadTSACertificates(ctx)
 if err != nil {
 return fmt.Errorf("unable to load TSA certificates: %w", err)
@@ -151,7 +151,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 co.TSAIntermediateCertificates = tsaCertificates.IntermediateCerts
 }
- if !c.IgnoreTlog && !co.ExpectSigstoreBundle {
+ if !c.IgnoreTlog && !co.NewBundleFormat {
 if c.RekorURL != "" {
 rekorClient, err := rekor.NewClient(c.RekorURL)
 if err != nil {
@@ -197,7 +197,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 return fmt.Errorf("initializing piv token verifier: %w", err)
 }
 case c.CertRef != "":
- if c.ExpectSigstoreBundle {
+ if c.NewBundleFormat {
 // This shouldn't happen because we already checked for this above in checkSigstoreBundleUnsupportedOptions
 return fmt.Errorf("unsupported: certificate reference currently not supported with --expect-sigstore-bundle")
 }
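Review bot: The error string on the last line of the `case c.CertRef != ""` hunk still points the user at `--expect-sigstore-bundle`, but this same commit renames that flag to `--new-bundle-format` in certificate.go, so the message now names a flag cobra will reject as unknown. Update the string together with the condition: `return fmt.Errorf("unsupported: certificate reference currently not supported with --new-bundle-format")`. The preceding comment says this branch is normally caught earlier by checkSigstoreBundleUnsupportedOptions, which is not in this diff and may carry the same stale flag name, so it is worth grepping every user-facing string and doc for the old name before merging. The enclosing Exec function begins and ends outside this hunk.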
@@ -238,7 +238,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 co.SCT = sct
 }
 case c.TrustedRootPath != "":
- if !c.ExpectSigstoreBundle {
+ if !c.NewBundleFormat {
 return fmt.Errorf("unsupported: trusted root path currently only supported with --expect-sigstore-bundle")
 }
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index c2d3c6efea2..7988e35cda5 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -174,10 +174,10 @@ type CheckOpts struct {
 // Defaults to false.
 ExperimentalOCI11 bool
- ExpectSigstoreBundle bool
+ NewBundleFormat bool
 // TrustedMaterial is the trusted material to use for verification.
- // Currently, this is only applicable when ExpectSigstoreBundle is true.
+ // Currently, this is only applicable when NewBundleFormat is true.
 TrustedMaterial root.TrustedMaterial
 // TODO: Add these to replace above fields?
@@ -602,7 +602,7 @@ func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co
 }
 }
- if co.ExpectSigstoreBundle {
+ if co.NewBundleFormat {
 return nil, false, errors.New("bundle support for image signatures is not yet implemented")
 }
@@ -994,7 +994,7 @@ func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, c
 if co.RootCerts == nil && co.SigVerifier == nil && co.TrustedMaterial == nil {
 return nil, false, errors.New("one of verifier, root certs, or TrustedMaterial is required")
 }
- if co.ExpectSigstoreBundle {
+ if co.NewBundleFormat {
 return verifyImageAttestationsSigstoreBundle(ctx, signedImgRef, co)
 }
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 9b0a54bec63..7ec814da58b 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -366,7 +366,7 @@ func attestVerify(t *testing.T, newBundleFormat bool, predicateType, attestation
 }
 if newBundleFormat {
- verifyAttestation.ExpectSigstoreBundle = true
+ verifyAttestation.NewBundleFormat = true
 }
 // Fail case when using without type and policy flag
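Review bot: The error message in the `case c.TrustedRootPath != ""` branch of this hunk still refers to `--expect-sigstore-bundle`, a flag that no longer exists once certificate.go renames it in this commit, so anyone passing `--trusted-root` without the bundle flag is told to use an option the CLI will reject. Change it to `return fmt.Errorf("unsupported: trusted root path currently only supported with --new-bundle-format")`. Because `--trusted-root` is how a caller pins the TrustedRoot used for verification, a misleading hint here is likely to send users hunting through other options, so a CLI-level test asserting the corrected text would keep it from drifting again. The enclosing Exec function begins and ends outside this hunk.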