Address review comments

--signing-config and --use-signing-config are now mutually exclusive.

TrustedMaterial and SigningConfig are set in the same line as fetching
the trusted root and signing config.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

Author: haydentherapper

cmd/cosign/cli/attest.go

@@ -113,29 +113,26 @@ func Attest() *cobra.Command {
 						return fmt.Errorf("loading trusted root: %w", err)
 					}
 				} else {
-					trustedMaterial, err := cosign.TrustedRoot()
+					ko.TrustedMaterial, err = cosign.TrustedRoot()
 					if err != nil {
 						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
 					}
-					ko.TrustedMaterial = trustedMaterial
 				}
 			}
 
 			if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
 				return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
 			}
 			if o.UseSigningConfig {
-				signingConfig, err := cosign.SigningConfig()
+				ko.SigningConfig, err = cosign.SigningConfig()
 				if err != nil {
 					return fmt.Errorf("error getting signing config from TUF: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			} else if o.SigningConfigPath != "" {
-				signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
 				if err != nil {
 					return fmt.Errorf("error reading signing config from file: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			}
 
 			attestCommand := attest.AttestCommand{

cmd/cosign/cli/attest_blob.go

@@ -101,28 +101,25 @@ func AttestBlob() *cobra.Command {
 						return fmt.Errorf("loading trusted root: %w", err)
 					}
 				} else {
-					trustedMaterial, err := cosign.TrustedRoot()
+					ko.TrustedMaterial, err = cosign.TrustedRoot()
 					if err != nil {
 						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
 					}
-					ko.TrustedMaterial = trustedMaterial
 				}
 			}
 			if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
 				return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
 			}
 			if o.UseSigningConfig {
-				signingConfig, err := cosign.SigningConfig()
+				ko.SigningConfig, err = cosign.SigningConfig()
 				if err != nil {
 					return fmt.Errorf("error getting signing config from TUF: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			} else if o.SigningConfigPath != "" {
-				signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
 				if err != nil {
 					return fmt.Errorf("error reading signing config from file: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			}
 
 			v := attest.AttestBlobCommand{

cmd/cosign/cli/options/attest.go

@@ -124,6 +124,8 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 		"path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format")
 
+	cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config")
+
 	cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
 		"optional path to a TrustedRoot JSON file to verify a signature after signing")
 }

cmd/cosign/cli/options/attest_blob.go

@@ -109,6 +109,8 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 		"path to a signing config file. Must provide --bundle, which will output verification material in the new format")
 
+	cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config")
+
 	cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
 		"optional path to a TrustedRoot JSON file to verify a signature after signing")
 

cmd/cosign/cli/options/sign.go

@@ -152,6 +152,8 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 		"path to a signing config file. Must provide --new-bundle-format, which will store verification material in the new format")
 
+	cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config")
+
 	cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
 		"optional path to a TrustedRoot JSON file to verify a signature after signing")
 }

cmd/cosign/cli/options/signblob.go

@@ -92,6 +92,8 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.SigningConfigPath, "signing-config", "",
 		"path to a signing config file. Must provide --bundle, which will output verification material in the new format")
 
+	cmd.MarkFlagsMutuallyExclusive("use-signing-config", "signing-config")
+
 	cmd.Flags().StringVar(&o.TrustedRootPath, "trusted-root", "",
 		"optional path to a TrustedRoot JSON file to verify a signature after signing")
 

cmd/cosign/cli/sign.go

@@ -143,29 +143,26 @@ race conditions or (worse) malicious tampering.
 						return fmt.Errorf("loading trusted root: %w", err)
 					}
 				} else {
-					trustedMaterial, err := cosign.TrustedRoot()
+					ko.TrustedMaterial, err = cosign.TrustedRoot()
 					if err != nil {
 						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
 					}
-					ko.TrustedMaterial = trustedMaterial
 				}
 			}
 
 			if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
 				return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
 			}
 			if o.UseSigningConfig {
-				signingConfig, err := cosign.SigningConfig()
+				ko.SigningConfig, err = cosign.SigningConfig()
 				if err != nil {
 					return fmt.Errorf("error getting signing config from TUF: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			} else if o.SigningConfigPath != "" {
-				signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
 				if err != nil {
 					return fmt.Errorf("error reading signing config from file: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			}
 
 			if err := sign.SignCmd(ro, ko, *o, args); err != nil {

cmd/cosign/cli/signblob.go

@@ -111,28 +111,25 @@ func SignBlob() *cobra.Command {
 						return fmt.Errorf("loading trusted root: %w", err)
 					}
 				} else {
-					trustedMaterial, err := cosign.TrustedRoot()
+					ko.TrustedMaterial, err = cosign.TrustedRoot()
 					if err != nil {
 						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
 					}
-					ko.TrustedMaterial = trustedMaterial
 				}
 			}
 			if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
 				return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
 			}
 			if o.UseSigningConfig {
-				signingConfig, err := cosign.SigningConfig()
+				ko.SigningConfig, err = cosign.SigningConfig()
 				if err != nil {
 					return fmt.Errorf("error getting signing config from TUF: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			} else if o.SigningConfigPath != "" {
-				signingConfig, err := root.NewSigningConfigFromPath(o.SigningConfigPath)
+				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
 				if err != nil {
 					return fmt.Errorf("error reading signing config from file: %w", err)
 				}
-				ko.SigningConfig = signingConfig
 			}
 
 			for _, blob := range args {