diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index a14e59a0..545156cf 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -50,8 +50,6 @@ jobs: with: go-version: '1.20' check-latest: true - - name: Install cosign - uses: sigstore/cosign-installer@main - name: Install Gitsign run: | @@ -126,7 +124,7 @@ jobs: # Setup staging TUF root - https://github.com/sigstore/public-good-instance/blob/1023ed05b7a8cf28e6a7de73bf98dd5075d97858/playbooks/tuf.md#updating-tuf-metadata-for-staging rm -rf ~/.sigstore wget https://tuf-repo-cdn.sigstage.dev/root.json - cosign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json + gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json # Sign commit git commit --allow-empty -S --message="Signed commit" diff --git a/docs/cli/gitsign.md b/docs/cli/gitsign.md index 5298aa8a..a72b2c58 100644 --- a/docs/cli/gitsign.md +++ b/docs/cli/gitsign.md @@ -23,6 +23,7 @@ gitsign [flags] ### SEE ALSO * [gitsign attest](gitsign_attest.md) - add attestations to Git objects +* [gitsign initialize](gitsign_initialize.md) - Initializes Sigstore root to retrieve trusted certificate and key targets for verification. * [gitsign show](gitsign_show.md) - Show source predicate information * [gitsign verify](gitsign_verify.md) - Verify a commit * [gitsign version](gitsign_version.md) - print Gitsign version diff --git a/docs/cli/gitsign_initialize.md b/docs/cli/gitsign_initialize.md new file mode 100644 index 00000000..f9114b81 --- /dev/null +++ b/docs/cli/gitsign_initialize.md 
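Review bot: The staging `root.json` is fetched with `wget` on every run and handed straight to `gitsign initialize --root=root.json`, so the job's trust anchor is whatever the CDN served at that moment, with no integrity check on the download. Since `--root` exists precisely to supply an out-of-band trusted root, consider vendoring the staging root.json in the repository (or comparing the download against a pinned digest before use) and pointing `--root` at that copy. The `wget` line predates this commit; the hunk only swaps `cosign` for `gitsign` on the initialize call, and the surrounding `run:` script continues outside the hunk.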
@@ -0,0 +1,51 @@
+## gitsign initialize
+
+Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
+
+### Synopsis
+
+Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
+
+The following options are used by default:
+ - The current trusted Sigstore TUF root is embedded inside gitsign at the time of release.
+ - Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.
+
+To provide an out-of-band trusted initial root.json, use the -root flag with a file or URL reference.
+This will enable you to point gitsign to a separate TUF root.
+
+Any updated TUF repository will be written to $HOME/.sigstore/root/.
+
+Trusted keys and certificate used in gitsign verification (e.g. verifying Fulcio issued certificates
+with Fulcio root CA) are pulled form the trusted metadata.
+
+```
+gitsign initialize [flags]
+```
+
+### Examples
+
+```
+gitsign initialize -mirror -out
+
+# initialize root with distributed root keys, default mirror, and default out path.
+gitsign initialize
+
+# initialize with an out-of-band root key file, using the default mirror.
+gitsign initialize -root
+
+# initialize with an out-of-band root key file and custom repository mirror.
+gitsign initialize -mirror -root
+```
+
+### Options
+
+```
+ -h, --help help for initialize
+ --mirror string GCS bucket to a Sigstore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev")
+ --root string path to trusted initial root. defaults to embedded root
+```
+
+### SEE ALSO
+
+* [gitsign](gitsign.md) - Keyless Git signing with Sigstore!
+
diff --git a/internal/commands/initialize/initialize.go b/internal/commands/initialize/initialize.go
new file mode 100644
index 00000000..4e9b63d9
--- /dev/null
+++ b/internal/commands/initialize/initialize.go
@@ -0,0 +1,77 @@
+//
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package initialize inits the TUF root for the tool.
+// This is intended to replicate the behavior of `gitsign initialize`.
+package initialize
+
+import (
+ "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize"
+ "github.com/sigstore/sigstore/pkg/tuf"
+ "github.com/spf13/cobra"
+)
+
+type options struct {
+ Mirror string
+ Root string
+}
+
+// AddFlags implements Interface
+func (o *options) AddFlags(cmd *cobra.Command) {
+ cmd.Flags().StringVar(&o.Mirror, "mirror", tuf.DefaultRemoteRoot,
+ "GCS bucket to a Sigstore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap)")
+
+ cmd.Flags().StringVar(&o.Root, "root", "",
+ "path to trusted initial root. defaults to embedded root")
+ _ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{})
+}
+
+func New() *cobra.Command {
+ o := &options{}
+
+ cmd := &cobra.Command{
+ Use: "initialize",
+ Short: "Initializes Sigstore root to retrieve trusted certificate and key targets for verification.",
+ Long: `Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
+
+The following options are used by default:
+ - The current trusted Sigstore TUF root is embedded inside gitsign at the time of release.
+ - Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.
+
+To provide an out-of-band trusted initial root.json, use the -root flag with a file or URL reference.
+This will enable you to point gitsign to a separate TUF root.
+
+Any updated TUF repository will be written to $HOME/.sigstore/root/.
+
+Trusted keys and certificate used in gitsign verification (e.g. verifying Fulcio issued certificates
+with Fulcio root CA) are pulled form the trusted metadata.`,
+ Example: `gitsign initialize -mirror -out
+
+# initialize root with distributed root keys, default mirror, and default out path.
+gitsign initialize
+
+# initialize with an out-of-band root key file, using the default mirror.
+gitsign initialize -root
+
+# initialize with an out-of-band root key file and custom repository mirror.
+gitsign initialize -mirror -root `,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return initialize.DoInitialize(cmd.Context(), o.Root, o.Mirror)
+ },
+ }
+
+ o.AddFlags(cmd)
+ return cmd
+}
diff --git a/internal/commands/root/root.go b/internal/commands/root/root.go
index 660b7695..8015b372 100644
--- a/internal/commands/root/root.go
+++ b/internal/commands/root/root.go
@@ -19,6 +19,7 @@ import (
 "github.com/spf13/cobra"
 "github.com/sigstore/gitsign/internal/commands/attest"
+ "github.com/sigstore/gitsign/internal/commands/initialize"
 "github.com/sigstore/gitsign/internal/commands/show"
 "github.com/sigstore/gitsign/internal/commands/verify"
 "github.com/sigstore/gitsign/internal/commands/version"
@@ -91,6 +92,7 @@ func New(cfg *config.Config) *cobra.Command {
 rootCmd.AddCommand(show.New(cfg))
 rootCmd.AddCommand(attest.New(cfg))
 rootCmd.AddCommand(verify.New(cfg))
+ rootCmd.AddCommand(initialize.New())
 o.AddFlags(rootCmd)
 return rootCmd
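Review bot: The Example string in New advertises `gitsign initialize -mirror -out`, but AddFlags registers only `--mirror` and `--root`, so there is no `-out` flag for a user to copy (cobra rejects unknown flags); drop `-out` and the "default out path" comment, or register the flag, and check that the example's placeholder values survived — as rendered here `-mirror`, `-root` and `-out` have no arguments. The package comment says the package replicates `gitsign initialize` when it is that command; it should read "replicate the behavior of `cosign initialize`", which is what `initialize.DoInitialize` delegates to. The Long text has the typo "pulled form the trusted metadata" (from), and `// AddFlags implements Interface` names nothing visible in this file — `// AddFlags registers the --mirror and --root flags on cmd.` would tell the reader what it does. The discarded error on `SetAnnotation` should carry its reason, e.g. `// error only if "root" is unknown; it was registered just above`.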