disallow key and cert identity being used together during verification #4636
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4636 +/- ##
==========================================
- Coverage 40.10% 36.58% -3.53%
==========================================
Files 155 220 +65
Lines 10044 12624 +2580
==========================================
+ Hits 4028 4618 +590
- Misses 5530 7305 +1775
- Partials 486 701 +215 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Hayden-IO
left a comment
Hayden-IO
left a comment
There was a problem hiding this comment.
Thanks! Can we also update verify-attestation and verify-blob-attestation? Can we have a shared method for verifying this called by the four verify-* commands?
cmd/cosign/cli/verify/verify.go
Outdated
| } | ||
|
|
||
| if c.KeyRef != "" && c.CertIdentity != "" { | ||
| return fmt.Errorf("provide either --key or --certificate-identity, not both") |
There was a problem hiding this comment.
Can you add a little bit more about what to do when you get this error? How should you know whether to provide a key or identity?
As I went to add the other verify commands, I found the NOf function being used to do similar mutually exclusive checks and copied that pattern. I also was looking deeper at the options and noticed CertIdentityRegex and I believe that should be added to the check as well as it appears to be an alternative to CertIdentity. This did cause an e2e test to fail. I did my best to dig into that test and I believe it ok to remove the CertVerifyOptions as the validation is done by key, but please double check me here. |
Hayden-IO
left a comment
Hayden-IO
left a comment
There was a problem hiding this comment.
Thanks, this looks great!
cmd/cosign/cli/options/errors.go
Outdated
| func (e *KeyAndIdentityParseError) Error() string { | ||
| return "exactly one of: key reference (--key) or certificate identity " + | ||
| "(--certificate-identity or --certificate-identity-regexp), must be provided. " + | ||
| "Bundles signed with identity will have a 'certificate' field under 'verificationMaterial.' " + |
There was a problem hiding this comment.
This will also cover the older Cosign bundle format - https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#properties - so we should mention a certificate could be under this as well.
Signed-off-by: Eric Pickard <piceri@github.com>
…d mutually exclusive flag tests Signed-off-by: Eric Pickard <piceri@github.com>
Signed-off-by: Eric Pickard <piceri@github.com>
Signed-off-by: Eric Pickard <piceri@github.com>
Signed-off-by: Eric Pickard <piceri@github.com>
piceri
force-pushed
the
verify-fail-with-key-and-identity
branch
from
230487f to
bb6a8cb
Compare
Signed-off-by: Eric Pickard <piceri@github.com>
piceri
force-pushed
the
verify-fail-with-key-and-identity
branch
from
bb6a8cb to
c491b79
Compare
2 participants
Summary
Closes #4617
This pull request forces a failure when both the --key and --certificate-identity flags are used when trying to verify. This will avoid confusion as to which method was used to verify and prompt users to only provide one or the other.
Release Note
Changed verify and verify-blob to not allow --key and --certificate-identity to be used together
Documentation