From 782e1f571c22e04c8716f2f8d8edb756465fa40e Mon Sep 17 00:00:00 2001 From: Noah Kreiger Date: Thu, 7 Mar 2024 07:26:38 -0500 Subject: [PATCH 1/3] add fulcio oauth flow client credentials Signed-off-by: Noah Kreiger --- cmd/cosign/cli/attest.go | 1 + cmd/cosign/cli/attest_blob.go | 1 + cmd/cosign/cli/fulcio/fulcio.go | 9 ++++++--- cmd/cosign/cli/options/fulcio.go | 4 ++++ cmd/cosign/cli/sign.go | 1 + cmd/cosign/cli/signblob.go | 1 + doc/cosign_attest-blob.md | 1 + doc/cosign_attest.md | 1 + doc/cosign_sign-blob.md | 1 + doc/cosign_sign.md | 1 + 10 files changed, 18 insertions(+), 3 deletions(-) diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index 73b473a6ab2..644b85bf352 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -74,6 +74,7 @@ func Attest() *cobra.Command { Slot: o.SecurityKey.Slot, FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, RekorURL: o.Rekor.URL, OIDCIssuer: o.OIDC.Issuer, diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go index 3e7c6fe36b4..3cefa61ba53 100644 --- a/cmd/cosign/cli/attest_blob.go +++ b/cmd/cosign/cli/attest_blob.go @@ -61,6 +61,7 @@ func AttestBlob() *cobra.Command { Slot: o.SecurityKey.Slot, FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, RekorURL: o.Rekor.URL, OIDCIssuer: o.OIDC.Issuer, diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index de555d47b27..cc3e12ca9be 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go @@ -38,9 +38,10 @@ import ( ) const ( - flowNormal = "normal" - flowDevice = "device" - flowToken = "token" + flowNormal = "normal" + flowDevice = "device" + flowToken = "token" + flowClientCredentials = "client_credentials" ) type oidcConnector interface { 
@@ -89,6 +90,8 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) { c := &realConnector{} switch flow { + case flowClientCredentials: + c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer) case flowDevice: c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer) case flowNormal: diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go index 291710c077b..45312b8eeb1 100644 --- a/cmd/cosign/cli/options/fulcio.go +++ b/cmd/cosign/cli/options/fulcio.go @@ -24,6 +24,7 @@ const DefaultFulcioURL = "https://fulcio.sigstore.dev" // FulcioOptions is the wrapper for Fulcio related options. type FulcioOptions struct { URL string + AuthFlow string IdentityToken string InsecureSkipFulcioVerify bool } @@ -39,6 +40,9 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) { cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "", "identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.") + cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "", + "fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment.") + cmd.Flags().BoolVar(&o.InsecureSkipFulcioVerify, "insecure-skip-verify", false, "skip verifying fulcio published to the SCT (this should only be used for testing).") } diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 76f84a3210c..a4ae71210f6 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go 
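Review bot: The new `case flowClientCredentials` passes only `oidcIssuer` to `oauthflow.NewClientCredentialsFlow`, yet a client-credentials grant by definition authenticates with a client ID and secret, and nothing in this hunk checks that `oidcClientSecret` is set when this flow is selected, so a missing secret would surface only as whatever error the issuer returns. A guard at the top of the case, `if oidcClientSecret == "" { return nil, errors.New("client_credentials flow requires an OIDC client secret") }`, fails fast with an actionable message (this assumes the secret reaches the flow via the `oidcClientSecret` parameter of GetCert, which the hunk does not show). The case also deserves a one-line comment for future readers, `// client_credentials is non-interactive: the token, and so the Fulcio certificate identity, presumably belongs to the OAuth client rather than a human user`, since that difference is what verifiers will see in the issued certificate. Unrecognised `--fulcio-auth-flow` values fall through to the switch's default branch, which, like the rest of GetCert, lies outside this hunk.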
@@ -110,6 +110,7 @@ race conditions or (worse) malicious tampering. Slot: o.SecurityKey.Slot, FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, RekorURL: o.Rekor.URL, OIDCIssuer: o.OIDC.Issuer, diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 28a65a94c65..956edc6ef81 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -75,6 +75,7 @@ func SignBlob() *cobra.Command { Slot: o.SecurityKey.Slot, FulcioURL: o.Fulcio.URL, IDToken: o.Fulcio.IdentityToken, + FulcioAuthFlow: o.Fulcio.AuthFlow, InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify, RekorURL: o.Rekor.URL, OIDCIssuer: o.OIDC.Issuer, diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 515999fecf3..63a3068ad68 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md @@ -37,6 +37,7 @@ cosign attest-blob [flags] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --hash string hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash -h, --help help for attest-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. 
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 95a436d2784..cb7bdc4e152 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md @@ -50,6 +50,7 @@ cosign attest [flags] --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for attest --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index f49b5461906..e9f1d466411 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md @@ -41,6 +41,7 @@ cosign sign-blob [flags] --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index de309400e77..121b8997587 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -82,6 +82,7 @@ cosign sign [flags] --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). From 2b6c8815236338273923c0f6026b7c15a28ca23c Mon Sep 17 00:00:00 2001 From: Noah Kreiger Date: Thu, 7 Mar 2024 07:49:17 -0500 Subject: [PATCH 2/3] fix docgen Signed-off-by: Noah Kreiger --- doc/cosign_attest-blob.md | 2 +- doc/cosign_attest.md | 2 +- doc/cosign_sign-blob.md | 2 +- doc/cosign_sign.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index 63a3068ad68..a6baddae9f2 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md 
@@ -36,8 +36,8 @@ cosign attest-blob [flags] --bundle string write everything required to verify the blob to a FILE --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature - --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. + --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") --hash string hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash -h, --help help for attest-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index cb7bdc4e152..27158c333d4 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -47,10 +47,10 @@ cosign attest [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for attest --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). --key string path to the private key file, KMS URI or Kubernetes Secret diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index e9f1d466411..8bd0c42075a 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md 
@@ -38,10 +38,10 @@ cosign sign-blob [flags] ``` --b64 whether to base64 encode the output (default true) --bundle string write everything required to verify the blob to a FILE + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --key string path to the private key file, KMS URI or Kubernetes Secret diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 121b8997587..584be6cadf0 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -79,10 +79,10 @@ cosign sign [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. --insecure-skip-verify skip verifying fulcio published to the SCT (this should only be used for testing). --issue-certificate issue a code signing certificate from Fulcio, even if a key is provided --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity). From 2acc28b29616f229a6ad13fc0ff150225a3215a0 Mon Sep 17 00:00:00 2001 From: Noah Kreiger Date: Fri, 8 Mar 2024 06:46:24 -0500 Subject: [PATCH 3/3] add options Signed-off-by: Noah Kreiger --- cmd/cosign/cli/options/fulcio.go | 2 +- doc/cosign_attest-blob.md | 2 +- doc/cosign_attest.md | 2 +- doc/cosign_sign-blob.md | 2 +- doc/cosign_sign.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go index 45312b8eeb1..139731a77ce 100644 --- a/cmd/cosign/cli/options/fulcio.go +++ b/cmd/cosign/cli/options/fulcio.go @@ -41,7 +41,7 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) { "identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.") cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "", - "fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment.") + "fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials") cmd.Flags().BoolVar(&o.InsecureSkipFulcioVerify, "insecure-skip-verify", false, "skip verifying fulcio published to the SCT (this should only be used for testing).") diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md index a6baddae9f2..f9c50468be0 100644 --- a/doc/cosign_attest-blob.md +++ b/doc/cosign_attest-blob.md 
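Review bot: The updated help string still calls the flag a `fulcio interactive oauth2 flow` although two of the values it now lists, `token` and `client_credentials`, are non-interactive, which misleads exactly the CI users the new option is meant for. Suggest `"oauth2 flow used to obtain the identity token for the fulcio certificate: normal|device|token|client_credentials. Defaults to choosing a flow from the runtime environment."`. The listed values are documentation only: the flag accepts any string, and an unsupported value is rejected, if at all, only by the `switch flow` in cmd/cosign/cli/fulcio GetCert, so a parse-time check against the four names in the options package would give an earlier and clearer error; whether cosign has a convention for enumerated flags elsewhere is not visible here. The AddFlags function continues outside the hunk.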
@@ -36,7 +36,7 @@ cosign attest-blob [flags] --bundle string write everything required to verify the blob to a FILE --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") --hash string hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash -h, --help help for attest-blob diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md index 27158c333d4..ccd9bd8043f 100644 --- a/doc/cosign_attest.md +++ b/doc/cosign_attest.md 
@@ -47,7 +47,7 @@ cosign attest [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for attest --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md index 8bd0c42075a..a53f34e4f9d 100644 --- a/doc/cosign_sign-blob.md +++ b/doc/cosign_sign-blob.md 
@@ -38,7 +38,7 @@ cosign sign-blob [flags] ``` --b64 whether to base64 encode the output (default true) --bundle string write everything required to verify the blob to a FILE - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign-blob --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted. diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md index 584be6cadf0..9e28e10fd25 100644 --- a/doc/cosign_sign.md +++ b/doc/cosign_sign.md 
@@ -79,7 +79,7 @@ cosign sign [flags] --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature - --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. + --fulcio-auth-flow string fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials --fulcio-url string address of sigstore PKI server (default "https://fulcio.sigstore.dev") -h, --help help for sign --identity-token string identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.