Skip to content

Add UseSignedTimestamps to CheckOpts, refactor TSA options #4006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 13, 2025
Merged

Add UseSignedTimestamps to CheckOpts, refactor TSA options #4006

merged 1 commit into from
Jan 13, 2025

Conversation

codysoyland
Copy link
Member

Summary

This PR adds UseSignedTimestamps to CheckOpts and refactors TSA options to improve readability, consistency, and error handling.

This is partially split out of #3889, where we will need CheckOpts.UseSignedTimestamps in order to set the options needed by sigstore-go's verifier.

Release Note

Documentation

@codecov Codecov
Copy link

codecov bot commented Jan 10, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 18.18182% with 27 lines in your changes missing coverage. Please review.

Project coverage is 36.51%. Comparing base (2ef6022) to head (16e1820).
Report is 278 commits behind head on main.

Files with missing lines Patch % Lines
pkg/cosign/verify.go 11.11% 7 Missing and 1 partial ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 14.28% 3 Missing and 3 partials ⚠️
cmd/cosign/cli/verify/verify_blob.go 44.44% 3 Missing and 2 partials ⚠️
cmd/cosign/cli/verify/verify.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/verify.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4006      +/-   ##
==========================================
- Coverage   40.10%   36.51%   -3.60%     
==========================================
  Files         155      209      +54     
  Lines       10044    13347    +3303     
==========================================
+ Hits         4028     4873     +845     
- Misses       5530     7853    +2323     
- Partials      486      621     +135

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@haydentherapper
Copy link
Contributor

This can be rebased to fix the conformance failure.

haydentherapper
haydentherapper approved these changes Jan 13, 2025
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, thanks for the cleanup!

When we document this change in the changelog, we should mention that it is a breaking API change if you're calling cosign.Verify with timestamps, but a) we have no semver for the API, and b) I don't think this is a common usecase.

@codysoyland
Add UseSignedTimestamps to CheckOpts, refactor TSA options
16e1820 
Signed-off-by: Cody Soyland <codysoyland@github.com>
@codysoyland codysoyland force-pushed the checkopts-use-signed-timestamps branch from 9d3753b to 16e1820 Compare January 13, 2025 20:18
@haydentherapper haydentherapper enabled auto-merge (squash) January 13, 2025 20:19
@haydentherapper haydentherapper merged commit accc80a into sigstore:main Jan 13, 2025
23 checks passed
@codysoyland codysoyland deleted the checkopts-use-signed-timestamps branch January 13, 2025 21:38
@codysoyland codysoyland mentioned this pull request Jan 23, 2025
Merged
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Feb 6, 2025
@tmeijn
build(deps): update cosign to v2.4.2
618e169 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cosign](https://github.com/sigstore/cosign) | patch | `2.4.1` -> `2.4.2` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>sigstore/cosign (cosign)</summary>

### [`v2.4.2`](https://github.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v242)

[Compare Source](sigstore/cosign@v2.4.1...v2.4.2)

#### Features

-   Updated open-policy-agent to 1.1.0 library ([#&#8203;4036](sigstore/cosign#4036))
    -   Note that only Rego v0 policies are supported at this time
-   Add UseSignedTimestamps to CheckOpts, refactor TSA options ([#&#8203;4006](sigstore/cosign#4006))
-   Add support for verifying root checksum in cosign initialize ([#&#8203;3953](sigstore/cosign#3953))
-   Detect if user supplied a valid protobuf bundle ([#&#8203;3931](sigstore/cosign#3931))
-   Add a log message if user doesn't provide `--trusted-root` ([#&#8203;3933](sigstore/cosign#3933))
-   Support mTLS towards container registry ([#&#8203;3922](sigstore/cosign#3922))
-   Add bundle create helper command ([#&#8203;3901](sigstore/cosign#3901))
-   Add trusted-root create helper command ([#&#8203;3876](sigstore/cosign#3876))

#### Bug Fixes

-   fix: set tls config while retaining other fields from default http transport ([#&#8203;4007](sigstore/cosign#4007))
-   policy fuzzer: ignore known panics ([#&#8203;3993](sigstore/cosign#3993))
-   Fix for multiple WithRemote options ([#&#8203;3982](sigstore/cosign#3982))
-   Add nightly conformance test workflow ([#&#8203;3979](sigstore/cosign#3979))
-   Fix copy --only for signatures + update/align docs ([#&#8203;3904](sigstore/cosign#3904))

#### Documentation

-   Remove usage.md from spec, point to client spec ([#&#8203;3918](sigstore/cosign#3918))
-   move reference from gcr to ghcr ([#&#8203;3897](sigstore/cosign#3897))

#### Contributors

-   AdamKorcz
-   Aditya Sirish
-   Bob Callaway
-   Carlos Tadeu Panato Junior
-   Cody Soyland
-   Colleen Murphy
-   Hayden B
-   Jussi Kukkonen
-   Marco Franssen
-   Nianyu Shen
-   Slavek Kabrda
-   Søren Juul
-   Warren Hodgkinson
-   Zach Steindler

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNTguMSIsInVwZGF0ZWRJblZlciI6IjM5LjE1OC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@codysoyland @haydentherapper