From c9eb68d4d53ad6566e14175aea30d4011dffeecb Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Mon, 16 Dec 2024 19:06:23 +0100
Subject: [PATCH] Fix copy --only for signatures + update/align docs (#3904)
See https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/copy/copy.go#L192 requires to have value `sig` instead of `sign`. Also aligned the option docs order to align with the order of the example. https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/copy.go#L40
Signed-off-by: Marco Franssen
---
 cmd/cosign/cli/copy/copy.go | 18 ++++++++++++++----
 cmd/cosign/cli/options/copy.go | 2 +-
 doc/cosign_copy.md | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/cmd/cosign/cli/copy/copy.go b/cmd/cosign/cli/copy/copy.go
index 6575c71fb4b..6e8d8391064 100644
--- a/cmd/cosign/cli/copy/copy.go
+++ b/cmd/cosign/cli/copy/copy.go
@@ -80,7 +80,10 @@ func CopyCmd(ctx context.Context, regOpts options.RegistryOptions, srcImg, dstIm
 }
 onlyFlagSet := false
- tags := parseOnlyOpt(copyOnly, sigOnly)
+ tags, err := parseOnlyOpt(copyOnly, sigOnly)
+ if err != nil {
+ return err
+ }
 if len(tags) > 0 {
 onlyFlagSet = true
 } else {
@@ -180,13 +183,20 @@ func remoteCopy(ctx context.Context, pusher *remote.Pusher, src, dest name.Refer
 return pusher.Push(ctx, dest, got)
 }
-func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap {
+func parseOnlyOpt(onlyFlag string, sigOnly bool) ([]tagMap, error) {
 var tags []tagMap
 tagSet := sets.New(strings.Split(onlyFlag, ",")...)
 if sigOnly {
 fmt.Fprintf(os.Stderr, "--sig-only is deprecated, use --only=sig instead")
- tagSet.Insert("sign")
+ tagSet.Insert("sig")
+ }
+
+ validTags := sets.New("sig", "sbom", "att")
+ for tag := range tagSet {
+ if !validTags.Has(tag) {
+ return nil, fmt.Errorf("invalid value for --only: %s, only following values are supported, %s", tag, validTags)
+ }
 }
 if tagSet.Has("sig") {
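Review bot: The new validation loop in `parseOnlyOpt` rejects the empty string, and `strings.Split(onlyFlag, ",")` returns `[""]` when `--only` is not given, so as written a plain `cosign copy` (and `--sig-only` used on its own) fails with "invalid value for --only". The caller's `if len(tags) > 0 { … } else {` branch in the first hunk shows that an empty selection is an expected, supported case. Skipping empty entries before the membership check, `if tag == "" { continue }`, keeps the default path working while still rejecting typos such as `sign`; trimming each entry with `strings.TrimSpace` first would also tolerate `sig, att`. The error message formats `validTags` with `%s`, which prints the set in its map form rather than as a readable list of accepted values. The body of `parseOnlyOpt` continues past this hunk, and a small table-driven test over `""`, `"sig"`, `"sig,att"` and an invalid value would pin the intended behaviour.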
@@ -198,5 +208,5 @@ func parseOnlyOpt(onlyFlag string, sigOnly bool) []tagMap {
 if tagSet.Has("att") {
 tags = append(tags, ociremote.AttestationTag)
 }
- return tags
+ return tags, nil
 }
diff --git a/cmd/cosign/cli/options/copy.go b/cmd/cosign/cli/options/copy.go
index 7f4d5f373ca..94081863715 100644
--- a/cmd/cosign/cli/options/copy.go
+++ b/cmd/cosign/cli/options/copy.go
@@ -35,7 +35,7 @@ func (o *CopyOptions) AddFlags(cmd *cobra.Command) {
 o.Registry.AddFlags(cmd)
 cmd.Flags().StringVar(&o.CopyOnly, "only", "",
- "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att")
+ "custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom")
 cmd.Flags().BoolVar(&o.SignatureOnly, "sig-only", false,
 "[DEPRECATED] only copy the image signature")
diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md
index 3ba371fa016..e531cb05c48 100644
--- a/doc/cosign_copy.md
+++ b/doc/cosign_copy.md
@@ -36,7 +36,7 @@ cosign copy [flags]
 -f, --force overwrite destination image(s), if necessary
 -h, --help help for copy
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
- --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att
+ --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom
 --platform string only copy container image and its signatures for a specific platform image
 --registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry
 --registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry