fix: package publishing an already signed package (#2077)

## Description This fixes an issue with attempting to publish an already signed package through the CLI. ## Related Issue Fixes #N/A ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Lucas Rodriguez <[email protected]>
zarf-dev · Oct 26, 2023 · 168d085 · 168d085
1 parent 1926a21
commit 168d085
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 17 deletions.
diff --git a/.github/actions/slack/action.yaml b/.github/actions/slack/action.yaml
@@ -13,26 +13,26 @@ runs:
       with:
         payload: |
           {
-            "text": "The GitHub Action Workflow **'${{ github.workflow }}'** had a result of: `${{ job.status }}`.",
+            "text": "The GitHub Workflow *'${{ github.workflow }}'* had a result of: `${{ job.status }}`.\n\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Action Log>",
             "blocks": [
               {
                 "type": "section",
                 "text": {
                   "type": "mrkdwn",
-                  "text": "The GitHub Action Workflow **'${{ github.workflow }}'** had a result of: `${{ job.status }}`."
+                  "text": "The GitHub Workflow *'${{ github.workflow }}'* had a result of: `${{ job.status }}`."
                 }
               },
               {
                 "type": "section",
                 "text": {
                   "type": "mrkdwn",
-                  "text": "View Workflow Run"
+                  "text": " "
                 },
                 "accessory": {
                   "type": "button",
                   "text": {
                     "type": "plain_text",
-                    "text": "Click Me",
+                    "text": "View Action Log",
                     "emoji": true
                   },
                   "value": "click_me_workflow_run",
@@ -44,3 +44,4 @@ runs:
           }
       env:
         SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}
+        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
diff --git a/docs/2-the-zarf-cli/100-cli-commands/zarf_package_publish.md b/docs/2-the-zarf-cli/100-cli-commands/zarf_package_publish.md
@@ -22,16 +22,17 @@ zarf package publish { PACKAGE_SOURCE | SKELETON DIRECTORY } REPOSITORY [flags]
 ## Options
 
 ```
-  -h, --help              help for publish
-  -k, --key string        Path to private key file for signing packages
-      --key-pass string   Password to the private key file used for publishing packages
+  -h, --help                      help for publish
+      --signing-key string        Path to a private key file for signing or re-signing packages with a new key
+      --signing-key-pass string   Password to the private key file used for publishing packages
 ```
 
 ## Options inherited from parent commands
 
 ```
   -a, --architecture string   Architecture for OCI images and Zarf packages
       --insecure              Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -k, --key string            Path to public key file for validating signed packages
   -l, --log-level string      Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
       --no-color              Disable colors in output
       --no-log-file           Disable log file creation

diff --git a/src/cmd/package.go b/src/cmd/package.go
@@ -410,8 +410,8 @@ func bindRemoveFlags(v *viper.Viper) {
 
 func bindPublishFlags(v *viper.Viper) {
 	publishFlags := packagePublishCmd.Flags()
-	publishFlags.StringVarP(&pkgConfig.PublishOpts.SigningKeyPath, "key", "k", v.GetString(common.VPkgPublishSigningKey), lang.CmdPackagePublishFlagSigningKey)
-	publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPassword, "key-pass", v.GetString(common.VPkgPublishSigningKeyPassword), lang.CmdPackagePublishFlagSigningKeyPassword)
+	publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPath, "signing-key", v.GetString(common.VPkgPublishSigningKey), lang.CmdPackagePublishFlagSigningKey)
+	publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPassword, "signing-key-pass", v.GetString(common.VPkgPublishSigningKeyPassword), lang.CmdPackagePublishFlagSigningKeyPassword)
 }
 
 func bindPullFlags(v *viper.Viper) {

diff --git a/src/config/lang/english.go b/src/config/lang/english.go
@@ -288,7 +288,7 @@ const (
 	# Publish a skeleton package to a remote registry
 	zarf package publish ./path/to/dir oci://my-registry.com/my-namespace
 `
-	CmdPackagePublishFlagSigningKey         = "Path to private key file for signing packages"
+	CmdPackagePublishFlagSigningKey         = "Path to a private key file for signing or re-signing packages with a new key"
 	CmdPackagePublishFlagSigningKeyPassword = "Password to the private key file used for publishing packages"
 	CmdPackagePublishErr                    = "Failed to publish package: %s"
 

diff --git a/src/pkg/packager/publish.go b/src/pkg/packager/publish.go
@@ -26,7 +26,7 @@ import (
 // Publish publishes the package to a registry
 func (p *Packager) Publish() (err error) {
 	_, isOCISource := p.source.(*sources.OCISource)
-	if isOCISource {
+	if isOCISource && p.cfg.PublishOpts.SigningKeyPath == "" {
 		ctx := context.TODO()
 		// oci --> oci is a special case, where we will use oci.CopyPackage so that we can transfer the package
 		// w/o layers touching the filesystem

diff --git a/src/test/nightly/ecr_publish_test.go b/src/test/nightly/ecr_publish_test.go
@@ -56,7 +56,7 @@ func TestECRPublishing(t *testing.T) {
 	require.FileExists(t, testPackageLocation)
 
 	// Validate that we can publish the package to ECR without an issue
-	stdOut, stdErr, err = e2e.Zarf("package", "publish", testPackageLocation, registryURL)
+	stdOut, stdErr, err = e2e.Zarf("package", "publish", testPackageLocation, registryURL, keyFlag)
 	require.NoError(t, err, stdOut, stdErr)
 
 	// Ensure we get a warning when trying to inspect the online published package
@@ -65,12 +65,8 @@ func TestECRPublishing(t *testing.T) {
 	require.Contains(t, stdErr, "Checksums validated!")
 	require.Contains(t, stdErr, "Package signature validated!")
 
-	// Ensure we get an error when trying to pull the package without providing the public key
-	stdOut, stdErr, err = e2e.Zarf("package", "pull", upstreamPackageURL)
-	require.Error(t, err, stdOut, stdErr) //TODO: look for a specific error instead of just allowing ANY error
-
 	// Validate that we can pull the package down from ECR
-	stdOut, stdErr, err = e2e.Zarf("package", "pull", upstreamPackageURL, keyFlag)
+	stdOut, stdErr, err = e2e.Zarf("package", "pull", upstreamPackageURL)
 	require.NoError(t, err, stdOut, stdErr)
 	defer e2e.CleanFiles(testPackageFileName)