Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for verifying root checksum in cosign initialize #3953

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

bkabrda
Copy link
Contributor

@bkabrda bkabrda commented Dec 6, 2024

Summary

The motivation for this PR is explained in and closes #3946 - the ability to verify initial root checksum when downloading via a URL.

Some notes:

  • The DoInitialize function still works exactly the same; it's unused here, but may be used from elsewhere (like gitsign).
  • Once this PR is merged, I will send another one to utilize the new functionality in gitsign as well.
  • I wasn't sure what deprecation date to set here, so I'd be glad for advice.

Release Note

Add a new --root-checksum flag for cosign-initialize. This will ensure cosign verifies the checksum of the file provided via the --root argument before proceeding with initialization. Using this argument will be mandated in the future for initial root obtained from URL.

Documentation

I don't think this requires specific callout in docs, but do let me know if you think oterwise.

Copy link

codecov bot commented Dec 6, 2024

Codecov Report

Attention: Patch coverage is 47.91667% with 25 lines in your changes missing coverage. Please review.

Project coverage is 36.41%. Comparing base (2ef6022) to head (7bb0306).
Report is 243 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/initialize/init.go 0.00% 14 Missing ⚠️
pkg/blob/load.go 70.83% 5 Missing and 2 partials ⚠️
cmd/cosign/cli/options/initialize.go 0.00% 3 Missing ⚠️
cmd/cosign/cli/initialize.go 85.71% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3953      +/-   ##
==========================================
- Coverage   40.10%   36.41%   -3.69%     
==========================================
  Files         155      209      +54     
  Lines       10044    13426    +3382     
==========================================
+ Hits         4028     4889     +861     
- Misses       5530     7910    +2380     
- Partials      486      627     +141     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Signed-off-by: Slavek Kabrda <[email protected]>
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!


const RootWithoutChecksumDeprecation = "WARNING: Fetching initial root from URL " +
"without providing its checksum is deprecated and will be disallowed in " +
"a Cosing release soon after TODO. Please provide the initial root checksum " +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"a Cosing release soon after TODO. Please provide the initial root checksum " +
"a future Cosign release. Please provide the initial root checksum " +

@@ -36,4 +37,7 @@ func (o *InitializeOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.Root, "root", "",
"path to trusted initial root. defaults to embedded root")
_ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{})

cmd.Flags().StringVar(&o.RootChecksum, "root-checksum", "",
"checksum of the initial root, required if root is downloaded via http(s). expects sha512 by default, can be changed to sha256 by providing sha256:<checksum>")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we flip this and have sha256 as the default? sha512 is probably overkill.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Allow providing root.json checksum instead of a full root.json file for cosign initialize
2 participants