-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for verifying root checksum in cosign initialize #3953
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Slavek Kabrda <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3953 +/- ##
==========================================
- Coverage 40.10% 36.41% -3.69%
==========================================
Files 155 209 +54
Lines 10044 13426 +3382
==========================================
+ Hits 4028 4889 +861
- Misses 5530 7910 +2380
- Partials 486 627 +141 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Slavek Kabrda <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
|
||
const RootWithoutChecksumDeprecation = "WARNING: Fetching initial root from URL " + | ||
"without providing its checksum is deprecated and will be disallowed in " + | ||
"a Cosing release soon after TODO. Please provide the initial root checksum " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"a Cosing release soon after TODO. Please provide the initial root checksum " + | |
"a future Cosign release. Please provide the initial root checksum " + |
@@ -36,4 +37,7 @@ func (o *InitializeOptions) AddFlags(cmd *cobra.Command) { | |||
cmd.Flags().StringVar(&o.Root, "root", "", | |||
"path to trusted initial root. defaults to embedded root") | |||
_ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{}) | |||
|
|||
cmd.Flags().StringVar(&o.RootChecksum, "root-checksum", "", | |||
"checksum of the initial root, required if root is downloaded via http(s). expects sha512 by default, can be changed to sha256 by providing sha256:<checksum>") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we flip this and have sha256 as the default? sha512 is probably overkill.
Summary
The motivation for this PR is explained in and closes #3946 - the ability to verify initial root checksum when downloading via a URL.
Some notes:
DoInitialize
function still works exactly the same; it's unused here, but may be used from elsewhere (like gitsign).Release Note
Add a new
--root-checksum
flag forcosign-initialize
. This will ensure cosign verifies the checksum of the file provided via the--root
argument before proceeding with initialization. Using this argument will be mandated in the future for initial root obtained from URL.Documentation
I don't think this requires specific callout in docs, but do let me know if you think oterwise.