diff --git a/Dockerfile b/Dockerfile index 15927d991..9ca98bcae 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,31 +14,17 @@ # # SPDX-License-Identifier: Apache-2.0 -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3@sha256:bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5 AS downloads - -ARG TARGETOS -ARG TARGETARCH - -ARG COSIGN_VERSION - -ADD https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-${TARGETOS}-${TARGETARCH} /opt/ -ADD https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign_checksums.txt /opt/ - -RUN cd /opt && \ - sha256sum --check <(grep -w "cosign-${TARGETOS}-${TARGETARCH}" < cosign_checksums.txt) && \ - mv cosign-$TARGETOS-$TARGETARCH cosign && \ - chmod +x cosign - FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3@sha256:bc552efb4966aaa44b02532be3168ac1ff18e2af299d0fe89502a1d9fabafbc5 ARG TARGETOS ARG TARGETARCH -COPY --from=downloads /opt/cosign /usr/local/bin/ -RUN cosign version - RUN microdnf -y install git-core jq && microdnf clean all COPY "dist/ec_"$TARGETOS"_"$TARGETARCH /usr/bin/ec +# Add a cosign wrapper command to handle "cosign initialize" for backwards +# compatibility with older task definitions +COPY hack/fake-cosign.sh /usr/local/bin/cosign + ENTRYPOINT ["/usr/bin/ec"] diff --git a/Dockerfile.dist b/Dockerfile.dist index 5eac82650..6d3330350 100644 --- a/Dockerfile.dist +++ b/Dockerfile.dist 
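Review bot: Nothing at build time exercises the `cosign` entry in `/usr/local/bin` any more: the removed `RUN cosign version` was the only smoke test, and the wrapper installed by `COPY hack/fake-cosign.sh /usr/local/bin/cosign` depends on the build context keeping its executable bit and on `ec` being on PATH. Consider `COPY --chmod=0755 hack/fake-cosign.sh /usr/local/bin/cosign` (BuildKit) followed by `RUN cosign initialize --help`, which should only print help and need no network. The same applies to the `COPY --from=build /build/hack/fake-cosign.sh /usr/local/bin/cosign` hunk in Dockerfile.dist, where `cosign version` was dropped from the troubleshooting `RUN`. Separately, no `USER` instruction is visible in this Dockerfile's final stage, unlike Dockerfile.dist (`USER 1001`), so this image appears to run as root.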
@@ -68,69 +68,37 @@ COPY . . # a PR is merged. # RUN \ - EC_GIT_SHA=$( git rev-parse --short HEAD ); \ - echo "EC_GIT_SHA=$EC_GIT_SHA"; \ - \ - EC_VERSION="v0.2"; \ - echo "EC_VERSION=$EC_VERSION"; \ - \ - EC_BASE_TAG="${EC_VERSION}-patch-base"; \ - echo "EC_BASE_TAG=$EC_BASE_TAG"; \ - git log -n1 --format="%h %s" "$EC_BASE_TAG"; \ - \ - EC_PATCH_NUM=$( git rev-list --merges --count ${EC_BASE_TAG}..HEAD ); \ - echo "EC_PATCH_NUM=$EC_PATCH_NUM"; \ - \ - EC_FULL_VERSION="${EC_VERSION}.${EC_PATCH_NUM}"; \ - echo "EC_FULL_VERSION=$EC_FULL_VERSION"; \ - \ - BUILDS="${BUILD_LIST}"; \ - echo "BUILDS=$BUILDS"; \ - \ - for os_arch in ${BUILDS}; do \ - export GOOS="${os_arch%_*}"; \ - export GOARCH="${os_arch#*_}"; \ - [ "$GOOS" = "windows" ] && DOT_EXE=".exe" || DOT_EXE=""; \ - BINFILE="ec_${GOOS}_${GOARCH}${DOT_EXE}"; \ - echo "Building ${BINFILE} for ${EC_FULL_VERSION}"; \ - go build \ - -trimpath \ - --mod=readonly \ - -ldflags="-s -w -X github.com/enterprise-contract/ec-cli/internal/version.Version=${EC_FULL_VERSION}" \ - -o "dist/${BINFILE}"; \ - done - -# Extract this so we can download the matching cosign version below -RUN go list --mod=readonly -f '{{.Version}}' -m github.com/sigstore/cosign/v2 | tee cosign_version.txt - -## Downloads - -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4@sha256:2636170dc55a0931d013014a72ae26c0c2521d4b61a28354b3e2e5369fa335a3 AS download - -# Pull any fixes that may not have propagated to the parent image yet. Note that the --security flag -# is not used because sometimes a security fix is not marked as a security fix :( -RUN microdnf update --nodocs --setopt=keepcache=0 -y - -ARG TARGETOS -ARG TARGETARCH - -WORKDIR /download - -COPY --from=build /build/cosign_version.txt /download/ - -# Download the matching version of cosign -# IMPORTANT: The version of cosign is hard-coded here because the version of cosign from go.mod -# pulls in a version of docker that contains a CVE. 
In the go.mod we can make it use a patched -# version of the docker library. However, the pre-compiled version of cosign will not contain the -# docker fix. The lowest version of cosign that contains the docker fix is v2.4.0. Unfortunately, -# that version requires go 1.22 which is not yet supported in the build chain. Thus, we cannot -# update go.mod to use it. For this reason, we use a different cosign version here. -RUN COSIGN_VERSION='v2.4.0' && \ - curl -sLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-${TARGETOS}-${TARGETARCH} && \ - curl -sLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign_checksums.txt && \ - sha256sum --check <(grep -w "cosign-${TARGETOS}-${TARGETARCH}" < cosign_checksums.txt) && \ - mv "cosign-${TARGETOS}-${TARGETARCH}" cosign && \ - chmod +x cosign + EC_GIT_SHA=$( git rev-parse --short HEAD ); \ + echo "EC_GIT_SHA=$EC_GIT_SHA"; \ + \ + EC_VERSION="v0.2"; \ + echo "EC_VERSION=$EC_VERSION"; \ + \ + EC_BASE_TAG="${EC_VERSION}-patch-base"; \ + echo "EC_BASE_TAG=$EC_BASE_TAG"; \ + git log -n1 --format="%h %s" "$EC_BASE_TAG"; \ + \ + EC_PATCH_NUM=$( git rev-list --merges --count ${EC_BASE_TAG}..HEAD ); \ + echo "EC_PATCH_NUM=$EC_PATCH_NUM"; \ + \ + EC_FULL_VERSION="${EC_VERSION}.${EC_PATCH_NUM}"; \ + echo "EC_FULL_VERSION=$EC_FULL_VERSION"; \ + \ + BUILDS="${BUILD_LIST}"; \ + echo "BUILDS=$BUILDS"; \ + \ + for os_arch in ${BUILDS}; do \ + export GOOS="${os_arch%_*}"; \ + export GOARCH="${os_arch#*_}"; \ + [ "$GOOS" = "windows" ] && DOT_EXE=".exe" || DOT_EXE=""; \ + BINFILE="ec_${GOOS}_${GOARCH}${DOT_EXE}"; \ + echo "Building ${BINFILE} for ${EC_FULL_VERSION}"; \ + go build \ + -trimpath \ + --mod=readonly \ + -ldflags="-s -w -X github.com/enterprise-contract/ec-cli/internal/version.Version=${EC_FULL_VERSION}" \ + -o "dist/${BINFILE}"; \ + done ## Final image 
@@ -150,10 +118,9 @@ LABEL \ # Pull any fixes that may not have propagated to the parent image yet. Note that the --security flag # is not used because sometimes a security fix is not marked as a security fix :( -# Also, install cosign and other tools we want to use in the Tekton task +# Also, install other tools we want to use in the Tekton task RUN microdnf update --nodocs --setopt=keepcache=0 -y && \ - microdnf -y --nodocs --setopt=keepcache=0 install git-core jq -COPY --from=download /download/cosign /usr/local/bin/cosign + microdnf -y --nodocs --setopt=keepcache=0 install git-core jq # Copy all the binaries so they're available to extract and download # (Beware if you're testing this locally it will copy everything from @@ -167,6 +134,10 @@ RUN gzip /usr/local/bin/ec_* # Copy the one ec binary that can run in this container COPY --from=build "/build/dist/ec_${TARGETOS}_${TARGETARCH}" /usr/local/bin/ec +# Add a cosign wrapper command to handle "cosign initialize" for backwards +# compatibility with older task definitions +COPY --from=build /build/hack/fake-cosign.sh /usr/local/bin/cosign + # OpenShift preflight check requires a license COPY --from=build /build/LICENSE /licenses/LICENSE @@ -174,6 +145,6 @@ COPY --from=build /build/LICENSE /licenses/LICENSE USER 1001 # Show some version numbers for troubleshooting purposes -RUN git version && jq --version && cosign version && ec version && ls -l /usr/local/bin +RUN git version && jq --version && ec version && ls -l /usr/local/bin ENTRYPOINT ["/usr/local/bin/ec"] diff --git a/cmd/root.go b/cmd/root.go index 7136bf2a4..04027004d 100644 --- a/cmd/root.go +++ b/cmd/root.go 
@@ -25,6 +25,7 @@ import (
 "github.com/enterprise-contract/ec-cli/cmd/inspect"
 "github.com/enterprise-contract/ec-cli/cmd/opa"
 "github.com/enterprise-contract/ec-cli/cmd/root"
+ "github.com/enterprise-contract/ec-cli/cmd/sigstore"
 "github.com/enterprise-contract/ec-cli/cmd/test"
 "github.com/enterprise-contract/ec-cli/cmd/track"
 "github.com/enterprise-contract/ec-cli/cmd/validate"
@@ -51,6 +52,7 @@ func init() {
 RootCmd.AddCommand(validate.ValidateCmd)
 RootCmd.AddCommand(version.VersionCmd)
 RootCmd.AddCommand(opa.OPACmd)
+ RootCmd.AddCommand(sigstore.SigstoreCmd)
 if utils.Experimental() {
 RootCmd.AddCommand(test.TestCmd)
 }
diff --git a/cmd/sigstore/initialize.go b/cmd/sigstore/initialize.go
new file mode 100644
index 000000000..75f02aea5
--- /dev/null
+++ b/cmd/sigstore/initialize.go
@@ -0,0 +1,77 @@
+// Copyright The Enterprise Contract Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sigstore
+
+import (
+ "context"
+
+ hd "github.com/MakeNowJust/heredoc"
+ "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+ "github.com/spf13/cobra"
+)
+
+type sigstoreInitializeFunc func(ctx context.Context, root, mirror string) error
+
+func sigstoreInitializeCmd(f sigstoreInitializeFunc) *cobra.Command {
+
+ opts := &options.InitializeOptions{}
+
+ cmd := &cobra.Command{
+ Use: "initialize",
+ Short: "Initializes Sigstore root to retrieve trusted certificate and key targets for verification",
+
+ Long: hd.Doc(`
+ Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
+
+ The following options are used by default:
+ - The current trusted Sigstore TUF root is embedded inside ec at the time of release.
+ - Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.
+
+ To provide an out-of-band trusted initial root.json, use the --root flag with a file or
+ URL reference. This will enable you to point ec to a separate TUF root.
+
+ Any updated TUF repository will be written to $HOME/.sigstore/root/.
+
+ Trusted keys and certificate used in ec verification (e.g. verifying Fulcio issued certificates
+ with Fulcio root CA) are pulled form the trusted metadata.
+
+ This command is mostly a wrapper around "cosign initialize".
+ `),
+
+ Example: hd.Doc(`
+ ec initialize -mirror -out
+
+ Initialize root with distributed root keys, default mirror, and default out path.
+ ec initialize
+
+ Initialize with an out-of-band root key file, using the default mirror.
+ ec initialize -root
+
+ Initialize with an out-of-band root key file and custom repository mirror.
+ ec initialize -mirror -root
+ `),
+
+ Args: cobra.NoArgs,
+ RunE: func(cmd *cobra.Command, _ []string) error {
+ return f(cmd.Context(), opts.Root, opts.Mirror)
+ },
+ }
+
+ opts.AddFlags(cmd)
+
+ return cmd
+}
diff --git a/cmd/sigstore/initialize_test.go b/cmd/sigstore/initialize_test.go
new file mode 100644
index 000000000..033fe917d
--- /dev/null
+++ b/cmd/sigstore/initialize_test.go
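Review bot: In cmd/sigstore/initialize.go, `opts.AddFlags(cmd)` registers every flag that the vendored cosign `InitializeOptions` defines, but `RunE` forwards only `opts.Root` and `opts.Mirror`, so a flag gained through a later cosign bump would be accepted on the command line and silently ignored. For a command that sets the TUF trust anchor that matters, because a user could believe an integrity-related option took effect; a comment above the call such as `// Only --root and --mirror reach f; re-check InitializeOptions on every cosign bump` would record the constraint. The Example text shows `ec initialize` with single-dash `-mirror`, `-root` and `-out`, while the command is `ec sigstore initialize` and the generated options page lists only `--mirror` and `--root`. Since `--root` accepts a URL, the Long text could also add `The initial root must come from a source you trust; it anchors all later verification.`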
@@ -0,0 +1,83 @@
+// Copyright The Enterprise Contract Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build unit
+
+package sigstore
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/enterprise-contract/ec-cli/cmd/root"
+)
+
+func TestInitializeCmd(t *testing.T) {
+ cases := []struct {
+ name string
+ args []string
+ expectedRoot string
+ expectedMirror string
+ }{
+ {
+ name: "no args",
+ expectedMirror: "https://tuf-repo-cdn.sigstore.dev",
+ },
+ {
+ name: "with root",
+ args: []string{"--root", "/some/path/root.json"},
+ expectedRoot: "/some/path/root.json",
+ expectedMirror: "https://tuf-repo-cdn.sigstore.dev",
+ },
+ {
+ name: "with mirror",
+ args: []string{"--mirror", "https://tuf.local"},
+ expectedMirror: "https://tuf.local",
+ },
+ {
+ name: "with root and mirror",
+ args: []string{"--root", "/some/path/root.json", "--mirror", "https://tuf.local"},
+ expectedRoot: "/some/path/root.json",
+ expectedMirror: "https://tuf.local",
+ },
+ }
+
+ for _, tt := range cases {
+ t.Run(tt.name, func(t *testing.T) {
+ initF := func(ctx context.Context, root, mirror string) error {
+ require.Equal(t, tt.expectedRoot, root)
+ require.Equal(t, tt.expectedMirror, mirror)
+ return nil
+ }
+
+ sigInitCmd := sigstoreInitializeCmd(initF)
+
+ sigCmd := NewSigstoreCmd()
+ sigCmd.AddCommand(sigInitCmd)
+
+ rootCmd := root.NewRootCmd()
+ rootCmd.AddCommand(sigCmd)
+
+ rootCmd.SetContext(context.Background())
+ rootCmd.SetArgs(append([]string{"sigstore", "initialize"}, tt.args...))
+
+ err := rootCmd.Execute()
+ require.NoError(t, err)
+ })
+ }
+}
diff --git a/cmd/sigstore/sigstore.go b/cmd/sigstore/sigstore.go
new file mode 100644
index 000000000..07b0fd6dd
--- /dev/null
+++ b/cmd/sigstore/sigstore.go
@@ -0,0 +1,39 @@
+// Copyright The Enterprise Contract Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sigstore
+
+import (
+ "github.com/sigstore/cosign/v2/cmd/cosign/cli/initialize"
+ "github.com/spf13/cobra"
+
+ _ "github.com/enterprise-contract/ec-cli/internal/rego"
+)
+
+var SigstoreCmd *cobra.Command
+
+func init() {
+ SigstoreCmd = NewSigstoreCmd()
+ SigstoreCmd.AddCommand(sigstoreInitializeCmd(initialize.DoInitialize))
+}
+
+func NewSigstoreCmd() *cobra.Command {
+ sigstoreCmd := &cobra.Command{
+ Use: "sigstore",
+ Short: "Perform certain sigstore operations",
+ }
+ return sigstoreCmd
+}
diff --git a/docs/modules/ROOT/pages/ec_sigstore.adoc b/docs/modules/ROOT/pages/ec_sigstore.adoc
new file mode 100644
index 000000000..c8c91f8ca
--- /dev/null
+++ b/docs/modules/ROOT/pages/ec_sigstore.adoc
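Review bot: In cmd/sigstore/initialize_test.go every assertion on `root` and `mirror` lives inside the injected `initF`, so if the command wiring ever stops calling `f`, `rootCmd.Execute()` still returns nil and all four cases pass without checking anything. Recording the call closes that gap: declare `called := false` before `initF`, set `called = true` as its first statement, and add `require.True(t, called)` after `require.NoError(t, err)`. Because this command sets the trust root used for verification, a test that can pass vacuously is worth tightening.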
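Review bot: In cmd/sigstore/sigstore.go the blank import `_ "github.com/enterprise-contract/ec-cli/internal/rego"` carries no comment, and nothing visible in this package refers to rego, so it is unclear which init-time side effect the sigstore command relies on. If it was carried over from another command package it can probably be dropped; otherwise a line such as `// imported for its init() side effects: <reason>` above it would tell the next maintainer why it must stay. The exported `SigstoreCmd` and `NewSigstoreCmd` also have no doc comments, which Go convention expects for exported identifiers.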
@@ -0,0 +1,19 @@ += ec sigstore + +Perform certain sigstore operations +== Options + +-h, --help:: help for sigstore (Default: false) + +== Options inherited from parent commands + +--debug:: same as verbose but also show function names and line numbers (Default: false) +--kubeconfig:: path to the Kubernetes config file to use +--quiet:: less verbose output (Default: false) +--timeout:: max overall execution duration (Default: 5m0s) +--trace:: enable trace logging (Default: false) +--verbose:: more verbose output (Default: false) + +== See also + + * xref:ec.adoc[ec - Enterprise Contract CLI] diff --git a/docs/modules/ROOT/pages/ec_sigstore_initialize.adoc b/docs/modules/ROOT/pages/ec_sigstore_initialize.adoc new file mode 100644 index 000000000..860686096 --- /dev/null +++ b/docs/modules/ROOT/pages/ec_sigstore_initialize.adoc 
@@ -0,0 +1,55 @@ += ec sigstore initialize + +Initializes Sigstore root to retrieve trusted certificate and key targets for verification== Synopsis + +Initializes Sigstore root to retrieve trusted certificate and key targets for verification. + +The following options are used by default: +- The current trusted Sigstore TUF root is embedded inside ec at the time of release. +- Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev. + +To provide an out-of-band trusted initial root.json, use the --root flag with a file or +URL reference. This will enable you to point ec to a separate TUF root. + +Any updated TUF repository will be written to $HOME/.sigstore/root/. + +Trusted keys and certificate used in ec verification (e.g. verifying Fulcio issued certificates +with Fulcio root CA) are pulled form the trusted metadata. + +This command is mostly a wrapper around "cosign initialize". + +[source,shell] +---- +ec sigstore initialize [flags] +---- + +== Examples +ec initialize -mirror -out + +Initialize root with distributed root keys, default mirror, and default out path. +ec initialize + +Initialize with an out-of-band root key file, using the default mirror. +ec initialize -root + +Initialize with an out-of-band root key file and custom repository mirror. +ec initialize -mirror -root + +== Options + +-h, --help:: help for initialize (Default: false) +--mirror:: GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (Default: https://tuf-repo-cdn.sigstore.dev) +--root:: path to trusted initial root. 
defaults to embedded root + +== Options inherited from parent commands + +--debug:: same as verbose but also show function names and line numbers (Default: false) +--kubeconfig:: path to the Kubernetes config file to use +--quiet:: less verbose output (Default: false) +--timeout:: max overall execution duration (Default: 5m0s) +--trace:: enable trace logging (Default: false) +--verbose:: more verbose output (Default: false) + +== See also + + * xref:ec_sigstore.adoc[ec sigstore - Perform certain sigstore operations] diff --git a/features/__snapshots__/task_validate_image.snap b/features/__snapshots__/task_validate_image.snap index 1b6bdecf3..6d605df18 100755 --- a/features/__snapshots__/task_validate_image.snap +++ b/features/__snapshots__/task_validate_image.snap @@ -282,7 +282,6 @@ ${TIMESTAMP} Skipping step because a previous step failed [Initialize TUF fails:initialize-tuf - 1] Initializing TUF root... Error: Get "http://tuf.invalid/root.json": dial tcp: lookup tuf.invalid on 10.96.0.10:53: no such host -main.go:74: error during command execution: Get "http://tuf.invalid/root.json": dial tcp: lookup tuf.invalid on 10.96.0.10:53: no such host --- diff --git a/go.mod b/go.mod index b532c2c81..36a4b08fa 100644 --- a/go.mod +++ b/go.mod 
@@ -281,14 +281,14 @@ require ( github.com/zclconf/go-cty v1.14.1 // indirect go.mongodb.org/mongo-driver v1.13.1 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 // indirect - go.opentelemetry.io/otel v1.22.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect - go.opentelemetry.io/otel/metric v1.22.0 // indirect - go.opentelemetry.io/otel/sdk v1.22.0 // indirect - go.opentelemetry.io/otel/trace v1.22.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/otel v1.24.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 // indirect + go.opentelemetry.io/otel/metric v1.24.0 // indirect + go.opentelemetry.io/otel/sdk v1.24.0 // indirect + go.opentelemetry.io/otel/trace v1.24.0 // indirect go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.step.sm/crypto v0.42.1 // indirect go.uber.org/atomic v1.11.0 // indirect diff --git a/go.sum b/go.sum index a428edc4b..e6f5b02c8 100644 --- a/go.sum +++ b/go.sum 
@@ -431,8 +431,6 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= -github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= @@ -517,8 +515,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.m github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= 
@@ -1214,22 +1210,22 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0 h1:UNQQKPfTDe1J81ViolILjTKPr9WetKW6uei2hFgJmFs= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.47.0/go.mod h1:r9vWsPS/3AQItv3OSlEJ/E4mbrhUbbw18meOjArPtKQ= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0 h1:sv9kVfal0MK0wBMCOGr+HeJm9v803BkJxGrk2au7j08= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.47.0/go.mod h1:SK2UL73Zy1quvRPonmOmRDiWk1KBV3LyIeeIxcEApWw= -go.opentelemetry.io/otel v1.22.0 h1:xS7Ku+7yTFvDfDraDIJVpw7XPyuHlB9MCiqqX5mcJ6Y= -go.opentelemetry.io/otel v1.22.0/go.mod h1:eoV4iAi3Ea8LkAEI9+GFT44O6T/D0GWAVFyZVCC6pMI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0= -go.opentelemetry.io/otel/metric v1.22.0 h1:lypMQnGyJYeuYPhOM/bgjbFM6WE44W1/T45er4d8Hhg= -go.opentelemetry.io/otel/metric v1.22.0/go.mod h1:evJGjVpZv0mQ5QBRJoBF64yMuOf4xCWdXjK8pzFvliY= -go.opentelemetry.io/otel/sdk v1.22.0 h1:6coWHw9xw7EfClIC/+O31R8IY3/+EiRFHevmHafB2Gw= -go.opentelemetry.io/otel/sdk v1.22.0/go.mod h1:iu7luyVGYovrRpe2fmj3CVKouQNdTOkxtLzPvPz1DOc= -go.opentelemetry.io/otel/trace v1.22.0 h1:Hg6pPujv0XG9QaVbGOBVHunyuLcCC3jN7WEhPx83XD0= -go.opentelemetry.io/otel/trace v1.22.0/go.mod 
h1:RbbHXVqKES9QhzZq/fE5UnOSILqRt40a21sPw2He1xo= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= +go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0 h1:9M3+rhx7kZCIQQhQRYaZCdNu1V73tm4TvXs2ntl98C4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.22.0/go.mod h1:noq80iT8rrHP1SfybmPiRGc9dc5M8RPmGvtwo7Oo7tc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0 h1:H2JFgRcGiyHg7H7bwcwaQJYrNFqCqrbTQ8K4p1OvDu8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.22.0/go.mod h1:WfCWp1bGoYK8MeULtI15MmQVczfR+bFkk0DF3h06QmQ= +go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI= +go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco= +go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= +go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= +go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI= +go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod 
h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= diff --git a/hack/fake-cosign.sh b/hack/fake-cosign.sh new file mode 100755 index 000000000..7eeebcc86 --- /dev/null +++ b/hack/fake-cosign.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# For backwards compatibility with older task definitions that might still +# try to run `cosign initialize` + +set -euo pipefail + +if [ "${1:-""}" != "initialize" ]; then + echo "Wrapper script supports cosign initialize only!" + exit 1 +fi + +ec sigstore "$@"
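Review bot: The last line of hack/fake-cosign.sh runs `ec` as a child of bash instead of replacing it; `exec ec sigstore "$@"` would hand the process over so that signals from the task runner and the exit status go straight to `ec`. The rejection message is written to stdout, where a step that captures output could mistake it for data; `echo "Wrapper script supports cosign initialize only!" >&2` keeps it on stderr. `ec` is resolved through PATH, presumably on purpose because the two images install it in different directories (`/usr/bin/ec` and `/usr/local/bin/ec`), and a one-line comment saying so would make that explicit.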