
Yubikey management CLI #213

Merged
merged 1 commit into from
Apr 9, 2021

Conversation

dlorenc
Member

@dlorenc dlorenc commented Apr 3, 2021

This adds a new set of subcommands for working with PIV tokens. They currently live under: cosign piv-tool

Right now we have:

cosign piv-tool set-management-key
cosign piv-tool set-puk
cosign piv-tool set-pin
cosign piv-tool unblock
cosign piv-tool generate-key
cosign piv-tool attestation

They seem to work pretty well! Before merging, I want to do a bit more work on the UX itself, including:

  • Better prompting to avoid needing to pass the PINs, PUKs and management keys on the command line when possible
  • The management key is 24 bytes long; we should probably allow people to pass in a base64-encoded string, or pipe in /dev/random or something
  • We might want a mode to generate a random management key in the tool rather than using a user-provided one (and then optionally display it or throw it away!)
  • If we throw the key away as above, we should probably have an all-in-one command to set the key to a random value, use that to generate a signing key and then throw it away
  • I think we still need a full "reset" command

Then a "nice to have" would be a way to disable OTP on the keys :) They get angry when accidentally pressed.

Also, tests and stuff probably.

Signed-off-by: Dan Lorenc <dlorenc@google.com>
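The TODO list above asks for three things around the 24-byte management key: accept it as an encoded string instead of raw bytes on the command line, optionally generate it randomly inside the tool, and avoid weak values. The following is an added example written for this page, not code from the PR or from cosign: it generates a key with crypto/rand, encodes it as base64, parses a user-supplied key in either hex or base64 with a strict length check, and flags the documented YubiKey factory default (`010203040506070801020304050607080102030405060708`), which an operator should never leave in place. The package and function names are assumptions for the example.

```go
// Example management-key helpers for a PIV tool (illustrative, not cosign's code).
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ManagementKeyLen is the length of a PIV 3DES management key in bytes.
const ManagementKeyLen = 24

// defaultManagementKey is the factory default YubiKey PIV management key
// (010203040506070801020304050607080102030405060708). Leaving it unchanged
// lets anyone with the token generate keys or import certificates.
var defaultManagementKey = []byte{
	1, 2, 3, 4, 5, 6, 7, 8,
	1, 2, 3, 4, 5, 6, 7, 8,
	1, 2, 3, 4, 5, 6, 7, 8,
}

// ErrBadLength is returned when a decoded key is not exactly 24 bytes.
var ErrBadLength = errors.New("management key must be exactly 24 bytes")

// GenerateManagementKey returns 24 bytes from the OS CSPRNG, so the tool
// never has to take a human-chosen key on the command line.
func GenerateManagementKey() ([]byte, error) {
	k := make([]byte, ManagementKeyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, fmt.Errorf("reading random bytes: %w", err)
	}
	return k, nil
}

// EncodeManagementKey renders a key in the base64 form a user can pass back
// in (24 bytes always encode to 32 base64 characters).
func EncodeManagementKey(k []byte) string {
	return base64.StdEncoding.EncodeToString(k)
}

// ParseManagementKey accepts either 48 hex characters or standard base64.
// The two forms cannot collide: a 24-byte key is 48 hex chars but 32 base64
// chars, and 48 base64 chars would decode to 36 bytes and fail the length check.
func ParseManagementKey(s string) ([]byte, error) {
	s = strings.TrimSpace(s)
	var (
		k   []byte
		err error
	)
	if len(s) == 2*ManagementKeyLen {
		k, err = hex.DecodeString(s)
		if err != nil {
			k, err = base64.StdEncoding.DecodeString(s)
		}
	} else {
		k, err = base64.StdEncoding.DecodeString(s)
	}
	if err != nil {
		return nil, fmt.Errorf("management key is neither hex nor base64: %w", err)
	}
	if len(k) != ManagementKeyLen {
		return nil, fmt.Errorf("%w, got %d", ErrBadLength, len(k))
	}
	return k, nil
}

// IsDefaultManagementKey reports whether k is the factory default. Constant-time
// comparison is used out of habit for secret material, though the default is public.
func IsDefaultManagementKey(k []byte) bool {
	return len(k) == ManagementKeyLen &&
		subtle.ConstantTimeCompare(k, defaultManagementKey) == 1
}

func main() {
	k, err := GenerateManagementKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("generated management key (base64):", EncodeManagementKey(k))

	// Constructed input: the factory default in hex, as an operator might paste it.
	parsed, err := ParseManagementKey("010203040506070801020304050607080102030405060708")
	if err != nil {
		panic(err)
	}
	fmt.Println("supplied key is the factory default:", IsDefaultManagementKey(parsed))
}
```

A tool following this pattern would refuse to set the default key, and in the "generate and throw away" mode would call GenerateManagementKey, use the result once to create the signing key, and then drop it without ever printing it.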

@dlorenc dlorenc force-pushed the piv-key branch 13 times, most recently from bd3edd1 to ef42693 April 9, 2021 14:31
@dlorenc dlorenc changed the title WIP Yubikey management CLI Yubikey management CLI Apr 9, 2021
@dlorenc
Member Author

dlorenc commented Apr 9, 2021

Removing the WIP! This is good to go.

We can track the remaining TODOs (including actual signing support) in #108

Contributor

@priyawadhwa priyawadhwa left a comment


LGTM!! 🗝️ 💯

```go
import (
	"testing"

	// Import the functions directly for testing.
	. "github.com/sigstore/cosign/cmd/cosign/cli/pivcli"
)
```
Contributor


cool i haven't seen this before!

test/piv_test.go
Signed-off-by: Dan Lorenc <dlorenc@google.com>
@dlorenc dlorenc merged commit 5364540 into sigstore:main Apr 9, 2021
@dlorenc dlorenc deleted the piv-key branch April 9, 2021 21:10
@cpanato cpanato added this to the 0.3.0 milestone Apr 11, 2021
lcarva pushed a commit to lcarva/cosign that referenced this pull request Sep 10, 2024
* fix(SECURESIGN-1179): include version metadata

The konflux build does not include all the necessary metadata for the
`cosign version` command. This change should ensure that the command
produces the correct information.

Signed-off-by: Lance Ball <lball@redhat.com>

* chore: remove k8s v1.24 from e2e tests

The upstream has completely refactored the e2e tests. We have not pulled
those changes in due to the fact that they haven't been included in a
released version yet. However, since the last pull from upstream, k8s
v1.24 is no longer supported in the version of kind being used in the
tests. This commit removes that version from the tests but otherwise
leaves them unchanged.

Signed-off-by: Lance Ball <lball@redhat.com>

* chore: update image for whitespace check

Signed-off-by: Lance Ball <lball@redhat.com>

---------

Signed-off-by: Lance Ball <lball@redhat.com>