
Added support for attaching cert and cert chain in attach command Git… #2602

Merged
merged 13 commits into from
Feb 17, 2023

Conversation

Mukuls77 (Contributor) commented Jan 7, 2023

… Issue: 2267

Summary

Explain the motivation for making this change. What existing problem does the pull request solve? How can reviewers test this PR?
The motivation behind this pull request is to support cosign usage with a company private CA.
The use case we want to implement is as follows.
Signer side

  1. The company has an existing private PKI setup.
  2. The signer fetches the payload of the artifact from the registry and submits it to the company private CA.
  3. The private CA signs the payload and returns the base64-formatted signature, leaf certificate and cert chain.
  4. The signer now uses the enhanced cosign attach command (due to this PR) to attach the cert and cert chain along with the payload and signature in the registry.
  5. The signer shares the root cert with clients (verifiers) out of band.

Verifier side

  6. The verifier uses the root cert provided out of band to verify the cert chain -> cert -> signature using the enhanced verify command (due to this PR).

Release Note

Add a release note for each of the following conditions:

  • Config changes (additions, deletions, updates)
    The following files have been modified to include the PR changes:
    1. cmd\cosign\cli\options\attach.go
       Enhanced the AttachSignatureOptions structure to include cert and cert chain.
       Enhanced the AddFlags function to include cert and cert chain options.
    2. cmd\cosign\cli\attach.go
       Enhanced the attach module function SignatureCmd to pass cert and cert chain as arguments.
    3. cmd\cosign\cli\attach\sig.go
       Enhanced the SignatureCmd function to mutate the signature with cert and cert chain.
    4. cmd\cosign\cli\options\certificate.go
       Enhanced the CertVerifyOptions structure to include RootCert.
       Enhanced the AddFlags function to include the root-cert option.
    5. cmd\cosign\cli\verify.go
       Added a print to show root-cert argument usage.
       Enhanced the VerifyCommand function to pass root-cert as an argument.
    6. cmd\cosign\cli\verify\verify.go
       Enhanced the VerifyCommand structure to include the root-cert option.
       Enhanced the Verify command Exec function with the following:
       a) Allowed the user to pass just root-cert as a single option in the verify command.
       b) Added logic to extract the root cert from a local file.
       c) Created a new variable to identify PKI-based verification; this variable is used later to print the output.
       d) Invoked a new print function for PKI-based verification.
  • API additions—new endpoint, new response fields, or newly accepted request parameters
    1. New parameters have been introduced in the attach command to provide the cert and cert chain along with the existing payload and signature input parameters.
       The updated command looks like this:
       cosign attach signature --signature --payload --cert --cert-chain
       The new arguments introduced are:
       --certificate string path to the X.509 certificate in PEM format to include in the OCI Signature
       --certificate-chain string path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
    2. A new parameter is introduced in the verify command to provide the root certificate.
       The updated command looks like this (verify an image with a local root certificate):
       cosign verify --root-cert root.crt
       In the case of a private CA, transparency logging and SCT verification are not applicable, so the verify command should include the ignore options for tlog and SCT, as shown below:
       cosign verify --root-cert --insecure-ignore-sct --insecure-skip-tlog-verify
  • Database changes (any): No changes done in the database.
  • Websocket additions or changes: No changes done in Websocket.
  • Anything noteworthy to an administrator running private sigstore instances (err on the side of over-communicating): Nothing.
  • New features and improvements, including behavioral changes, UI changes and CLI changes
    Two new features are introduced:
    1. Support for attaching the cert and cert chain in the attach command. The updated CLI command is:
       cosign attach signature --signature --payload --cert --cert-chain
    2. Verifying the image using a local root certificate. The updated CLI command is:
       cosign verify --root-cert --insecure-ignore-sct --insecure-skip-tlog-verify
  • Bug fixes and fixes of previous known issues: None.
  • Deprecation warnings, breaking changes, or compatibility notes
    The two features for transparency log and Signed Certificate Timestamp would not be applicable when the user is using a private PKI, so when using the --root-cert option in verify we need to use the ignore options for tlog and SCT verification.

Documentation

Does this change require an update to documentation? How will users implement your new feature?
As part of this feature we have introduced new input arguments in the attach and verify commands, so documentation related to these commands may need to be updated.

Mukuls77 (Contributor, Author) commented Jan 7, 2023

The pull request provides the fix for the bug
#2267
It also provides an enhancement to the verify command to verify the cert chain -> cert -> signature using a root certificate.

@@ -182,7 +184,30 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
keyRef := c.KeyRef
certRef := c.CertRef

if !c.IgnoreSCT {

Contributor


We should have some tests for this.

Contributor Author


Hi, I have performed the following test in an end-to-end setup.
Payload file used: payload.json

{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":null}

Signed base64 signature file: payload64.sig
IfuEJzvBkypcSiNKmljQuerhwkz3lNh5R3yHJB+GEMteDTtnJ4FV+gOUk2KPnuP688IMwH2xtWqB
KvOrBlPjtnEWtW0bWYgMetcYW38tW0xzQpKjvQQRlb2Yp9q4pswdVesJCIKfiRgo6nKZIod22osx
0B1eXY0DlLysnQ8NQkYcM94NeJYJUOO2B8Hl+GBJpy/N4isQaCL6c7s8q+Gd/SQAjFfr8VjQrgWq
TbwgvhUDunikdcqAwfJZBhpOej3oOf3GgEcmpAsQaw0A8r3wE2FCDD52weIlSarjvHOifpHUIbUk
U4564d78u7cW+diiAhKNQCZTEmukiyFlmv3RbA==

Leaf Certificate: LeafCA.crt

-----BEGIN CERTIFICATE-----
MIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL
BQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO
MAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ
KoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw
M1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w
DAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG
A1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W
BLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06
e/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib
63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs
i/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW
j9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL
VQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw
CQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD
VQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh
cm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud
DwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui
wuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k
ZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+
Vwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ
tTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz
QetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu
B3ZlZ7xhkqYB2vHjk2c=
-----END CERTIFICATE-----

Intermediate CA Certificate: intermediateCA.crt
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL
BQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO
MAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ
KoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN
MjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV
BAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD
DANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z
EfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom
LCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C
UmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp
dwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3
bRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB
AAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF
MAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD
ggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt
e1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m
ff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e
n8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr
QTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz
2itq2p3qLmcxj+YguGUCLLL0K1c=
-----END CERTIFICATE-----

Root CA Certificate: rootCA.crt
-----BEGIN CERTIFICATE-----
MIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL
BQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO
MAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ
KoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN
MjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV
BAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD
DANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa
MEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf
of+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5
wPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf
yFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn
dc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT
MFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB
xLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I
YyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95
+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE
uZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc
X7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A
FuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=
-----END CERTIFICATE-----

Cert Chain:
I created the cert chain by concatenating the intermediate CA cert and the root CA cert.


Now I performed the following tests using the updated attach and verify commands.

Attach Test

Step 1: Attach the signature, payload, cert and cert chain (including the root cert) in the registry.
C:\Users\musharma\Desktop\DemoJan13>cosign.exe attach signature --signature C:\Users\musharma\Desktop\DemoJan13\attachTest\payload64.sig --payload C:\Users\musharma\Desktop\DemoJan13\attachTest\payload.json --cert C:\Users\musharma\Desktop\DemoJan13\attachTest\leafCA.crt --cert-chain C:\Users\musharma\Desktop\DemoJan13\attachTest\certChain.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry

Step 2: Use the triangulate command to fetch the reference of the associated signature.

C:\Users\musharma\Desktop\DemoJan13>cosign triangulate harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig

Step 3: Fetch the manifest to validate that it contains all the required content.

C:\Users\musharma\Desktop\crane>crane manifest harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig --insecure

{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 246,
"digest": "sha256:948bcd0bc30307e9877c7afffffc3a4ac1329eb11f506cd030424a4f33a4a51f"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 290,
"digest": "sha256:64efb696f2970c7bb90334c7c4414811d859800579e25b131236ee73b9d9b9ce",
"annotations": {
"dev.cosignproject.cosign/signature": "IfuEJzvBkypcSiNKmljQuerhwkz3lNh5R3yHJB+GEMteDTtnJ4FV+gOUk2KPnuP688IMwH2xtWqB\r\nKvOrBlPjtnEWtW0bWYgMetcYW38tW0xzQpKjvQQRlb2Yp9q4pswdVesJCIKfiRgo6nKZIod22osx\r\n0B1eXY0DlLysnQ8NQkYcM94NeJYJUOO2B8Hl+GBJpy/N4isQaCL6c7s8q+Gd/SQAjFfr8VjQrgWq\r\nTbwgvhUDunikdcqAwfJZBhpOej3oOf3GgEcmpAsQaw0A8r3wE2FCDD52weIlSarjvHOifpHUIbUk\r\nU4564d78u7cW+diiAhKNQCZTEmukiyFlmv3RbA==",
"dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ\nKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw\nM1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w\nDAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG\nA1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W\nBLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06\ne/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib\n63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs\ni/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW\nj9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL\nVQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw\nCQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD\nVQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh\ncm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud\nDwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui\nwuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k\nZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+\nVwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ\ntTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz\nQetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu\nB3ZlZ7xhkqYB2vHjk2c=\n-----END CERTIFICATE-----\n",
"dev.sigstore.cosign/chain": "-----BEGIN CERTIFICATE-----\nMIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN\nMjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z\nEfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom\nLCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C\nUmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp\ndwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3\nbRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB\nAAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF\nMAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD\nggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt\ne1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m\nff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e\nn8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr\nQTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz\n2itq2p3qLmcxj+YguGUCLLL0K1c=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN\nMjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa\nMEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf\nof+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5\nwPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf\nyFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn\ndc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT\nMFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB\nxLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I\nYyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95\n+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE\nuZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc\nX7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A\nFuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=\n-----END CERTIFICATE-----\n"
}
}
]
}

So we can see that the cert and cert chain content is successfully attached in the registry.

Verify Test

Now on the verifier side we will just use the root cert to validate the cert chain -> cert and signature present in the registry.

Step 1: Verify the image using the root cert.

C:\Users\musharma\Desktop\DemoJan13>cosign.exe verify --root-cert C:\Users\musharma\Desktop\DemoJan13\verifyTest\rootCA.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --insecure-ignore-sct --insecure-skip-tlog-verify --allow-insecure-registry harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711

Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • Any certificates were verified against the Bring your own PKI roots.

[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":""}}]

So we can see that the signature claims were verified.

Verify test with wrong root certificate

This is a failure test case to prove that if we pass a wrong root cert to the verify command, one which does not match the cert and cert chain stored in the registry, the verification fails.

C:\Users\musharma\Desktop\DemoJan13>cosign.exe verify --root-cert C:\Users\musharma\Desktop\DemoJan13\wrongRoot\WrongRoot.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --insecure-ignore-sct --insecure-skip-tlog-verify --allow-insecure-registry harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
Error: no matching signatures:
x509: certificate signed by unknown authority
main.go:62: error during command execution: no matching signatures:
x509: certificate signed by unknown authority

So we can see that the verification failed as expected. This test case proves that if some adversary modifies the signature, cert or cert chain in the registry, the verifier still has the source of trust in the root cert present with them and can verify the content against that source of trust.

Contributor


We should also have this as unit and/or e2e tests.

Contributor Author


I have added end-to-end test cases for the attach scenario.
The new files added are:
test/e2e_test_attach.sh: This file contains the test case logic to test the attach use case and verify using an env variable.
test/testdata/test_attach_certchain.pem: This file contains the cert chain used in the attach test case.
test/testdata/test_attach_leafcert.pem: This file contains the leaf cert used in the attach test case.
test/testdata/test_attach_private_key: This file contains the private key of the leaf certificate used for signing the payload for the attach test case.
test/testdata/test_attach_rootcert.pem: This file contains the root cert used in the attach test case.

I am sharing the execution result of the test case.

/home/mukul/cosignAttachonlycode/cosign>./test/e2e_test_attach.sh

  • go build -o cosign ./cmd/cosign
  • go build -o sget ./cmd/sget
    ++ mktemp -d -t cosign-e2e-attach.XXXX
  • tmp=/tmp/cosign-e2e-attach.lFrZ
  • cp cosign /tmp/cosign-e2e-attach.lFrZ/
  • cp sget /tmp/cosign-e2e-attach.lFrZ/
  • cp ./test/testdata/test_attach_private_key /tmp/cosign-e2e-attach.lFrZ/private_key
  • cp ./test/testdata/test_attach_leafcert.pem /tmp/cosign-e2e-attach.lFrZ/leafcert.pem
  • cp ./test/testdata/test_attach_certchain.pem /tmp/cosign-e2e-attach.lFrZ/certchain.pem
  • cp ./test/testdata/test_attach_rootcert.pem /tmp/cosign-e2e-attach.lFrZ/rootcert.pem
  • pushd /tmp/cosign-e2e-attach.lFrZ
    /tmp/cosign-e2e-attach.lFrZ ~/cosignAttachonlycode/cosign
  • pass=26924
  • export COSIGN_PASSWORD=26924
  • COSIGN_PASSWORD=26924
  • SRC_IMAGE=busybox
    ++ crane digest busybox
  • SRC_DIGEST=sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
    ++ uuidgen
    ++ head -c 8
    ++ tr A-Z a-z
  • IMAGE_URI=ttl.sh/cosign-ci/d5d90e89
  • crane cp busybox@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c ttl.sh/cosign-ci/d5d90e89:1h
    2023/01/18 13:59:42 Copying from busybox@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c to ttl.sh/cosign-ci/d5d90e89:1h
    2023/01/18 13:59:54 pushed blob: sha256:66ba00ad3de8677a3fa4bc4ea0fc46ebca0f14db46ca365e7f60833068dd0148
    2023/01/18 13:59:59 pushed blob: sha256:205dae5015e78dd8c4d302e3db4eb31576fac715b46d099fe09680ba28093a7a
    2023/01/18 14:00:00 ttl.sh/cosign-ci/d5d90e89@sha256:907ca53d7e2947e849b839b1cd258c98fd3916c60f2e6e70c30edbf741ab6754: digest: sha256:907ca53d7e2947e849b839b1cd258c98fd3916c60f2e6e70c30edbf741ab6754 size: 528
    2023/01/18 14:00:08 pushed blob: sha256:99ee43e96ff50e90c5753954d7ce2dfdbd7eb9711c1cd96de56d429cb628e343
    2023/01/18 14:00:13 pushed blob: sha256:4c45e4bb3be9dbdfb27c09ac23c050b9e6eb4c16868287c8c31d34814008df80
    2023/01/18 14:00:13 ttl.sh/cosign-ci/d5d90e89@sha256:dde8e930c7b6a490f728e66292bc9bce42efc9bbb5278bae40e4f30f6e00fe8c: digest: sha256:dde8e930c7b6a490f728e66292bc9bce42efc9bbb5278bae40e4f30f6e00fe8c size: 528
    2023/01/18 14:00:22 pushed blob: sha256:a22ab831b2b2565a624635af04e5f76b4554d9c84727bf7e6bc83306b3b339a9
    2023/01/18 14:00:24 pushed blob: sha256:b203a35cab50f0416dfdb1b2260f83761cb82197544b9b7a2111eaa9c755dbe7
    2023/01/18 14:00:25 ttl.sh/cosign-ci/d5d90e89@sha256:4ff685e2bcafdab0d2a9b15cbfd9d28f5dfe69af97e3bb1987ed483b0abf5a99: digest: sha256:4ff685e2bcafdab0d2a9b15cbfd9d28f5dfe69af97e3bb1987ed483b0abf5a99 size: 527
    2023/01/18 14:00:33 pushed blob: sha256:1d57ab16f681953c15d7485bf3ee79a49c2838e5f9394c43e20e9accbb1a2b20
    2023/01/18 14:00:36 pushed blob: sha256:46758452d3eef8cacb188405495d52d265f0c3a7580dfec51cb627c04c7bafc4
    2023/01/18 14:00:36 ttl.sh/cosign-ci/d5d90e89@sha256:77ed5ebc3d9d48581e8afcb75b4974978321bd74f018613483570fcd61a15de8: digest: sha256:77ed5ebc3d9d48581e8afcb75b4974978321bd74f018613483570fcd61a15de8 size: 528
    2023/01/18 14:00:44 pushed blob: sha256:abaa813f94fdeebd3b8e6aeea861ab474a5c4724d16f1158755ff1e3a4fde8b0
    2023/01/18 14:00:47 pushed blob: sha256:f78e6840ded1aafb6c9f265f52c2fc7c0a990813ccf96702df84a7dcdbe48bea
    2023/01/18 14:00:48 ttl.sh/cosign-ci/d5d90e89@sha256:5e42fbc46b177f10319e8937dd39702e7891ce6d8a42d60c1b4f433f94200bd2: digest: sha256:5e42fbc46b177f10319e8937dd39702e7891ce6d8a42d60c1b4f433f94200bd2 size: 528
    2023/01/18 14:00:56 pushed blob: sha256:9af22d424aada215bab8c43d48ba6c8e4ddae9018628ab2098f16520bfdcd6d8
    2023/01/18 14:01:03 pushed blob: sha256:0b41f34c76745eef3d807afe679bea40ad0d84c1f109578ff017c870f2137589
    2023/01/18 14:01:03 ttl.sh/cosign-ci/d5d90e89@sha256:1c8bbeaff20b74c3918ae3da99db0f0d8563adb33fcb346592e2882d82c28ab5: digest: sha256:1c8bbeaff20b74c3918ae3da99db0f0d8563adb33fcb346592e2882d82c28ab5 size: 528
    2023/01/18 14:01:40 pushed blob: sha256:2bc9dea49d1a226db134bce761bfa89dd456109555c3ee4c490db84ad48d53b0
    2023/01/18 14:01:57 pushed blob: sha256:7ef0bcd6b4899cdcc5d2c4e97aba3e60a0153a3201c1a9c810ed915975f3833e
    2023/01/18 14:01:58 ttl.sh/cosign-ci/d5d90e89@sha256:e954aa43bc3d58a30a967d36b0b0ebf408eea4b1283106d2ca553b0243858d6b: digest: sha256:e954aa43bc3d58a30a967d36b0b0ebf408eea4b1283106d2ca553b0243858d6b size: 528
    2023/01/18 14:02:06 pushed blob: sha256:93f830f96e6d4290268f3d7adb078a66ddc24c23dddbd4899fd72a8041a5a1c8
    2023/01/18 14:02:11 pushed blob: sha256:95a526907ab34a09463a07cd768039ac815d433029f181a7731ef8dba3095bc4
    2023/01/18 14:02:12 ttl.sh/cosign-ci/d5d90e89@sha256:db6ea0cbfcdfe2e7fff3f36b40c2c6ac27933977d71317b30c1905675ec29349: digest: sha256:db6ea0cbfcdfe2e7fff3f36b40c2c6ac27933977d71317b30c1905675ec29349 size: 528
    2023/01/18 14:02:19 pushed blob: sha256:c3505dfdb7a6ef524d17d0ee391749f94de950c43642e3286e06172577e184a3
    2023/01/18 14:02:24 pushed blob: sha256:688cd001103a44dc582d4fdc4647517422c0be7942c1278b5bb748395265375d
    2023/01/18 14:02:25 ttl.sh/cosign-ci/d5d90e89@sha256:8f23e10f4610afdde9b856b9367742f1f5ded5c35e2aaa0630d3c5d9ebc2e4cf: digest: sha256:8f23e10f4610afdde9b856b9367742f1f5ded5c35e2aaa0630d3c5d9ebc2e4cf size: 527
    2023/01/18 14:02:34 pushed blob: sha256:0af8c5262529b2acebe9e308296ea619f25b2b3b47c632f7ff154e931d18064c
    2023/01/18 14:02:40 pushed blob: sha256:b49eda688ce8c1226b6d7e02969f22361a8874cfee14c603e98ad855f1267a94
    2023/01/18 14:02:41 ttl.sh/cosign-ci/d5d90e89@sha256:069e43a261e5dd787655dbeba5eed96e40f4c9f80f024ecd5d2bd17aab357204: digest: sha256:069e43a261e5dd787655dbeba5eed96e40f4c9f80f024ecd5d2bd17aab357204 size: 528
    2023/01/18 14:02:43 ttl.sh/cosign-ci/d5d90e89:1h: digest: sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c size: 2295
  • IMAGE_URI_DIGEST=ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • ./cosign initialize
    Root status:
    {
    "local": "/home/mukul/.sigstore/root",
    "remote": "https://sigstore-tuf-root.storage.googleapis.com/",
    "metadata": {
    "root.json": {
    "version": 5,
    "len": 6388,
    "expiration": "18 Apr 23 18:13 UTC",
    "error": ""
    },
    "snapshot.json": {
    "version": 65,
    "len": 1973,
    "expiration": "05 Feb 23 00:08 UTC",
    "error": ""
    },
    "targets.json": {
    "version": 5,
    "len": 4188,
    "expiration": "18 Apr 23 18:13 UTC",
    "error": ""
    },
    "timestamp.json": {
    "version": 65,
    "len": 721,
    "expiration": "29 Jan 23 00:08 UTC",
    "error": ""
    }
    },
    "targets": [
    "fulcio_v1.crt.pem",
    "rekor.pub",
    "artifact.pub",
    "ctfe.pub",
    "ctfe_2022.pub",
    "fulcio.crt.pem",
    "fulcio_intermediate_v1.crt.pem"
    ]
    }
  • ./cosign generate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • openssl dgst -sha256 -sign ./private_key -out payload.sig payload.json
  • cat payload.sig
  • base64
    ++ cat payloadbase64.sig
    ++ base64
  • SIGNATURE='S2ZCZnJuZ1hjYkhENis1RGdDUG4vMEZPZnUrYVN0UjhiTHpRdkFRMUdSZys4TVJvRGNpVFQ5Rm5G
    dCtHM3o5U3VMdUExTk9UZUlxdQpsanlzcXFEZDhYVFlZZmxJaDdoZWozRFg0ekRUaGtsaU1WTVNa
    VHYxWjF1R1o0VjAvTUhHK1NYOVBySzlxZmpZSUhOcmN1cHhudWljCkNwc2MySm4vZXN2TUc3UjBo
    dm0wUlg2VFRqS3laUm0veDdQYllSbGc0UWZxZEFkS0J4RnhUcGNYVjFZNWhPR3laUktOVlJiS21p
    c28KdGRnZzVOK2E5b0xLc2g5UG0reHp1OVBOQmFrYUV6VlhGWUpCMUZtbXpPNGUvRm9lUzdSbW9i
    TVl4ajc5T1hZTi9WYVp2ZjJLT05SSgpwU25HZnlCUEVRWFVTWU1iK1FIYndoN29YQUVlZENkK0VI
    M29pZz09Cg=='
  • echo 'Signature: S2ZCZnJuZ1hjYkhENis1RGdDUG4vMEZPZnUrYVN0UjhiTHpRdkFRMUdSZys4TVJvRGNpVFQ5Rm5G
    dCtHM3o5U3VMdUExTk9UZUlxdQpsanlzcXFEZDhYVFlZZmxJaDdoZWozRFg0ekRUaGtsaU1WTVNa
    VHYxWjF1R1o0VjAvTUhHK1NYOVBySzlxZmpZSUhOcmN1cHhudWljCkNwc2MySm4vZXN2TUc3UjBo
    dm0wUlg2VFRqS3laUm0veDdQYllSbGc0UWZxZEFkS0J4RnhUcGNYVjFZNWhPR3laUktOVlJiS21p
    c28KdGRnZzVOK2E5b0xLc2g5UG0reHp1OVBOQmFrYUV6VlhGWUpCMUZtbXpPNGUvRm9lUzdSbW9i
    TVl4ajc5T1hZTi9WYVp2ZjJLT05SSgpwU25HZnlCUEVRWFVTWU1iK1FIYndoN29YQUVlZENkK0VI
    M29pZz09Cg=='
    Signature: S2ZCZnJuZ1hjYkhENis1RGdDUG4vMEZPZnUrYVN0UjhiTHpRdkFRMUdSZys4TVJvRGNpVFQ5Rm5G
    dCtHM3o5U3VMdUExTk9UZUlxdQpsanlzcXFEZDhYVFlZZmxJaDdoZWozRFg0ekRUaGtsaU1WTVNa
    VHYxWjF1R1o0VjAvTUhHK1NYOVBySzlxZmpZSUhOcmN1cHhudWljCkNwc2MySm4vZXN2TUc3UjBo
    dm0wUlg2VFRqS3laUm0veDdQYllSbGc0UWZxZEFkS0J4RnhUcGNYVjFZNWhPR3laUktOVlJiS21p
    c28KdGRnZzVOK2E5b0xLc2g5UG0reHp1OVBOQmFrYUV6VlhGWUpCMUZtbXpPNGUvRm9lUzdSbW9i
    TVl4ajc5T1hZTi9WYVp2ZjJLT05SSgpwU25HZnlCUEVRWFVTWU1iK1FIYndoN29YQUVlZENkK0VI
    M29pZz09Cg==
    ++ cat payload.json
  • PAYLOAD='{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null}'
  • echo 'Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null}'
    Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":null}
  • ./cosign attach signature --signature ./payloadbase64.sig --payload ./payload.json --cert ./leafcert.pem --cert-chain ./certchain.pem ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • grep -q application/vnd.oci.image.config.v1+json
    ++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
    ++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • grep -q dev.sigstore.cosign/certificate
  • crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
  • grep -q dev.sigstore.cosign/chain
    ++ ./cosign triangulate ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
  • crane manifest ttl.sh/cosign-ci/d5d90e89:sha256-7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c.sig
  • export SIGSTORE_ROOT_FILE=./rootcert.pem
  • SIGSTORE_ROOT_FILE=./rootcert.pem
  • ./cosign verify ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp '.' --certificate-oidc-issuer-regexp '.' ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c
    Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for ttl.sh/cosign-ci/d5d90e89@sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d5d90e89"},"image":{"docker-manifest-digest":"sha256:7b3ccabffc97de872a30dfd234fd972a66d247c8cfc69b0550f276481852627c"},"type":"cosign container image signature"},"optional":{"Subject":"foo@example.com"}}]

@@ -59,6 +59,9 @@ against the transparency log.`,
# verify image with local certificate and certificate chain
cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>

# verify image with local root certificate
cosign verify --root-cert root.crt <IMAGE>
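Review bot: the new `--root-cert` example documents a fourth way to supply trust-root material next to `--cert-chain` (the example just above), the SIGSTORE_ROOT_FILE environment variable the e2e test exports, and the TUF root, but nothing in the hunk says which one wins when more than one is set, or whether `--root-cert` alone suffices when the intermediates exist only in the image annotation. Either state that precedence in the help text here, or, as the review thread suggests, drop the flag and keep the existing `--cert-chain` / SIGSTORE_ROOT_FILE paths so `verify` does not gain a flag that the other `verify-*` commands would not understand.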
Contributor

@haydentherapper haydentherapper Jan 7, 2023

@znewman01 I suspect you might disagree, but I don’t see a reason to have many different ways to pass the root, and two ways for the CLI flags

  • via cert-chain
  • Via the env var
  • TUF root
  • This option now

I don’t see the confusion with using cert-chain. It’s documented that you can either pass a root and verify should pick up any intermediates from the image annotation, or you pass the whole chain if intermediates aren’t stored on the image.

Contributor

The other issue with this is it's being added only to verify and not the other verify-* commands. If this is only being added to support attach, the flag should be scoped as such, but I think that would cause confusion.

Contributor

I’d propose we either:

  • Stick with passing a root via the cert chain flag
  • refactor all verify commands to pass roots and intermediates separately, ala openssl-style (openssl is not what I’d use an example of good UX fwiw)

Contributor

One more idea: We can now link environment variables to flags, so a cleaner approach that would reduce duplication would be to link SIGSTORE_ROOT_FILE to a CLI flag for the trust root. For names, I’d pick "SIGSTORE_CA_TRUST_ROOT" and --ca-trust-root, what you proposed Zack. I also like this because it doesn’t treat fulcio differently than other CAs.

I can get this out tomorrow if this sounds good.

Contributor

As part of the given PR we want to solve the shortcomings we identified in cosign for the following use case.
Use case: A corporation has a private CA which is used for certificate generation and signing. The corporation wants to use its existing infrastructure for signature signing and certificate generation, but wants to use the cosign tool to upload the signature, cert and cert chain to the registry and also to verify the image content at the verifier side.

While investigating the usage of cosign in the scenario of a private CA we found the following shortcomings:

  1. The attach signature command was not allowing attachment of the certificate and cert chain in the registry.
  2. If we use the cosign sign command along with cert and cert-chain, the cert and cert chain get updated in the registry, but when we use the verify command we have to explicitly pass the cert and cert-chain as arguments even if these things are already attached in the registry along with the image. One way to do this is to first download the cert and cert-chain from the registry and then use them as the arguments of the verify command.
  3. There should be a source of trust at the verifier side which should verify the cert chain, cert and signature. As any adversary can modify the data in the registry by updating the signature, cert and cert chain, we cannot just rely on the data present in the registry; the source of trust should be with the verifier.

So to fix these shortcomings we propose the following enhancements in this PR.

  1. The attach command has been modified to allow attachment of the cert and cert chain (including the root certificate) along with the signature and payload.
  2. The verify command has a new argument "--root-cert" which the verifier can use to verify the cert chain, cert and signature. The root certificate which will be used by the verifier will be provided to the verifier using out-of-band mechanisms, and the verifier will use the trusted root certificate to verify the cert chain.

This is very similar to the Fulcio root based verification approach where cosign fetches the root cert from Fulcio to verify the stored cert chain and cert attached with the signature. The only difference here is that the user is using a locally stored root certificate to validate the certificate chain instead of using a public CA like Fulcio.

Contributor

Yep, I’m just talking about how you pass the root certificate to verify. This issue is a little orthogonal to this PR, we have another issue open to make “cert-chain” clearer, but adding another flag to provide a root will exacerbate the issue.

To unblock this PR, I would just stick with what options we already have for passing root material and not add an additional flag.

Contributor Author

@Mukuls77 Mukuls77 Jan 9, 2023

Thanks for the update. So if I understood you correctly, the proposal is that we would have an environment flag "SIGSTORE_CA_TRUST_ROOT" which will be set to the path of the local trusted root certificate, and then the user can just
export SIGSTORE_CA_TRUST_ROOT=[PATH of trusted root cert]
and execute the following command
cosign verify [path of IMAGE]
This will pick the trusted root cert from the env variable into an internal flag "--ca-trust-root" and use that to verify the cert chain, cert and signature stored in the registry.
So this seems OK with me, as this will solve the requirement we need to be supported in the cosign tool. Kindly clarify if my understanding is correct.

Contributor

I would propose that for this PR, you remove the added root-cert flags and rely on the existing certificate-chain flag to verify contents. You can remove your changes to verify.go. This keeps the PR small and focused just on improving attach.

There's more that we need to think through for the user experience for verifying certificates, and I wouldn't want to rush to add new verification flags if it will be confusing for users.

Contributor Author

I tried passing the root cert with the cert-chain option, but it tries to search for the Fulcio root cert, so the command fails.

C:\Users\musharma\Desktop\cosignCert>cosign.exe verify --cert-chain C:\Users\musharma\Desktop\cosignCert\rootCA.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Error: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open C:\Users\musharma\.sigstore\root\targets\fulcio.crt.pem: The system cannot find the file specified.
main.go:62: error during command execution: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open C:\Users\musharma\.sigstore\root\targets\fulcio.crt.pem: The system cannot find the file specified.

The working scenario with the existing mechanism provided by cosign is to set the env variable SIGSTORE_ROOT_FILE
to the trusted local root certificate and use the cosign verify command without any options.

C:\Users\musharma\Desktop\cosignCert>cosign.exe verify harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-skip-tlog-verify --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":"foo@example.com"}}]

C:\Users\musharma\Desktop\cosignCert>echo %SIGSTORE_ROOT_FILE%
C:\Users\musharma\Desktop\cosignCert\rootCA.crt

As discussed before I have now reverted the changes done in the following files
cmd/cosign/cli/options/certificate.go
cmd/cosign/cli/verify.go
cmd/cosign/cli/verify/verify.go

cp cosign $tmp/
cp sget $tmp/

#copying key, cert, certchain and rootcert in temp folder
Contributor

Can you add a comment about how these were generated? (with openssl?) At some point the certs will expire and will likely cause test failures and need to be regenerated

Contributor Author

Yes, the certificates are generated using openssl. I have added the instructions to generate the certificates and certificate chain in the file
test/testdata/README.md

Generate Certificates and Certificate chain for Attach test

If test/testdata/test_attach_leafcert.pem, test_attach_rootcert.pem or test_attach_certchain.pem expires, then you can generate a new certificate and certificate chain using the given steps

  1. Generate a private key for Root certificate
    openssl genrsa -des3 -out rootCA.key 2048
  2. Generate Root certificate
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.crt
    in Certificate generation set following values
    C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore, CN = sigstore, emailAddress = foo@example.com
  3. Generate Private key for Intermediate certificate
    openssl genrsa -out intermediateCA.key 2048
  4. Generate CSR for Intermediate certificate
    openssl req -new -key intermediateCA.key -out intermediateCA.csr
    in Certificate generation set following values
    C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore-sub, CN = sigstore-sub, emailAddress = foo@example.com
  5. Create intermediate certificate config file by name "intermediateConfigFile" having content
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  6. Create intermediate certificate
    openssl x509 -req -in intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -CAserial intermediateca.srl -out intermediateCA.crt -days 1825 -sha256 -extfile intermediateConfigFile
  7. Create Private key for leaf certificate
    openssl genrsa -out leafCA.key 2048
  8. Create CSR for Leaf certificate
    openssl req -new -key leafCA.key -out leafCA.csr
    in certificate generation set following values
    C = IN, ST = DEL, L = DEL, O = example.com, OU = sigstore-leaf, CN = sigstore-leaf, emailAddress = foo@example.com
  9. Create Leaf certificate config file by name "leafConfigFile" having content
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage=codeSigning
    subjectAltName=email:copy
  10. Create Leaf certificate
    openssl x509 -req -in leafCA.csr -CA intermediateCA.crt -CAkey intermediateCA.key -CAcreateserial -CAserial leafca.srl -out leafCA.crt -days 1825 -sha256 -extfile leafConfigFile
  11. Generate Certificate chain by concatenating Intermediate certificate and Root certificate
    cat intermediateCA.crt rootCA.crt > certChain.crt
  12. copy private key of Leaf certificate to test/testdata/test_attach_private.key
    cp leafCA.key test/testdata/test_attach_private.key
  13. copy root certificate to test/testdata/test_attach_rootcert.pem
    cp rootCA.crt test/testdata/test_attach_rootcert.pem
  14. copy cert chain to test/testdata/test_attach_certchain.pem
    cp certChain.crt test/testdata/test_attach_certchain.pem
  15. copy Leaf certificate to test/testdata/test_attach_leafcert.pem
    cp leafCA.crt test/testdata/test_attach_leafcert.pem
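The following Go program is an added example, not code from this PR or from cosign itself. It builds in memory the same root -> intermediate -> leaf chain that the README steps above produce with openssl (same OUs, pathlen:0 on the intermediate, codeSigning EKU and email SAN on the leaf; ECDSA P-256 instead of RSA-2048 only for speed), then models the verifier side discussed earlier in the thread: the leaf and chain are treated as untrusted registry content and are only ever used as intermediates, while the sole trust anchor is a root the verifier holds locally, which is the role SIGSTORE_ROOT_FILE plays. `GeneratePKI`, `VerifyAttached`, the `PKI` type and the email identity check are this example's own names; a second, unrelated PKI stands in for a chain an attacker could write into the registry, and a missing chain shows why a root alone is not enough when the intermediate is not attached to the image.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type PKI struct{ LeafPEM, ChainPEM, RootPEM []byte } // leaf cert, chain (intermediate then root), out-of-band root

// template mirrors the README extensions: CAs get keyCertSign/cRLSign; the leaf gets codeSigning and the email as a SAN.
func template(ou string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"IN"}, Organization: []string{"example.com"}, OrganizationalUnit: []string{ou}, CommonName: ou},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
		t.EmailAddresses = []string{"foo@example.com"}
	}
	return t
}

// issue generates a P-256 key and signs tmpl for it under parent; a nil signer yields the self-signed root.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// GeneratePKI builds root -> intermediate (pathlen:0) -> leaf in memory, like README steps 1-10.
func GeneratePKI() *PKI {
	root, rootKey, rootPEM := issue(template("sigstore", 1, true), nil, nil)
	interTmpl := template("sigstore-sub", 2, true)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true // basicConstraints = critical, CA:true, pathlen:0
	inter, interKey, interPEM := issue(interTmpl, root, rootKey)
	_, _, leafPEM := issue(template("sigstore-leaf", 3, false), inter, interKey)
	return &PKI{LeafPEM: leafPEM, ChainPEM: append(interPEM, rootPEM...), RootPEM: rootPEM}
}

// VerifyAttached is the verifier side: leafPEM and chainPEM come from the registry and are untrusted; the only
// trust anchor is trustedRootPEM, held locally. Chain members act as intermediates only, never as roots.
func VerifyAttached(leafPEM, chainPEM, trustedRootPEM []byte, wantEmail string) error {
	blk, _ := pem.Decode(leafPEM)
	if blk == nil {
		return fmt.Errorf("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(trustedRootPEM) {
		return fmt.Errorf("no usable trusted root")
	}
	inters := x509.NewCertPool()
	inters.AppendCertsFromPEM(chainPEM) // may be empty; then the leaf must have been issued by the root directly
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not lead to the out-of-band root: %w", err)
	}
	for _, e := range leaf.EmailAddresses { // stands in for cosign's --certificate-identity check
		if e == wantEmail {
			return nil
		}
	}
	return fmt.Errorf("leaf SAN %v does not contain %q", leaf.EmailAddresses, wantEmail)
}

func main() {
	company, rogue := GeneratePKI(), GeneratePKI() // rogue: a CA an attacker could write into the registry
	fmt.Println("own:", VerifyAttached(company.LeafPEM, company.ChainPEM, company.RootPEM, "foo@example.com"), "| rogue:", VerifyAttached(rogue.LeafPEM, rogue.ChainPEM, company.RootPEM, "foo@example.com"))
}
```

The point of putting every registry-supplied certificate into `Intermediates` and only the out-of-band file into `Roots` is the one made in the thread: an attacker who can rewrite the `.sig` tag can attach any leaf and any chain, including a self-signed root, so nothing fetched from the registry may ever become a trust anchor. The same call also shows why passing only a root fails when the intermediate is not stored on the image, which is what the `--cert-chain` versus root-file discussion above is about.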

@codecov-commenter

codecov-commenter commented Jan 25, 2023

Codecov Report

Merging #2602 (be4ed5d) into main (83bc542) will decrease coverage by 0.49%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2602      +/-   ##
==========================================
- Coverage   30.15%   29.66%   -0.49%     
==========================================
  Files         146      151       +5     
  Lines        9363     9647     +284     
==========================================
+ Hits         2823     2862      +39     
- Misses       6103     6348     +245     
  Partials      437      437              
Impacted Files Coverage Δ
cmd/cosign/cli/attach.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/attach.go 0.00% <0.00%> (ø)
pkg/cosign/errors.go 60.00% <0.00%> (-40.00%) ⬇️
pkg/oci/remote/write.go 14.18% <0.00%> (-12.14%) ⬇️
pkg/oci/remote/remote.go 36.91% <0.00%> (-5.55%) ⬇️
internal/pkg/cosign/tsa/signer.go 50.98% <0.00%> (-2.05%) ⬇️
pkg/cosign/verify.go 37.22% <0.00%> (-2.01%) ⬇️
cmd/cosign/cli/sign/sign.go 14.85% <0.00%> (-0.04%) ⬇️
cmd/cosign/cli/options/sign.go 0.00% <0.00%> (ø)
cmd/cosign/cli/attest/attest.go 0.00% <0.00%> (ø)
... and 10 more


@Mukuls77
Contributor Author

Mukuls77 commented Feb 5, 2023

Hi, please suggest if anything further is required from my side on this pull request. As of now I have completed the required end-to-end test cases, comments on how to create the certs etc., so please suggest if anything further is needed from my side on this PR.

@Mukuls77
Contributor Author

Mukuls77 commented Feb 6, 2023

Fixed the issue reported by the CI lint test.
In file cmd/cosign/cli/attach/sig.go: added the handling for the return error code.
In file cmd/cosign/cli/options/attach.go: removed an extra newline.
Also executed the docgen test case locally, and it is working fine.
docgen_output.txt
attaching the docgen result

Kindly retest the CI test cases.

@Mukuls77
Contributor Author

Mukuls77 commented Feb 8, 2023

Thanks for executing the CI tests again. I checked the two failures reported in the last run.
1. Lint test failed
I checked the log of the test run and could see the following errors:
Error: File is not gofmt-ed with -s (gofmt)
Error: File is not gofmt-ed with -s (gofmt)
Error: File is not goimports-ed (goimports)
Error: File is not goimports-ed (goimports)
Error: issues found
As this does not show the file names, I executed the lint test on my local setup
and found the following errors:

::error file=pkg/types/media.go,line=2::File is not gofmt-ed with -s (gofmt)
::error file=pkg/types/payload.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/providers/doc.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/providers/interface.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=cmd/sample/main.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/cosign/env/env.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/cosign/env/env_test.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/providers/filesystem/doc.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/providers/filesystem/filesystem.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=cmd/cosign/cli/fulcio/depcheck_test.go,line=1::File is not gofmt-ed with -s (gofmt)
::error file=pkg/types/media.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/types/payload.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/providers/doc.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/providers/interface.go,line=1::File is not goimports-ed (goimports)
::error file=cmd/sample/main.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/cosign/env/env.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/cosign/env/env_test.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/providers/filesystem/doc.go,line=1::File is not goimports-ed (goimports)
::error file=pkg/providers/filesystem/filesystem.go,line=1::File is not goimports-ed (goimports)
::error file=cmd/cosign/cli/fulcio/depcheck_test.go,line=1::File is not goimports-ed (goimports)

In addition to these there were many typecheck errors also reported on my local setup. I assume in the CI environment the typecheck errors have been suppressed. Now coming to the goimports and gofmt errors: as I see these are being reported for files which have not been modified by me, I assume this error is not coming due to changes done in this PR.

2. Docgen test failed.

I again executed the docgen command on my local setup and it is working fine, so I am not clear why the docgen test is failing in the CI environment.

@haydentherapper
Contributor

You might need to rebase.

@Mukuls77
Contributor Author

Mukuls77 commented Feb 9, 2023

Can you please update on the command to be used for rebasing?
As I used
/c/Users/musharma/cosign>git rebase origin
Current branch mukuls77-branch is up to date.

As it says the branch is up to date, is this sufficient?

@haydentherapper
Contributor

You need to set upstream to sigstore/cosign, a guide like https://www.atlassian.com/git/tutorials/git-forks-and-upstreams should walk you through the process

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
…nd cert chain

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
@Mukuls77
Contributor Author

I have completed the rebase of the branch and also resolved the conflicts. I executed the following steps.

  1. set upstream
    https://github.com/sigstore/cosign.git

  2. check upstream
    /c/Users/musharma/cosign>git remote -v
    origin https://github.com/Mukuls77/cosign.git (fetch)
    origin https://github.com/Mukuls77/cosign.git (push)
    upstream https://github.com/sigstore/cosign.git (fetch)
    upstream https://github.com/sigstore/cosign.git (push)

  3. fetch upstream
    /c/Users/musharma/cosign>git fetch upstream
    remote: Enumerating objects: 725, done.
    remote: Counting objects: 100% (468/468), done.
    remote: Compressing objects: 100% (105/105), done.
    remote: Total 725 (delta 395), reused 406 (delta 361), pack-reused 257
    Receiving objects: 100% (725/725), 518.20 KiB | 4.39 MiB/s, done.
    Resolving deltas: 100% (448/448), completed with 124 local objects.
    From https://github.com/sigstore/cosign

  • [new branch] 1.0-fork -> upstream/1.0-fork
  • [new branch] 2.0-docs -> upstream/2.0-docs
  • [new branch] dependabot/go_modules/golang.org/x/oauth2-0.5.0 -> upstream/dependabot/go_modules/golang.org/x/oauth2-0.5.0
  • [new branch] main -> upstream/main
  • [new branch] release-1.13 -> upstream/release-1.13
  • [new tag] cosigned-v0.0.1-dev -> cosigned-v0.0.1-dev
  • [new tag] cosigned-v0.0.2-dev -> cosigned-v0.0.2-dev
  • [new tag] cosigned-v0.0.3-dev -> cosigned-v0.0.3-dev
  • [new tag] v0.1.0 -> v0.1.0
  • [new tag] v0.2.0 -> v0.2.0
  • [new tag] v0.3.0 -> v0.3.0
  • [new tag] v0.3.1 -> v0.3.1
  • [new tag] v0.4.0 -> v0.4.0
  • [new tag] v0.5.0 -> v0.5.0
  • [new tag] v0.6.0 -> v0.6.0
  • [new tag] v1.0.0 -> v1.0.0
  • [new tag] v1.0.1 -> v1.0.1
  • [new tag] v1.1.0 -> v1.1.0
  • [new tag] v1.10.0 -> v1.10.0
  • [new tag] v1.10.0-rc.1 -> v1.10.0-rc.1
  • [new tag] v1.10.1 -> v1.10.1
  • [new tag] v1.11.0 -> v1.11.0
  • [new tag] v1.11.1 -> v1.11.1
  • [new tag] v1.12.0 -> v1.12.0
  • [new tag] v1.12.1 -> v1.12.1
  • [new tag] v1.13.0 -> v1.13.0
  • [new tag] v1.13.1 -> v1.13.1
  • [new tag] v1.2.0 -> v1.2.0
  • [new tag] v1.2.1 -> v1.2.1
  • [new tag] v1.3.0 -> v1.3.0
  • [new tag] v1.3.1 -> v1.3.1
  • [new tag] v1.4.0 -> v1.4.0
  • [new tag] v1.4.1 -> v1.4.1
  • [new tag] v1.5.0 -> v1.5.0
  • [new tag] v1.5.1 -> v1.5.1
  • [new tag] v1.6.0 -> v1.6.0
  • [new tag] v1.7.0 -> v1.7.0
  • [new tag] v1.7.1 -> v1.7.1
  • [new tag] v1.7.2 -> v1.7.2
  • [new tag] v1.8.0 -> v1.8.0
  • [new tag] v1.9.0 -> v1.9.0
  • [new tag] v2.0.0-rc.0 -> v2.0.0-rc.0
  • [new tag] v2.0.0-rc.1 -> v2.0.0-rc.1
  4. execute rebase and skipped the conflicting files.
    git rebase upstream/main
    /c/Users/musharma/cosign>git rebase upstream/main
    Auto-merging cmd/cosign/cli/verify.go
    CONFLICT (content): Merge conflict in cmd/cosign/cli/verify.go
    Auto-merging cmd/cosign/cli/verify/verify.go
    error: could not apply 9c3e558... Added support for attaching cert and cert chain in attach command Git Issue: 2267
    hint: Resolve all conflicts manually, mark them as resolved with
    hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
    hint: You can instead skip this commit: run "git rebase --skip".
    hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
    Could not apply 9c3e558... Added support for attaching cert and cert chain in attach command Git Issue: 2267
    /c/Users/musharma/cosign>git rebase --skip
    dropping d53035e Reverted the changes done for supporting root-cert option in Verify command -- patch contents already upstream
    Auto-merging cmd/cosign/cli/verify.go
    CONFLICT (content): Merge conflict in cmd/cosign/cli/verify.go
    error: could not apply b774fc6... Reverte the changes done for supporting root-cert option in Verify command
    hint: Resolve all conflicts manually, mark them as resolved with
    hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
    hint: You can instead skip this commit: run "git rebase --skip".
    hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
    Could not apply b774fc6... Reverte the changes done for supporting root-cert option in Verify command
    /c/Users/musharma/cosign>git rebase --skip
    Auto-merging cmd/cosign/cli/verify/verify.go
    CONFLICT (content): Merge conflict in cmd/cosign/cli/verify/verify.go
    error: could not apply 2845a08... reverted the changes done for supporting rrot-cert option in Verify command
    hint: Resolve all conflicts manually, mark them as resolved with
    hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
    hint: You can instead skip this commit: run "git rebase --skip".
    hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
    Could not apply 2845a08... reverted the changes done for supporting rrot-cert option in Verify command
    /c/Users/musharma/cosign>git rebase --skip
    Auto-merging cmd/cosign/cli/attach/sig.go
    CONFLICT (content): Merge conflict in cmd/cosign/cli/attach/sig.go
    error: could not apply 2bff265... Fixed CI-Lint-test issue by adding handling for return error code
    hint: Resolve all conflicts manually, mark them as resolved with
    hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
    hint: You can instead skip this commit: run "git rebase --skip".
    hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
    Could not apply 2bff265... Fixed CI-Lint-test issue by adding handling for return error code
    /c/Users/musharma/cosign>git rebase --skip
    Auto-merging cmd/cosign/cli/options/attach.go
    CONFLICT (content): Merge conflict in cmd/cosign/cli/options/attach.go
    error: could not apply b59801b... Fixed CI-Lint test issue by removing extra newline
    hint: Resolve all conflicts manually, mark them as resolved with
    hint: "git add/rm <conflicted_files>", then run "git rebase --continue".
    hint: You can instead skip this commit: run "git rebase --skip".
    hint: To abort and get back to the state before "git rebase", run "git rebase --abort".
    Could not apply b59801b... Fixed CI-Lint test issue by removing extra newline
    /c/Users/musharma/cosign>git rebase --skip
    Successfully rebased and updated refs/heads/mukuls77-branch.

  5. Manually introduced changes for PR in conflict files

    cmd/cosign/cli/attach.go
    cmd/cosign/cli/attach/sig.go
    cmd/cosign/cli/options/attach.go

  6. commit the changes and forced push the changes

/c/Users/musharma/cosign>git status
On branch mukuls77-branch
Your branch and 'origin/mukuls77-branch' have diverged,
and have 88 and 15 different commits each, respectively.
(use "git pull" to merge the remote branch into yours)

Changes not staged for commit:
(use "git add ..." to update what will be committed)
(use "git restore ..." to discard changes in working directory)
modified: cmd/cosign/cli/attach.go
modified: cmd/cosign/cli/attach/sig.go
modified: cmd/cosign/cli/options/attach.go

no changes added to commit (use "git add" and/or "git commit -a")
/c/Users/musharma/cosign>git add cmd/cosign/cli/attach.go
/c/Users/musharma/cosign>git add cmd/cosign/cli/attach/sig.go
/c/Users/musharma/cosign>git add cmd/cosign/cli/options/attach.go
/c/Users/musharma/cosign>git status
On branch mukuls77-branch
Your branch and 'origin/mukuls77-branch' have diverged,
and have 88 and 15 different commits each, respectively.
(use "git pull" to merge the remote branch into yours)

Changes to be committed:
(use "git restore --staged ..." to unstage)
modified: cmd/cosign/cli/attach.go
modified: cmd/cosign/cli/attach/sig.go
modified: cmd/cosign/cli/options/attach.go
/c/Users/musharma/cosign>git commit -s -m "Added support for attaching cert and cert chain in attach command"
[mukuls77-branch 307dd50] Added support for attaching cert and cert chain in attach command
Committer: Mukul Sharma (Nokia) mukul.sharma@nokia.com
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:

git config --global --edit

After doing this, you may fix the identity used for this commit with:

git commit --amend --reset-author

3 files changed, 38 insertions(+), 3 deletions(-)
/c/Users/musharma/cosign>git status
On branch mukuls77-branch
Your branch and 'origin/mukuls77-branch' have diverged,
and have 89 and 15 different commits each, respectively.
(use "git pull" to merge the remote branch into yours)

nothing to commit, working tree clean
/c/Users/musharma/cosign>git push -f origin mukuls77-branch
Enumerating objects: 65, done.
Counting objects: 100% (65/65), done.
Delta compression using up to 8 threads
Compressing objects: 100% (52/52), done.
Writing objects: 100% (52/52), 11.55 KiB | 1.28 MiB/s, done.
Total 52 (delta 38), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (38/38), completed with 10 local objects.
To https://github.com/Mukuls77/cosign.git

  • b59801b...307dd50 mukuls77-branch -> mukuls77-branch (forced update)
    /c/Users/musharma/cosign>git status
    On branch mukuls77-branch
    Your branch is up to date with 'origin/mukuls77-branch'.

nothing to commit, working tree clean
/c/Users/musharma/cosign>

I also performed a quick attach and verify test on the updated binary

Test Done

  1. Execute Attach command
    C:\Users\musharma\Desktop\DemoJan13\attachTest>cosign.exe attach signature --signature payload64.sig --payload payload.json --cert leafCA.crt --cert-chain certChain.crt harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry

  2. execute cosign triangulate to locate signature
    C:\Users\musharma\Desktop\DemoJan13\attachTest>cosign triangulate harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711
    harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig

  3. download manifest
    C:\Users\musharma\Desktop\crane>crane.exe manifest harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp:sha256-8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711.sig --insecure >manifest

  4. check signature, cert attachment in manifest

/c/Users/musharma/Desktop/crane>cat manifest |jq
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 246,
"digest": "sha256:67076536d7727001f9cea0fe788130890ba633872fc8265f953c4f194a601367"
},
"layers": [
{
"mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
"size": 290,
"digest": "sha256:64efb696f2970c7bb90334c7c4414811d859800579e25b131236ee73b9d9b9ce",
"annotations": {
"dev.cosignproject.cosign/signature": "IfuEJzvBkypcSiNKmljQuerhwkz3lNh5R3yHJB+GEMteDTtnJ4FV+gOUk2KPnuP688IMwH2xtWqB\r\nKvOrBlPjtnEWtW0bWYgMetcYW38tW0xzQpKjvQQRlb2Yp9q4pswdVesJCIKfiRgo6nKZIod22osx\r\n0B1eXY0DlLysnQ8NQkYcM94NeJYJUOO2B8Hl+GBJpy/N4isQaCL6c7s8q+Gd/SQAjFfr8VjQrgWq\r\nTbwgvhUDunikdcqAwfJZBhpOej3oOf3GgEcmpAsQaw0A8r3wE2FCDD52weIlSarjvHOifpHUIbUk\r\nU4564d78u7cW+diiAhKNQCZTEmukiyFlmv3RbA==",
"dev.sigstore.cosign/certificate": "-----BEGIN CERTIFICATE-----\nMIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ\nKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw\nM1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w\nDAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG\nA1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W\nBLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06\ne/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib\n63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs\ni/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW\nj9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL\nVQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw\nCQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD\nVQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh\ncm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud\nDwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui\nwuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k\nZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+\nVwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ\ntTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz\nQetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu\nB3ZlZ7xhkqYB2vHjk2c=\n-----END CERTIFICATE-----\n",
"dev.sigstore.cosign/chain": "-----BEGIN CERTIFICATE-----\nMIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN\nMjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z\nEfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom\nLCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C\nUmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp\ndwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3\nbRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB\nAAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF\nMAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD\nggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt\ne1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m\nff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e\nn8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr\nQTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz\n2itq2p3qLmcxj+YguGUCLLL0K1c=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN\nMjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa\nMEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf\nof+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5\nwPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf\nyFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn\ndc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT\nMFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB\nxLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I\nYyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95\n+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE\nuZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc\nX7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A\nFuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=\n-----END CERTIFICATE-----\n"
}
}
]
}

  5. Set SIGSTORE_ROOT_FILE env to the trusted root certificate

C:\Users\musharma\Desktop\DemoJan13\attachTest>set SIGSTORE_ROOT_FILE=C:\Users\musharma\Desktop\DemoJan13\attachTest\rootCA.crt

C:\Users\musharma\Desktop\DemoJan13\attachTest>echo %SIGSTORE_ROOT_FILE%
C:\Users\musharma\Desktop\DemoJan13\attachTest\rootCA.crt

  6. Test Verify command

C:\Users\musharma\Desktop\DemoJan13\attachTest>cosign.exe verify harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --allow-insecure-registry --insecure-ignore-sct --insecure-ignore-tlog --certificate-identity-regexp .* --certificate-oidc-issuer-regexp .*
Warning Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.

Verification for harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp@sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711 --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":{"identity":{"docker-reference":"harbor.ncdfp3.bpti.dyn.nesc.nokia.net/cosign-demo/fp3testcnf/orbs/orb-atp"},"image":{"docker-manifest-digest":"sha256:8cbd5009dff7db858c58d54c051fd99bfe7128aa4345d2cf5480dd55b9e7b711"},"type":"cosign container image signature"},"optional":{"Subject":""}}]
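
As an added example (not part of this PR and not cosign's own code), the verifier side of the test above written in Go: it parses the manifest that `crane` printed, pulls the signature and the two certificate annotations off the simplesigning layer, and builds the leaf -> chain -> root path against a trusted root, which is what the enhanced `verify` command does with `SIGSTORE_ROOT_FILE`. The manifest JSON is the one shown above (page data, not a constructed sample; the chain annotation is re-joined onto one line). The function names, the verification date and the use of the chain's last certificate as a stand-in for the out-of-band root are assumptions of this example. It also shows the negative case: with an empty trust store the same chain is rejected, which is the reason the root must come from the verifier's own store and never from the attachment it is checking.

```go
package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"time"
)

// manifestJSON is the signature manifest printed by crane in the test above (page data, not a
// constructed sample), with the chain annotation re-joined onto one line.
const manifestJSON = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","size":246,"digest":"sha256:67076536d7727001f9cea0fe788130890ba633872fc8265f953c4f194a601367"},
"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","size":290,"digest":"sha256:64efb696f2970c7bb90334c7c4414811d859800579e25b131236ee73b9d9b9ce","annotations":{
"dev.cosignproject.cosign/signature":"IfuEJzvBkypcSiNKmljQuerhwkz3lNh5R3yHJB+GEMteDTtnJ4FV+gOUk2KPnuP688IMwH2xtWqB\r\nKvOrBlPjtnEWtW0bWYgMetcYW38tW0xzQpKjvQQRlb2Yp9q4pswdVesJCIKfiRgo6nKZIod22osx\r\n0B1eXY0DlLysnQ8NQkYcM94NeJYJUOO2B8Hl+GBJpy/N4isQaCL6c7s8q+Gd/SQAjFfr8VjQrgWq\r\nTbwgvhUDunikdcqAwfJZBhpOej3oOf3GgEcmpAsQaw0A8r3wE2FCDD52weIlSarjvHOifpHUIbUk\r\nU4564d78u7cW+diiAhKNQCZTEmukiyFlmv3RbA==",
"dev.sigstore.cosign/certificate":"-----BEGIN CERTIFICATE-----\nMIIEWjCCA0KgAwIBAgIUalwY9QSFIWt2+DP9R5bwTZ71SQUwDQYJKoZIhvcNAQEL\nBQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSUwIwYJ\nKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29tMB4XDTIyMTExNzA2NDIw\nM1oXDTI1MDIxOTA2NDIwM1owfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4w\nDAYDVQQHDAVub2lkYTEOMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoG\nA1UEAwwDTkNEMSUwIwYJKoZIhvcNAQkBFhZtdWt1bC5zaGFybWFAbm9raWEuY29t\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq8LSBp7llnTCPXplnS2W\nBLzW/92hVawMuCpZeWHmIW6XeKkBnrQhPR3EQ1zgUJxrltUsxP45LwcZcUedUg06\ne/KHrqIyoWIv1CHFTND4N0z8qBrSAGaQwWDQw82Av26eTi5NiGe3ToRpLG1Ic4ib\n63l/SFLtdChdwfgicM/JmCj5ekFw9Lp0nC0X84TWThPVAvFkEF86WeAGNg0Zdtzs\ni/zcTypAOTDhdqJwNtr87ajo5iKRIh/wjxzirjjW3zSzzv6kwcRMv4ndYb1N0auW\nj9hCDx5ADKSZwM6khy9Ve+BvfvEBohaCzbtYtyxrWXMMAdPlsjYDc2u8Pwaw+pAL\nVQIDAQABo4HRMIHOMIGgBgNVHSMEgZgwgZWhfaR7MHkxCzAJBgNVBAYTAklOMQsw\nCQYDVQQIDAJVUDEOMAwGA1UEBwwFbm9pZGExDjAMBgNVBAoMBW5va2lhMQwwCgYD\nVQQLDANDTlMxDDAKBgNVBAMMA05DRDEhMB8GCSqGSIb3DQEJARYSbXVrdWwuc2hh\ncm1hQG5va2lhghRl+/SDGAklhZqyvmACldrfggAA6DAJBgNVHRMEAjAAMAsGA1Ud\nDwQEAwIE8DARBgNVHREECjAIggZsZWFmQ0EwDQYJKoZIhvcNAQELBQADggEBAFui\nwuM3BqbOKjr/UrvXBKppKWPFBcB/oIo2NfaSrL5HdDyBLVlNFL7Z/p+9VWE3Tb8k\nZaEEKghazJQnWIsh0UfPLyZ62fI+00ulVwBC3N5kS0avnmvXGXhRuSLKUWr2cFi+\nVwxx8/rjgKZ0WdnvZnVtHQB20KCIr6ksVJit0izIj2/hBuZ8DUI2k4YfR5JAM/BZ\ntTb8jgEvfX+9Q+0HZ/ZTOPWZszvtRq7brsBJfrkulA7WEfXHYAA6G4A7hsyxsqbz\nQetrZZklKSz5igxwxI9cbxaf9x7mAD0U4WY2EHRLZokE+qpKxCb3veO9X2RFzbOu\nB3ZlZ7xhkqYB2vHjk2c=\n-----END CERTIFICATE-----\n",
"dev.sigstore.cosign/chain":"-----BEGIN CERTIFICATE-----\nMIID0DCCArigAwIBAgIUZfv0gxgJJYWasr5gApXa34IAAOgwDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDYzODUxWhcN\nMjUwMjE5MDYzODUxWjB9MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxJTAjBgkqhkiG9w0BCQEWFm11a3VsLnNoYXJtYUBub2tpYS5jb20wggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpEjqBA0y2rb6GAkAAHC/dn/3Z\nEfvTMwhyk1pVnT1HCayTMI6d0+aXvvSFRAKm7ciJXEeSrsKERgGGyUEMF6/rvsom\nLCjDH8sgz74wJn4LOOORJV9y2dilUlUTu9HQ7I1fIV7YCrpvjxEzm7ct0Pwbfw4C\nUmYB/1eIPHZhJJFkAg4AJws/Be/2Wj01qT2QYdTFYec1q9JcqspLxmL8PWe88CBp\ndwlE62yWLiW3zscPqKpELC2wc3LM5K/+rki8NCFtAX1lx5U3WOvI9PqHj88mBet3\nbRezYbSQaqfIqJSZGUlgRWr6sqp3iRl8CqFF/nGl3MVbJvyDnPYuE+fiNorPAgMB\nAAGjTDBKMB8GA1UdIwQYMBaAFLmBxLrvwbbAiLHxEaNai3sS7d15MAwGA1UdEwQF\nMAMBAf8wGQYDVR0RBBIwEIIOaW50ZXJtZWRpYXRlQ0EwDQYJKoZIhvcNAQELBQAD\nggEBAGwnXydEWXyF4yN+9sFc8nB9lyTtRG+7mqd6TwAXc7/K0igojnLtDRGTJZyt\ne1PV9az/FPRjYBqajQgHlyqQ0A9h0emueHg+m255w6mOd6i/uVGTxfEEDBnVDq8m\nff1w7LJUOjRafQvsXHL5mleOdm9SSVOESv8F6zWlE/2utqoOIdoTg9g0goxJYT/e\nn8Gq0cpH0hU/FUr78v8GTBOwaT2i5Wn7c6u2nh3gGUA/A/3G86/oAPIzjSKdficr\nQTytfdvwRELbSp70qNi8c4zHqwat65mCH2tiUdJE3guXSHV0/JYsZkxBT/R4zhGz\n2itq2p3qLmcxj+YguGUCLLL0K1c=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIURrUdHZJMzykRUM9hDeLrLtyVxU8wDQYJKoZIhvcNAQEL\nBQAweTELMAkGA1UEBhMCSU4xCzAJBgNVBAgMAlVQMQ4wDAYDVQQHDAVub2lkYTEO\nMAwGA1UECgwFbm9raWExDDAKBgNVBAsMA0NOUzEMMAoGA1UEAwwDTkNEMSEwHwYJ\nKoZIhvcNAQkBFhJtdWt1bC5zaGFybWFAbm9raWEwHhcNMjIxMTE3MDU1NDA4WhcN\nMjcxMTE2MDU1NDA4WjB5MQswCQYDVQQGEwJJTjELMAkGA1UECAwCVVAxDjAMBgNV\nBAcMBW5vaWRhMQ4wDAYDVQQKDAVub2tpYTEMMAoGA1UECwwDQ05TMQwwCgYDVQQD\nDANOQ0QxITAfBgkqhkiG9w0BCQEWEm11a3VsLnNoYXJtYUBub2tpYTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwDtQ+CxpZmF4ruWWFMDHxJH564ZRYa\nMEtJOahJZ0lFTfNEqutRA0+NLZPPoc3jEX3b2k89VlDRir7o853NHLm/AtDsvekf\nof+qhw4BtrMstMQoom24fLld2XbcgAo8DwAYNQMUFKfNjZvJONEQgrcasEueLJn5\nwPDgLWr4sgx5gnsEONME6yumzgAPvff0lfJ8/A5k8VmTmJz8uLuKNxYRHb3o5cKf\nyFVaGAf7wCxEn8Jg5SRThyeG2uk0IFsX5L9BhJgfqeveNQh3WiynHYLqZJ3FACRn\ndc3gUio94Ec1UjZA1BKszNx89zUAf6KzrLkvx95IvUauq3habGKEz3cCAwEAAaNT\nMFEwHQYDVR0OBBYEFLmBxLrvwbbAiLHxEaNai3sS7d15MB8GA1UdIwQYMBaAFLmB\nxLrvwbbAiLHxEaNai3sS7d15MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAMAoOL59+1x3GpU8PyIgjY3iyviaLOtdlA8wbCT21nP0fjGS2RNhsq5I\nYyPRf6w3WLTmgkXI7P3LpM9fYanBzSFrPNB6x0pNmaokgAEKxqKqqfUfgSYTtg95\n+5bdd9/ZQw210KGiD6AZf87Xp6x3U9n+uvSlg5CaIU2O2iOypj7az5EBSVyoBvIE\nuZHz+sHoShFU4iPZ6iuzS+r7P23b9Bl5gMR60ujSHUew0NLsZpBYdYkAERsScwrc\nX7Gh2duwSKgjSK0uh4G3sbKKqmZLj4aJGvyZI4iNIcePCKAJwJWlCkZrWhai33+A\nFuOC9rk2pAYN49IXN7EpNhgIvCp4O0A=\n-----END CERTIFICATE-----\n"}}]}`

// verifyTime is the date of the test above (an assumption of this example); all three
// certificates were inside their validity windows then.
var verifyTime = time.Date(2023, 2, 17, 0, 0, 0, 0, time.UTC)

// parsePEMCerts reads one or more concatenated CERTIFICATE blocks; the chain annotation holds two.
func parsePEMCerts(data string) ([]*x509.Certificate, error) {
	var der []byte
	for rest := []byte(data); ; {
		block, more := pem.Decode(rest)
		if block == nil {
			break
		}
		der, rest = append(der, block.Bytes...), more
	}
	if len(der) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return x509.ParseCertificates(der)
}

// ExtractAttachment pulls the signature, leaf certificate and chain off the simplesigning
// layer, i.e. the three annotations the enhanced attach command writes.
func ExtractAttachment(manifestJSON string) ([]byte, *x509.Certificate, []*x509.Certificate, error) {
	var m struct {
		Layers []struct {
			MediaType   string            `json:"mediaType"`
			Annotations map[string]string `json:"annotations"`
		} `json:"layers"`
	}
	if err := json.Unmarshal([]byte(manifestJSON), &m); err != nil {
		return nil, nil, nil, err
	}
	for _, l := range m.Layers {
		if l.MediaType != "application/vnd.dev.cosign.simplesigning.v1+json" {
			continue
		}
		// The CA handed back CRLF-wrapped base64; Go's decoder skips \r and \n, so no cleanup is needed.
		sig, err := base64.StdEncoding.DecodeString(l.Annotations["dev.cosignproject.cosign/signature"])
		if err != nil || len(sig) == 0 {
			return nil, nil, nil, fmt.Errorf("signature annotation missing or malformed: %v", err)
		}
		leaf, err := parsePEMCerts(l.Annotations["dev.sigstore.cosign/certificate"])
		if err != nil || len(leaf) != 1 {
			return nil, nil, nil, fmt.Errorf("certificate annotation must hold exactly one cert (%v)", err)
		}
		chain, err := parsePEMCerts(l.Annotations["dev.sigstore.cosign/chain"])
		if err != nil {
			return nil, nil, nil, fmt.Errorf("chain annotation: %w", err)
		}
		return sig, leaf[0], chain, nil
	}
	return nil, nil, nil, fmt.Errorf("manifest has no simplesigning layer")
}

// VerifyChain checks leaf -> chain -> root. The root is the verifier's own trust anchor (the
// SIGSTORE_ROOT_FILE above); nil means "no trusted root" and must fail. The attached chain is
// only ever used as intermediates, never as a source of trust.
func VerifyChain(leaf *x509.Certificate, chain []*x509.Certificate, root *x509.Certificate, at time.Time) ([]*x509.Certificate, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	if root != nil {
		roots.AddCert(root)
	}
	for _, c := range chain {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	sig, leaf, chain, err := ExtractAttachment(manifestJSON)
	if err != nil {
		panic(err)
	}
	// Stand-in for the out-of-band root: in this manifest the chain's last entry is the
	// self-signed root. A real verifier must never take its root from the attachment.
	verified, err := VerifyChain(leaf, chain, chain[len(chain)-1], verifyTime)
	fmt.Printf("signature %d bytes, verified path of %d certs, err=%v\n", len(sig), len(verified), err)
	_, err = VerifyChain(leaf, chain, nil, verifyTime)
	fmt.Println("with an empty trust store:", err)
}
```

The payload layer itself is not part of the manifest, so the signature over it is not checked here; the enhanced `verify` command performs that step after the certificate path has been accepted. Running the path check at a date after the leaf's notAfter also fails, which is the expected behaviour for a private-PKI setup with no transparency log to anchor the signing time.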

@haydentherapper
Contributor

It looks like you need to run make docgen again, and a few files need to be linted with gofmt -s and goimports.

@Mukuls77
Contributor Author

It looks like you need to run make docgen again, and a few files need to be linted with gofmt -s and goimports.
Thanks for the suggestion. Can you please help: in which folder do I need to execute the command 'make docgen'? Also, for which files do I need to execute 'gofmt -s' and goimports, as these files are not listed in the error message?

@haydentherapper
Contributor

Run docgen from the root. You should be able to format all files, or just format the one you've modified. You can also run golangci-lint locally.

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
@Mukuls77
Contributor Author

Thanks for the suggestion. I have fixed both the issues:

  1. Executed make docgen; the file changed was
    doc/cosign_attach_signature.md
  2. Fixed the gofmt lint issue in the Go files I have modified in this PR:
    cmd/cosign/cli/attach/sig.go
    cmd/cosign/cli/options/attach.go
    test/e2e_test.go

@haydentherapper
Contributor

A few more lint failures then we should be good!

@Mukuls77
Contributor Author

I executed the exact golangci-lint command used in the workflows on my local setup
/c/Users/musharma/cosign>golangci-lint run --out-format=github-actions --timeout=5m
/c/Users/musharma/cosign>

and here I am not getting any error. In the CI test result, lint is also not showing the file name for which the gofmt check is failing, so it is difficult to resolve this error. Can you please guide?

@Mukuls77
Contributor Author

Can you please retest the CI test cases?

@Mukuls77
Contributor Author

Hayden B, can you please review the pull request, as now all the CI tests are successful. Thanks.

Contributor

@haydentherapper haydentherapper left a comment

Looks good, just a small comment about cleaning up the readme!

test/testdata/README.md
Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
@Mukuls77
Contributor Author

I have fixed the format issue in the Readme.md file. Can you please check?

Contributor

@haydentherapper haydentherapper left a comment

@znewman01 can you take a look for merging

@znewman01 znewman01 merged commit f1743a2 into sigstore:main Feb 17, 2023
@github-actions github-actions bot added this to the v1.14.0 milestone Feb 17, 2023
dmitris pushed a commit to dmitris/cosign that referenced this pull request Mar 24, 2023
sigstore#2602)

* Written end-to-end test case for cosign attach command

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* file contains cert chain for e2e attach test

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* file contains leaf cert for e2e attach test

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* file contains private key of leaf cert for e2e attach test

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* file contains root cert for e2e attach test

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* Added instruction for generating certificates for e2e attach test script

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* updated arguments of attach.SignatureCmd() function to include cert and cert chain

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* removed trailing white spaces

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* removed trailing white spaces

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* Added support for attaching cert and cert chain in attach command

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* executed make docgen to generate the file

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* Resolved gofmt lint error

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

* corrected the display format to be used for commands

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>

---------

Signed-off-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
Co-authored-by: Mukul Sharma (Nokia) <mukul.sharma@nokia.com>
@Mukuls77 Mukuls77 deleted the mukuls77-branch branch May 23, 2023 10:35
5 participants