From 939fbff01ecc377fbb4cbc280f3032989b9a426f Mon Sep 17 00:00:00 2001
From: Aditya Sirish
Date: Fri, 21 Apr 2023 15:47:35 +0200
Subject: [PATCH] Add --verify to sign subcommand
Signed-off-by: Aditya Sirish
---
 cmd/sign.go | 21 +++++++++++++++++++--
 doc/in-toto_sign.md | 3 ++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/cmd/sign.go b/cmd/sign.go
index 49f94811..2e5e4ca2 100644
--- a/cmd/sign.go
+++ b/cmd/sign.go
@@ -9,6 +9,7 @@ import (
 var (
 outputPath string
+ verifyFile bool
 )
 var signCmd = &cobra.Command{
@@ -26,7 +27,7 @@ func init() {
 "output",
 "o",
 "",
- `Path to store metadata file to be signed`,
+ `Path to store metadata file after signing`,
 )
 signCmd.Flags().StringVarP(
@@ -47,9 +48,15 @@ root layout's signature(s). Passing exactly one key using
 '--key' is required.`,
 )
+ signCmd.Flags().BoolVar(
+ &verifyFile,
+ "verify",
+ false,
+ "Verify signature of signed file",
+ )
+
 signCmd.MarkFlagRequired("file")
 signCmd.MarkFlagRequired("key")
- signCmd.MarkFlagRequired("output")
 }
 func sign(cmd *cobra.Command, args []string) error {
@@ -64,6 +71,16 @@ func sign(cmd *cobra.Command, args []string) error {
 return fmt.Errorf("invalid key at %s: %w", keyPath, err)
 }
+ if verifyFile {
+ if err := layoutMb.VerifySignature(key); err != nil {
+ return fmt.Errorf("signature verification failed: %w", err)
+ }
+ return nil
+ }
+
+ if len(outputPath) == 0 {
+ outputPath = layoutPath
+ }
 layoutMb.Sign(key)
 layoutMb.Dump(outputPath)
diff --git a/doc/in-toto_sign.md b/doc/in-toto_sign.md
index 9f906362..b198c9bd 100644
--- a/doc/in-toto_sign.md
+++ b/doc/in-toto_sign.md
@@ -18,7 +18,8 @@ in-toto sign [flags]
 -k, --key string Path to PEM formatted private key used to sign the passed
 root layout's signature(s). Passing exactly one key using
 '--key' is required.
- -o, --output string Path to store metadata file to be signed
+ -o, --output string Path to store metadata file after signing
+ --verify Verify signature of signed file
 ```
 ### SEE ALSO
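Review bot: The help string for the new `--verify` flag in init() does not say which key the check uses or that no signing takes place, while the `--key` help shown as context just above it still describes a private key used to sign. Verification needs only the public half of the key, so the text should say that; whether the key loader accepts a public-key PEM is outside this hunk and worth confirming. Suggested wording: `"Verify the file's signature with the key passed via --key instead of signing"`. Because `--output` is silently ignored when `--verify` is set, consider rejecting the combination, for example with `signCmd.MarkFlagsMutuallyExclusive("verify", "output")` if the cobra version in use provides it. init() starts above this hunk.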
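Review bot: With `--output` now optional, the fallback `outputPath = layoutPath` in sign() makes overwriting the input file the default, yet the `layoutMb.Sign(key)` and `layoutMb.Dump(outputPath)` calls that follow discard their results. If they return errors the way `VerifySignature` does (their signatures are not visible here), a failed signing step would still be followed by a write over the original layout, and the command would report success. Both calls should be checked, and Dump skipped when Sign fails, as in the excerpt below. A passing `--verify` also establishes only that the signature made with the supplied key is valid, not that the key is trusted or that other signatures on the file hold, which deserves a comment on that branch. sign() starts above and continues below this hunk.

```go
	// … unchanged: --verify branch and outputPath default …
	if err := layoutMb.Sign(key); err != nil {
		return fmt.Errorf("signing %s: %w", layoutPath, err)
	}
	// Write only after signing succeeded; outputPath may be the input file itself.
	if err := layoutMb.Dump(outputPath); err != nil {
		return fmt.Errorf("writing %s: %w", outputPath, err)
	}
```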