Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: resolve --cert from URL #1245

Merged
merged 1 commit into from
Dec 22, 2021
Merged

feat: resolve --cert from URL #1245

merged 1 commit into from
Dec 22, 2021

Conversation

caarlos0
Copy link
Contributor

@caarlos0 caarlos0 commented Dec 22, 2021
edited
Loading

Summary

verify and verify-blob's --cert param should accept an URL as well, so we can verify without previously downloading files, e.g.:

cosign verify-blob \
  --cert https://github.com/goreleaser/supply-chain-example/releases/download/v1.0.0/checksums.txt.pem \
  --signature https://github.com/goreleaser/supply-chain-example/releases/download/v1.0.0/checksums.txt.sig \
  https://github.com/goreleaser/supply-chain-example/releases/download/v1.0.0/checksums.txt

Ticket Link

https://github.com/gythialy/golang-cross/pull/67/files#r774120479

Release Note

verify and verify-blob resolve --cert from URL

@caarlos0
feat: resolve --cert from URL
bb016fa 
Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
@caarlos0 caarlos0 mentioned this pull request Dec 22, 2021
Closed
developer-guy
developer-guy approved these changes Dec 22, 2021
View reviewed changes
Copy link
Member

@developer-guy developer-guy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dlorenc
Copy link
Member

dlorenc commented Dec 22, 2021

This is safe IMO - the cert itself is signed by fulcio and must be in a transparency log, so the location of it can be untrusted.

@dlorenc dlorenc merged commit 7e5abbf into sigstore:main Dec 22, 2021
@github-actions github-actions bot added this to the v1.5.0 milestone Dec 22, 2021
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jan 25, 2022
@bmwiedemann
Update cosign to version 1.5.0 / rev 2 via SR 949015
779bc4c 
https://build.opensuse.org/request/show/949015
by user msmeissn + dimstar_suse
- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (sigstore/cosign#1261)
  * feat: log error to stderr (sigstore/cosign#1260)
  * feat: support attach attestation (sigstore/cosign#1253)
  * feat: resolve --cert from URL (sigstore/cosign#1245)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1237)
  * feat: vuln attest support (sigstore/cosign#1168)
  * feat: add ambient credential detection with spiffe/spire (sigstore/cosign#1220)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1236)
  * feat: implement cosign download attestation (https
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@developer-guy developer-guy developer-guy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@caarlos0 @dlorenc @developer-guy