diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go
index 425a7c60a0a..61edb47d48b 100644
--- a/cmd/cosign/cli/options/registry.go
+++ b/cmd/cosign/cli/options/registry.go
@@ -44,6 +44,7 @@ type RegistryOptions struct {
 KubernetesKeychain bool
 RefOpts ReferenceOptions
 Keychain Keychain
+ AuthConfig authn.AuthConfig
 // RegistryClientOpts allows overriding the result of GetRegistryClientOpts.
 RegistryClientOpts []remote.Option
@@ -62,6 +63,15 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.KubernetesKeychain, "k8s-keychain", false, "whether to use the kubernetes keychain instead of the default keychain (supports workload identity).")
+ cmd.Flags().StringVar(&o.AuthConfig.Username, "registry-username", "",
+ "registry basic auth username")
+
+ cmd.Flags().StringVar(&o.AuthConfig.Password, "registry-password", "",
+ "registry basic auth password")
+
+ cmd.Flags().StringVar(&o.AuthConfig.RegistryToken, "registry-token", "",
+ "registry bearer auth token")
+
 o.RefOpts.AddFlags(cmd)
 }
@@ -113,6 +123,10 @@ func (o *RegistryOptions) GetRegistryClientOpts(ctx context.Context) []remote.Op
 github.Keychain,
 )
 opts = append(opts, remote.WithAuthFromKeychain(kc))
+ case o.AuthConfig.Username != "" && o.AuthConfig.Password != "":
+ opts = append(opts, remote.WithAuth(&authn.Basic{Username: o.AuthConfig.Username, Password: o.AuthConfig.Password}))
+ case o.AuthConfig.RegistryToken != "":
+ opts = append(opts, remote.WithAuth(&authn.Bearer{Token: o.AuthConfig.RegistryToken}))
 default:
 opts = append(opts, remote.WithAuthFromKeychain(authn.DefaultKeychain))
 }
diff --git a/doc/cosign_attach_attestation.md b/doc/cosign_attach_attestation.md
index ced29990a94..8498ed21370 100644
--- a/doc/cosign_attach_attestation.md
+++ b/doc/cosign_attach_attestation.md
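Review bot: The new exported field `AuthConfig` on `RegistryOptions` has no doc comment, while the neighbouring `RegistryClientOpts` field does, and because it carries a password and a bearer token a reader should be told what fills it and how it ranks against the keychain fields above it. Suggested: `// AuthConfig holds static registry credentials supplied via --registry-username/--registry-password/--registry-token; see GetRegistryClientOpts for how they are ordered against the keychain options.` The RegistryOptions struct starts and ends outside the hunk.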
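Review bot: `--registry-password` and `--registry-token` take secrets as plain command-line arguments, which leaves them readable in the process list of every local user, in shell history and in CI job logs, and the flag help says nothing about it. At minimum the help strings should steer users toward a credential helper or keychain for anything long-lived, e.g. `"registry basic auth password (visible in the process list and shell history; prefer a credential helper or keychain where possible)"`. The three flags also declare no relationship, so a username without a password parses cleanly and, judging by the third hunk, is then ignored; cobra's `cmd.MarkFlagsRequiredTogether("registry-username", "registry-password")` and `cmd.MarkFlagsMutuallyExclusive("registry-password", "registry-token")` would reject the inconsistent combinations at parse time, where an error can still be returned. AddFlags begins outside the hunk.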
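Review bot: The two new `case` arms are placed after at least one keychain arm (the visible one ends with `remote.WithAuthFromKeychain(kc)`), so explicitly supplied `--registry-username/--registry-password` or `--registry-token` values are silently discarded whenever an earlier keychain case matches, and a lone username or password falls through to `authn.DefaultKeychain` with no diagnostic; the function returns only `[]remote.Option`, so neither condition can be reported here. Either move the explicit-credential arms to the top of the switch so that user-supplied credentials take precedence over ambient keychains, or enforce the allowed flag combinations at parse time in AddFlags. If the vendored authn package provides it, `remote.WithAuth(authn.FromConfig(o.AuthConfig))` would also replace the two hand-built arms with the library's own precedence across every AuthConfig field. The switch and GetRegistryClientOpts begin and end outside the hunk.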
@@ -29,6 +29,9 @@ cosign attach attestation [flags]
 --attestation stringArray path to the attestation envelope
 -h, --help help for attestation
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_attach_sbom.md b/doc/cosign_attach_sbom.md
index 47d3362e7cc..07948123883 100644
--- a/doc/cosign_attach_sbom.md
+++ b/doc/cosign_attach_sbom.md
@@ -27,7 +27,10 @@ cosign attach sbom [flags]
 -h, --help help for sbom
 --input-format string type of sbom input format (json|xml|text)
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
 --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --sbom string path to the sbom, or {-} for stdin
 --type string type of sbom (spdx|cyclonedx|syft) (default "spdx")
 ```
diff --git a/doc/cosign_attach_signature.md b/doc/cosign_attach_signature.md
index 4a354b3fd40..704825d59e7 100644
--- a/doc/cosign_attach_signature.md
+++ b/doc/cosign_attach_signature.md
@@ -23,6 +23,9 @@ cosign attach signature [flags]
 -h, --help help for signature
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --payload string path to the payload covered by the signature
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-response string path to the rekor bundle
 --signature string path to the signature, or {-} for stdin
 --tsr string path to the Time Stamped Signature Response from RFC3161 compliant TSA
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index a613bcf5401..515748b4a99 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -62,6 +62,9 @@ cosign attest [flags]
 --oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --predicate string path to the predicate file.
 -r, --recursive if a multi-arch image is specified, additionally sign each discrete image
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --replace
 --sk whether to use a hardware security key
diff --git a/doc/cosign_clean.md b/doc/cosign_clean.md
index 75f618bd799..bbefe406d2d 100644
--- a/doc/cosign_clean.md
+++ b/doc/cosign_clean.md
@@ -21,6 +21,9 @@ cosign clean [flags]
 -f, --force do not prompt for confirmation
 -h, --help help for clean
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --type CLEAN_TYPE a type of clean: (sbom is deprecated) (default all)
 ```
diff --git a/doc/cosign_copy.md b/doc/cosign_copy.md
index 9cfd71dae34..bd5ba29d80e 100644
--- a/doc/cosign_copy.md
+++ b/doc/cosign_copy.md
@@ -38,6 +38,9 @@ cosign copy [flags]
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --only string custom string array to only copy specific items, this flag is comma delimited. ex: --only=sbom,sign,att
 --platform string only copy container image and its signatures for a specific platform image
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --sig-only [DEPRECATED] only copy the image signature
 ```
diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
index cbf56dd61ee..9effe918abc 100644
--- a/doc/cosign_dockerfile_verify.md
+++ b/doc/cosign_dockerfile_verify.md
@@ -78,6 +78,9 @@ cosign dockerfile verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
diff --git a/doc/cosign_download_attestation.md b/doc/cosign_download_attestation.md
index 8f046b0eab2..c1e8a656d9d 100644
--- a/doc/cosign_download_attestation.md
+++ b/doc/cosign_download_attestation.md
@@ -22,6 +22,9 @@ cosign download attestation [flags]
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --platform string download attestation for a specific platform image
 --predicate-type string download attestation with matching predicateType
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_download_sbom.md b/doc/cosign_download_sbom.md
index d8862ae80cb..77bbaa8c2cf 100644
--- a/doc/cosign_download_sbom.md
+++ b/doc/cosign_download_sbom.md
@@ -27,6 +27,9 @@ cosign download sbom [flags]
 -h, --help help for sbom
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
 --platform string download SBOM for a specific platform image
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_download_signature.md b/doc/cosign_download_signature.md
index ec377718f26..fc830089c4f 100644
--- a/doc/cosign_download_signature.md
+++ b/doc/cosign_download_signature.md
@@ -20,6 +20,9 @@ cosign download signature [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 -h, --help help for signature
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_generate.md b/doc/cosign_generate.md
index 1d800592e0d..34b55f1daac 100644
--- a/doc/cosign_generate.md
+++ b/doc/cosign_generate.md
@@ -36,6 +36,9 @@ cosign generate [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 -h, --help help for generate
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_load.md b/doc/cosign_load.md
index a69f90be675..8051c461413 100644
--- a/doc/cosign_load.md
+++ b/doc/cosign_load.md
@@ -25,6 +25,9 @@ cosign load [flags]
 --dir string path to directory where the signed image is stored on disk
 -h, --help help for load
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
index 346d24fb727..c99332ae1f9 100644
--- a/doc/cosign_manifest_verify.md
+++ b/doc/cosign_manifest_verify.md
@@ -72,6 +72,9 @@ cosign manifest verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 803537b6ac0..a6cf4885536 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -94,7 +94,10 @@ cosign sign [flags]
 --output-signature string write the signature to FILE
 --payload string path to a payload file to use rather than generating one
 -r, --recursive if a multi-arch image is specified, additionally sign each discrete image
+ --registry-password string registry basic auth password
 --registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sign-container-identity string manually set the .critical.docker-reference field for the signed identity, which is useful when image proxies are being used where the pull reference should match the signature
 --sk whether to use a hardware security key
diff --git a/doc/cosign_tree.md b/doc/cosign_tree.md
index b726ab8496b..6af48f1290b 100644
--- a/doc/cosign_tree.md
+++ b/doc/cosign_tree.md
@@ -20,6 +20,9 @@ cosign tree [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 -h, --help help for tree
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_triangulate.md b/doc/cosign_triangulate.md
index 9e5acf5a25b..1f8e36874bc 100644
--- a/doc/cosign_triangulate.md
+++ b/doc/cosign_triangulate.md
@@ -20,6 +20,9 @@ cosign triangulate [flags]
 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
 -h, --help help for triangulate
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --type string related attachment to triangulate (attestation|sbom|signature|digest), default signature (sbom is deprecated) (default "signature")
 ```
diff --git a/doc/cosign_upload_blob.md b/doc/cosign_upload_blob.md
index 9161ad591b5..0688d525624 100644
--- a/doc/cosign_upload_blob.md
+++ b/doc/cosign_upload_blob.md
@@ -41,6 +41,9 @@ cosign upload blob [flags]
 -f, --files strings :[platform/arch]
 -h, --help help for blob
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_upload_wasm.md b/doc/cosign_upload_wasm.md
index 843faef4187..da99e0a8f96 100644
--- a/doc/cosign_upload_wasm.md
+++ b/doc/cosign_upload_wasm.md
@@ -21,6 +21,9 @@ cosign upload wasm [flags]
 -f, --file string path to the wasm file to upload
 -h, --help help for wasm
 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 ```
 ### Options inherited from parent commands
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
index e42262b45b5..7eca755162d 100644
--- a/doc/cosign_verify-attestation.md
+++ b/doc/cosign_verify-attestation.md
@@ -82,6 +82,9 @@ cosign verify-attestation [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --policy strings specify CUE or Rego files will be using for validation
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --sk whether to use a hardware security key
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
index 3265fb56ccb..1477ec1abb8 100644
--- a/doc/cosign_verify.md
+++ b/doc/cosign_verify.md
@@ -95,6 +95,9 @@ cosign verify [flags]
 --offline only allow offline verification
 -o, --output string output format for the signing image information (json|text) (default "json")
 --payload string payload path or remote URL
+ --registry-password string registry basic auth password
+ --registry-token string registry bearer auth token
+ --registry-username string registry basic auth username
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
 --signature string signature content or path or remote URL