sigs.k8s.io/release-sdk@v0.11.1-0.20240417074027-8061fb5e4952/sign/options.go

sigs.k8s.io/release-sdk@v0.11.1-0.20240417074027-8061fb5e4952/sign/options.go (about)

     1  /*
     2  Copyright 2022 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package sign
    18  
    19  import (
    20  	"context"
    21  	"errors"
    22  	"time"
    23  
    24  	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
    25  	"github.com/sigstore/cosign/v2/pkg/cosign"
    26  	"github.com/sirupsen/logrus"
    27  )
    28  
    29  // Options can be used to modify the behavior of the signer.
    30  type Options struct {
    31  	// Logger is the custom logger to be used for message printing.
    32  	Logger *logrus.Logger
    33  
    34  	// Verbose can be used to enable a higher log verbosity
    35  	Verbose bool
    36  
    37  	// Timeout is the default timeout for network operations.
    38  	// Defaults to 3 minutes
    39  	Timeout time.Duration
    40  
    41  	AllowInsecure bool
    42  
    43  	// AttachSignature tells the signer to attach or not the new
    44  	// signature to its image
    45  	AttachSignature bool
    46  
    47  	OutputSignaturePath   string
    48  	OutputCertificatePath string
    49  	Annotations           []string
    50  	PrivateKeyPath        string
    51  	PublicKeyPath         string
    52  	IgnoreSCT             bool
    53  	IgnoreTlog            bool
    54  	CertIdentity          string
    55  	CertIdentityRegexp    string
    56  	CertOidcIssuer        string
    57  	CertOidcIssuerRegexp  string
    58  
    59  	// Identity token for keyless signing
    60  	IdentityToken string
    61  
    62  	// EnableTokenProviders tells signer to try to get a
    63  	// token from the cosign providers when needed.
    64  	EnableTokenProviders bool
    65  
    66  	// PassFunc is a function that returns a slice of bytes that will be used
    67  	// as a password for decrypting the cosign key. It is used only if PrivateKeyPath
    68  	// is provided (i.e. it's not used for keyless signing).
    69  	// Defaults to nil, which acts as having no password provided at all.
    70  	PassFunc cosign.PassFunc
    71  
    72  	// MaxRetries indicates the number of times to retry operations
    73  	// when transient failures occur
    74  	MaxRetries uint
    75  
    76  	// The amount of maximum workers for parallel executions.
    77  	// Defaults to 100.
    78  	MaxWorkers uint
    79  
    80  	// CacheTimeout is the timeout for the internal caches.
    81  	// Defaults to 2 hours.
    82  	CacheTimeout time.Duration
    83  
    84  	// MaxCacheItems is the maximumg amount of items the internal caches can hold.
    85  	// Defaults to 10000.
    86  	MaxCacheItems uint64
    87  
    88  	// If a multi-arch image is specified, additionally sign each discrete image.
    89  	// Defaults to false.
    90  	Recursive bool
    91  
    92  	// SignContainerIdentity can be used to manually set the
    93  	// .critical.docker-reference field for the signed identity, which is
    94  	// useful when image proxies are being used where the pull reference should
    95  	// match the signature
    96  	SignContainerIdentity string
    97  }
    98  
    99  // Default returns a default Options instance.
   100  func Default() *Options {
   101  	return &Options{
   102  		Logger:               logrus.StandardLogger(),
   103  		Timeout:              3 * time.Minute,
   104  		EnableTokenProviders: true,
   105  		AttachSignature:      true,
   106  		MaxRetries:           3,
   107  		MaxWorkers:           100,
   108  		CacheTimeout:         2 * time.Hour,
   109  		MaxCacheItems:        10000,
   110  		CertIdentityRegexp:   "(prow-build@k8s-infra-prow-build.iam.gserviceaccount.com)|((krel-trust|krel-staging)@k8s-releng-prod.iam.gserviceaccount.com)",
   111  		CertOidcIssuer:       "https://accounts.google.com",
   112  	}
   113  }
   114  
   115  func (o *Options) ToCosignRootOptions() options.RootOptions {
   116  	return options.RootOptions{
   117  		Timeout: o.Timeout,
   118  	}
   119  }
   120  
   121  // verifySignOptions checks that options have the minimum settings
   122  // for signing files or images:
   123  func (o *Options) verifySignOptions() error {
   124  	// Our library is not designed to run in interactive mode
   125  	// this means that we will only support signing if we get a keypair or
   126  	// identity token to run keyless signing:
   127  	if o.PrivateKeyPath != "" && o.IdentityToken == "" && !o.EnableTokenProviders {
   128  		return errors.New("signing can only be done if a key or identity token are set")
   129  	}
   130  
   131  	// Ensure that the private key file exists
   132  	i := defaultImpl{}
   133  	if o.PrivateKeyPath != "" && !i.FileExists(o.PrivateKeyPath) {
   134  		return errors.New("specified private key file not found")
   135  	}
   136  	return nil
   137  }
   138  
   139  // context creates a new context with the timeout set within the options.
   140  func (o *Options) context() (context.Context, context.CancelFunc) {
   141  	return context.WithTimeout(context.Background(), o.Timeout)
   142  }