From 33da3c372c44c986383b52dfe6a739563f0b9c8c Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Wed, 2 Apr 2025 17:43:59 +0200
Subject: [PATCH 01/11] cmd/cosign: add --signing-algorithm flag
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/options/key.go | 4 ++++
 cmd/cosign/cli/options/signblob.go | 12 ++++++++++++
 cmd/cosign/cli/sign/sign.go | 23 ++++++++++++++++++-----
 cmd/cosign/cli/signblob.go | 1 +
 pkg/cosign/keys.go | 25 +++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 5 deletions(-)
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
index bf8d78b77b1..80f00528411 100644
--- a/cmd/cosign/cli/options/key.go
+++ b/cmd/cosign/cli/options/key.go
@@ -72,4 +72,8 @@ type KeyOpts struct {
 // By default, Ed25519ph is used for ed25519 keys and RSA-PKCS1v15 is used
 // for RSA keys.
 DefaultLoadOptions *[]signature.LoadOption
+
+ // SigningAlgorithm is the AlgorithmDetails string representation used to
+ // sign/hash the payload.
+ SigningAlgorithm string
 }
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
index e1ad98089dd..ce846a8144a 100644
--- a/cmd/cosign/cli/options/signblob.go
+++ b/cmd/cosign/cli/options/signblob.go
@@ -16,6 +16,12 @@ package options
 import (
+ "fmt"
+ "strings"
+
+ "github.com/sigstore/cosign/v2/pkg/cosign"
+ v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ "github.com/sigstore/sigstore/pkg/signature"
 "github.com/spf13/cobra"
 )
@@ -43,6 +49,7 @@ type SignBlobOptions struct {
 TSAServerURL string
 RFC3161TimestampPath string
 IssueCertificate bool
+ SigningAlgorithm string
 UseSigningConfig bool
 SigningConfigPath string
@@ -127,4 +134,9 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false, "issue a code signing certificate from Fulcio, even if a key is provided")
+
+ keyAlgorithmTypes := cosign.GetSupportedAlgorithms()
+ keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+ defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+ cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
 }
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index f3a2c31cc5a..35eba578029 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -18,7 +18,6 @@ package sign
 import (
 "bytes"
 "context"
- "crypto"
 "crypto/x509"
 "encoding/base64"
 "encoding/json"
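Review bot: The error from `signature.FormatSignatureAlgorithmFlag` is discarded on the `defaultKeyFlag, _ :=` line, so if it ever fails the flag is registered with an empty default and the failure only surfaces at sign time as the unrelated `parsing signature algorithm` error from signerFromNewKey. Either handle it — a fixed constant that cannot be formatted is a programmer error, so failing loudly at registration is acceptable — or justify the blank identifier: `defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256) // argument is a fixed, known PublicKeyDetails value`. The same default is hard-coded again in sign.go later in this series; one shared constant would keep the flag default, the help text and the fallback from drifting. AddFlags' body starts outside the hunk.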
@@ -603,12 +602,26 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 return certSigner, nil
 }
-func signerFromNewKey() (*SignerVerifier, error) {
- privKey, err := cosign.GeneratePrivateKey()
+func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+ keyDetails, err := signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
+ if err != nil {
+ return nil, fmt.Errorf("parsing signature algorithm: %w", err)
+ }
+ algo, err := signature.GetAlgorithmDetails(keyDetails)
+ if err != nil {
+ return nil, fmt.Errorf("getting algorithm details: %w", err)
+ }
+
+ privKey, err := cosign.GeneratePrivateKeyWithAlgorithm(&algo)
 if err != nil {
 return nil, fmt.Errorf("generating cert: %w", err)
 }
- sv, err := signature.LoadECDSASignerVerifier(privKey, crypto.SHA256)
+
+ if defaultLoadOptions == nil {
+ // Cosign uses ED25519ph by default for ED25519 keys
+ defaultLoadOptions = &[]signature.LoadOption{signatureoptions.WithED25519ph()}
+ }
+ sv, err := signature.LoadSignerVerifierFromAlgorithmDetails(privKey, algo, *defaultLoadOptions...)
 if err != nil {
 return nil, err
 }
@@ -680,7 +693,7 @@ func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath strin
 default:
 genKey = true
 ui.Infof(ctx, "Generating ephemeral keys...")
- sv, err = signerFromNewKey()
+ sv, err = signerFromNewKey(ko.SigningAlgorithm, ko.DefaultLoadOptions)
 }
 if err != nil {
 return nil, err
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index 90b886fef2b..23362777537 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -99,6 +99,7 @@ func SignBlob() *cobra.Command {
 TSAServerURL: o.TSAServerURL,
 RFC3161TimestampPath: o.RFC3161TimestampPath,
 IssueCertificateForExistingKey: o.IssueCertificate,
+ SigningAlgorithm: o.SigningAlgorithm,
 }
 if (o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "" {
 if o.TrustedRootPath != "" {
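Review bot: `signerFromNewKey` builds a signer for any value that `signature.ParseSignatureAlgorithmFlag` understands, not only the entries of `cosign.SupportedKeyDetails` that the help text advertises; the list is enforced only in sign-blob's PersistentPreRunE (patch 05), and patch 09 later drops ed25519-ph from it because Fulcio does not support it, yet this function would still generate such a key when reached through another caller of SignerFromKeyOpts. Check the parsed value against the list right after parsing: `if !slices.Contains(cosign.SupportedKeyDetails, keyDetails) { return nil, fmt.Errorf("unsupported signing algorithm %q", signingAlgorithm) }` (a loop if go.mod predates 1.21). The surviving `generating cert: %w` message now wraps a key-generation error; `generating private key: %w` describes it. signerFromNewKey's body continues outside the hunk.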
diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go
index 29d498b6a4a..02b74702c2d 100644
--- a/pkg/cosign/keys.go
+++ b/pkg/cosign/keys.go
@@ -28,6 +28,7 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "sort"
 "github.com/secure-systems-lab/go-securesystemslib/encrypted"
 "github.com/sigstore/cosign/v2/pkg/oci/static"
@@ -50,6 +51,16 @@ const (
 RFC3161TimestampKey = static.RFC3161TimestampAnnotationKey
 )
+var SupportedKeyDetails = []v1.PublicKeyDetails{
+ v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256,
+ v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384,
+ v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512,
+ v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
+ v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
+ v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256,
+ v1.PublicKeyDetails_PKIX_ED25519_PH,
+}
+
 // PassFunc is the function to be called to retrieve the signer password. If
 // nil, then it assumes that no password is provided.
 type PassFunc func(bool) ([]byte, error)
@@ -297,3 +308,17 @@ func GetDefaultLoadOptions(defaultLoadOptions *[]signature.LoadOption) *[]signat
 }
 return defaultLoadOptions
 }
+
+// GetSupportedAlgorithms returns a list of supported algorithms sorted alphabetically.
+func GetSupportedAlgorithms() []string {
+ algorithms := make([]string, 0, len(SupportedKeyDetails))
+ for _, algorithm := range SupportedKeyDetails {
+ signatureFlag, err := signature.FormatSignatureAlgorithmFlag(algorithm)
+ if err != nil {
+ continue
+ }
+ algorithms = append(algorithms, signatureFlag)
+ }
+ sort.Strings(algorithms)
+ return algorithms
+}
From f6a5beb74d009234f5993c4915b4d6372ac739ec Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Tue, 8 Apr 2025 08:25:44 +0000
Subject: [PATCH 02/11] fix getHashFunction to use signingAlgorithm
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/sign/sign_blob.go | 33 ++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)
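Review bot: `SupportedKeyDetails` is an exported package-level variable without a doc comment, and as a mutable slice any importer can append to or reorder it, which would silently widen what `GetSupportedAlgorithms` advertises and what sign-blob accepts. Document it and state the contract, e.g. `// SupportedKeyDetails lists the algorithms an ephemeral signing key may be generated with. Treat it as read-only.`, or hide it behind an accessor that returns a clone. In the GetSupportedAlgorithms hunk on this line the `continue` drops an entry that `FormatSignatureAlgorithmFlag` cannot render without any trace, so the help text and the list could disagree unnoticed; a comment making the skip deliberate — `// skip rather than fail flag registration; an unrenderable entry is a programming error` — or failing loudly would make the intent clear.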
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index b3d8103cdda..885510bd7f1 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -133,7 +133,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 }
 defer sv.Close()
- hashFunction, err := getHashFunction(sv, ko.DefaultLoadOptions)
+ hashFunction, err := getHashFunction(sv, ko)
 if err != nil {
 return nil, err
 }
@@ -342,18 +342,31 @@ func extractCertificate(ctx context.Context, sv *SignerVerifier) ([]byte, error)
 return nil, nil
 }
-func getHashFunction(sv *SignerVerifier, defaultLoadOptions *[]signature.LoadOption) (crypto.Hash, error) {
- pubKey, err := sv.PublicKey()
- if err != nil {
- return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err)
- }
+func getHashFunction(sv *SignerVerifier, ko options.KeyOpts) (crypto.Hash, error) {
+ if ko.Sk || ko.KeyRef != "" {
+ pubKey, err := sv.PublicKey()
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err)
+ }
+
+ defaultLoadOptions := cosign.GetDefaultLoadOptions(ko.DefaultLoadOptions)
- defaultLoadOptions = cosign.GetDefaultLoadOptions(defaultLoadOptions)
+ // TODO: Ideally the SignerVerifier should have a method to get the hash function
+ algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...)
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err)
+ }
+ return algo.GetHashType(), nil
+ }
- // TODO: Ideally the SignerVerifier should have a method to get the hash function
- algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...)
+ // New key was generated, using the signing algorithm specified by the user
+ keyDetails, err := signature.ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
+ if err != nil {
+ return crypto.Hash(0), fmt.Errorf("parsing signature algorithm: %w", err)
+ }
+ algo, err := signature.GetAlgorithmDetails(keyDetails)
 if err != nil {
- return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err)
+ return crypto.Hash(0), fmt.Errorf("getting algorithm details: %w", err)
 }
 return algo.GetHashType(), nil
 }
From f5a6c54b2894c41ea33ee8220e1f069c52a7039a Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Tue, 8 Apr 2025 10:08:45 +0000
Subject: [PATCH 03/11] cmd/cosign: set default ko.SigningAlgorithm
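Review bot: The `ko.Sk || ko.KeyRef != ""` test at the top of getHashFunction re-derives the key-source decision that SignerFromKeyOpts (sign.go) makes when it picks signerFromKeyRef or signerFromNewKey; if the two conditions ever diverge, the payload is digested with a hash the signer is not bound to, and the resulting signature will not verify against the algorithm recorded for the key. The hash for a generated key is also taken from the flag string rather than from the signer, so the flag is parsed twice (here and in signerFromNewKey). The TODO already names the remedy: have signerFromNewKey record the `crypto.Hash` (or the AlgorithmDetails) on the SignerVerifier it returns, so getHashFunction reads it from `sv` in both branches. Until then, make the coupling explicit above the condition: `// Must mirror the key-source cases in SignerFromKeyOpts: an ephemeral key is generated only when neither --sk nor --key is given.`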
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/sign/sign_blob.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index 885510bd7f1..4a8035ae783 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -40,6 +40,7 @@ import (
 cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -66,6 +67,13 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout)
 defer cancel()
+ if ko.SigningAlgorithm == "" {
+ ko.SigningAlgorithm, err = signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+ if err != nil {
+ return nil, fmt.Errorf("formatting signature algorithm: %w", err)
+ }
+ }
+
 shouldUpload, err := ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
 if err != nil {
 return nil, fmt.Errorf("upload to tlog: %w", err)
From 417daab425f5b02df571190e72bb71efac055e7d Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Tue, 8 Apr 2025 15:48:48 +0000
Subject: [PATCH 04/11] cmd/cosign: set default ko.SigningAlgorithm 2
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/sign/sign.go | 8 ++++++++
 cmd/cosign/cli/sign/sign_blob.go | 8 --------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 35eba578029..86ebcb0c3ba 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -55,6 +55,7 @@ import (
 "github.com/sigstore/cosign/v2/pkg/oci/walk"
 sigs "github.com/sigstore/cosign/v2/pkg/signature"
 "github.com/sigstore/cosign/v2/pkg/types"
+ pb_go_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 "github.com/sigstore/sigstore/pkg/signature"
@@ -603,6 +604,13 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 }
 func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+ if signingAlgorithm == "" {
+ var err error
+ signingAlgorithm, err = signature.FormatSignatureAlgorithmFlag(pb_go_v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
+ if err != nil {
+ return nil, fmt.Errorf("formatting signature algorithm: %w", err)
+ }
+ }
 keyDetails, err := signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
 if err != nil {
 return nil, fmt.Errorf("parsing signature algorithm: %w", err)
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index 4a8035ae783..885510bd7f1 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -40,7 +40,6 @@ import (
 cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
- v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/sigstore-go/pkg/sign"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
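Review bot: The default ECDSA P-256/SHA-256 algorithm is now hard-coded in two places — the `signingAlgorithm == ""` fallback added to signerFromNewKey here and the `defaultKeyFlag` default in options/signblob.go AddFlags (patch 01) — and patch 11 keeps both when it moves this fallback into ParseSignatureAlgorithmFlag. A single exported constant next to `SupportedKeyDetails` in pkg/cosign, e.g. `DefaultSigningAlgorithm = v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256`, referenced from both sites, keeps the flag default and the fallback from drifting. The import alias `pb_go_v1` in the first hunk on this line uses underscores; sign_blob.go in the same series already aliases the same package as `protocommon`, which follows Go naming and keeps the two files consistent. signerFromNewKey's body continues outside the hunk.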
@@ -67,13 +66,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout)
 defer cancel()
- if ko.SigningAlgorithm == "" {
- ko.SigningAlgorithm, err = signature.FormatSignatureAlgorithmFlag(v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
- if err != nil {
- return nil, fmt.Errorf("formatting signature algorithm: %w", err)
- }
- }
-
 shouldUpload, err := ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
 if err != nil {
 return nil, fmt.Errorf("upload to tlog: %w", err)
From f29d57eb88c338fee4df03d7c72722d13370dca1 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Wed, 3 Sep 2025 11:05:48 +0200
Subject: [PATCH 05/11] Validate signing-algorithm immediately
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/signblob.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index 23362777537..df20f8d2459 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -19,6 +19,7 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
 "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
@@ -66,6 +67,21 @@ func SignBlob() *cobra.Command {
 if options.NOf(o.Key, o.SecurityKey.Use) > 1 {
 return &options.KeyParseError{}
 }
+
+ // Check if the algorithm is in the list of supported algorithms
+ supportedAlgorithms := cosign.GetSupportedAlgorithms()
+ isValid := false
+ for _, algo := range supportedAlgorithms {
+ if algo == o.SigningAlgorithm {
+ isValid = true
+ break
+ }
+ }
+ if !isValid {
+ return fmt.Errorf("invalid signing algorithm: %s. Supported algorithms are: %s",
+ o.SigningAlgorithm, strings.Join(supportedAlgorithms, ", "))
+ }
+
 return nil
 },
 RunE: func(_ *cobra.Command, args []string) error {
From 5dc9d5edb201953ee08175dc8186e09381cc9354 Mon Sep 17 00:00:00 2001
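Review bot: The new check accepts `--signing-algorithm` together with `--key` or `--sk`, although in that case the flag has no effect: signerFromKeyRef does not take it, and getHashFunction (sign_blob.go) consults `ko.SigningAlgorithm` only when neither is set, so a user who asks for one algorithm while supplying a key silently gets the key's own algorithm. Because the flag always carries a default, an explicit value is distinguished with `cmd.Flags().Changed("signing-algorithm")` (if the PersistentPreRunE closure binds its command parameter, which is outside the hunk), and the combination should be rejected or at least warned about. As a matter of style, the loop reduces to `if !slices.Contains(supportedAlgorithms, o.SigningAlgorithm) {` on Go 1.21+, and the user-supplied value in the error message is better printed with `%q` than `%s`. The enclosing SignBlob function and the closure both start outside the hunk.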
From: Riccardo Schirone
Date: Wed, 3 Sep 2025 11:14:55 +0200
Subject: [PATCH 06/11] Use GetDefaultLoadOptions function
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/sign/sign.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 86ebcb0c3ba..d039f21ec8f 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -625,10 +625,7 @@ func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.L
 return nil, fmt.Errorf("generating cert: %w", err)
 }
- if defaultLoadOptions == nil {
- // Cosign uses ED25519ph by default for ED25519 keys
- defaultLoadOptions = &[]signature.LoadOption{signatureoptions.WithED25519ph()}
- }
+ defaultLoadOptions = cosign.GetDefaultLoadOptions(defaultLoadOptions)
 sv, err := signature.LoadSignerVerifierFromAlgorithmDetails(privKey, algo, *defaultLoadOptions...)
 if err != nil {
 return nil, err
From ff27b5e28e63003131f936c0ce98129a6e67e2df Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Wed, 3 Sep 2025 11:26:37 +0200
Subject: [PATCH 07/11] Update documentation
Signed-off-by: Riccardo Schirone
---
 doc/cosign_sign-blob.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 7078de609c6..87d29eec1a1 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -57,6 +57,7 @@ cosign sign-blob [flags]
 --output-signature string write the signature to FILE
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp string write the RFC3161 timestamp to a file
+ --signing-algorithm string signing algorithm to use for signing/hashing (allowed ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, ed25519-ph, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256) (default "ecdsa-sha2-256-nistp256")
 --signing-config string path to a signing config file. Must provide --bundle, which will output verification material in the new format
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
From b9ed0da7fa0da2cb617f1b57466c492fb27699df Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Mon, 29 Sep 2025 16:23:56 +0200
Subject: [PATCH 08/11] use v3
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/options/signblob.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
index 2f621aa76c7..54122beb584 100644
--- a/cmd/cosign/cli/options/signblob.go
+++ b/cmd/cosign/cli/options/signblob.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "strings"
- "github.com/sigstore/cosign/v2/pkg/cosign"
+ "github.com/sigstore/cosign/v3/pkg/cosign"
 v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/sigstore/pkg/signature"
 "github.com/spf13/cobra"
From 8c6d5fb999b915570241e4380a798497f1188dfd Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Mon, 29 Sep 2025 16:26:45 +0200
Subject: [PATCH 09/11] Disable ed25519ph
Signed-off-by: Riccardo Schirone
---
 pkg/cosign/keys.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go
index b2bb5286879..8c299af1c01 100644
--- a/pkg/cosign/keys.go
+++ b/pkg/cosign/keys.go
@@ -58,7 +58,8 @@ var SupportedKeyDetails = []v1.PublicKeyDetails{
 v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
 v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
 v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256,
- v1.PublicKeyDetails_PKIX_ED25519_PH,
+ // Ed25519ph is not supported by Fulcio, so we don't support it here for now.
+ // v1.PublicKeyDetails_PKIX_ED25519_PH,
 }
 // PassFunc is the function to be called to retrieve the signer password. If
From 6626ad074ba993cead0f6064207f15f364a46df3 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Mon, 29 Sep 2025 16:50:39 +0200
Subject: [PATCH 10/11] Fix doc
Signed-off-by: Riccardo Schirone
---
 doc/cosign_sign-blob.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 489d252f8d0..561ea86204e 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
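Review bot: Leaving the ed25519-ph entry commented out rather than deleted keeps dead code in an exported list; git history already records the old entry, and the explanatory comment alone is enough. The comment could also say what the removal does and does not cover: it presumably only disables generating an ephemeral key with this flag, while ed25519 keys supplied via --key still receive the ED25519ph load option from GetDefaultLoadOptions (whose body is outside this series), e.g. `// Ed25519ph is not supported by Fulcio, so ephemeral keys cannot be generated with it for now. Keys supplied via --key are not affected — confirm against GetDefaultLoadOptions.` Note that signerFromNewKey (sign.go) does not consult this list, so the restriction holds only where GetSupportedAlgorithms is checked.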
@@ -57,7 +57,7 @@ cosign sign-blob [flags]
 --output-signature string write the signature to FILE
 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
 --rfc3161-timestamp string write the RFC3161 timestamp to a file
- --signing-algorithm string signing algorithm to use for signing/hashing (allowed ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, ed25519-ph, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256) (default "ecdsa-sha2-256-nistp256")
+ --signing-algorithm string signing algorithm to use for signing/hashing (allowed ecdsa-sha2-256-nistp256, ecdsa-sha2-384-nistp384, ecdsa-sha2-512-nistp521, rsa-sign-pkcs1-2048-sha256, rsa-sign-pkcs1-3072-sha256, rsa-sign-pkcs1-4096-sha256) (default "ecdsa-sha2-256-nistp256")
 --signing-config string path to a signing config file. Must provide --bundle, which will output verification material in the new format
 --sk whether to use a hardware security key
 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
From cf35b2340dc3ff228c7465433fda910967c055f4 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone
Date: Tue, 30 Sep 2025 11:40:19 +0000
Subject: [PATCH 11/11] Fix getHashAlgorithm to have a default value for SigningAlgorithm
Signed-off-by: Riccardo Schirone
---
 cmd/cosign/cli/sign/sign.go | 10 +++++++---
 cmd/cosign/cli/sign/sign_blob.go | 2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
index 63faa9b4a7f..bfe7530d1f3 100644
--- a/cmd/cosign/cli/sign/sign.go
+++ b/cmd/cosign/cli/sign/sign.go
@@ -688,15 +688,19 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 return certSigner, nil
 }
-func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+func ParseSignatureAlgorithmFlag(signingAlgorithm string) (pb_go_v1.PublicKeyDetails, error) {
 if signingAlgorithm == "" {
 var err error
 signingAlgorithm, err = signature.FormatSignatureAlgorithmFlag(pb_go_v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256)
 if err != nil {
- return nil, fmt.Errorf("formatting signature algorithm: %w", err)
+ return pb_go_v1.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED, fmt.Errorf("formatting signature algorithm: %w", err)
 }
 }
- keyDetails, err := signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
+ return signature.ParseSignatureAlgorithmFlag(signingAlgorithm)
+}
+
+func signerFromNewKey(signingAlgorithm string, defaultLoadOptions *[]signature.LoadOption) (*SignerVerifier, error) {
+ keyDetails, err := ParseSignatureAlgorithmFlag(signingAlgorithm)
 if err != nil {
 return nil, fmt.Errorf("parsing signature algorithm: %w", err)
 }
diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go
index 394f6c414d6..c07acecbc47 100644
--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -387,7 +387,7 @@ func getHashFunction(sv *SignerVerifier, ko options.KeyOpts) (crypto.Hash, error
 }
 // New key was generated, using the signing algorithm specified by the user
- keyDetails, err := signature.ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
+ keyDetails, err := ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
 if err != nil {
 return crypto.Hash(0), fmt.Errorf("parsing signature algorithm: %w", err)
 }
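Review bot: `ParseSignatureAlgorithmFlag` is exported without a doc comment and carries the same name as the `signature.ParseSignatureAlgorithmFlag` it wraps, so at the call site in the sign_blob.go hunk on this line a reader cannot tell without checking imports which one runs or that an empty value is accepted. Either keep it unexported under a distinct name, e.g. `parseSigningAlgorithmOrDefault`, or document it: `// ParseSignatureAlgorithmFlag parses a --signing-algorithm value; an empty string selects ECDSA P-256 with SHA-256.` Both callers still wrap its result as `parsing signature algorithm: %w`, so a failure in the default branch reads `parsing signature algorithm: formatting signature algorithm: …`; returning the formatting error without its own prefix, or using one message, avoids the doubled context. signerFromNewKey's body continues outside the hunk.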