sigstore · haydentherapper · Oct 10, 2025 · Oct 13, 2025
@@ -22,10 +22,7 @@ import (
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v3/internal/ui"
-	"github.com/sigstore/cosign/v3/pkg/cosign"
-	"github.com/sigstore/cosign/v3/pkg/cosign/env"
-	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 	"github.com/spf13/cobra"
 )
 
@@ -102,45 +99,10 @@ func Attest() *cobra.Command {
 				IssueCertificateForExistingKey: o.IssueCertificate,
 				NewBundleFormat:                o.NewBundleFormat,
 			}
-			// If a signing config is used, then service URLs cannot be specified
-			if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-				((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-					(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-					(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-					o.TSAServerURL != "") {
-				return fmt.Errorf("cannot specify service URLs and use signing config")
-			}
-			// Signing config requires a bundle as output for verification materials since sigstore-go is used
-			if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
-				return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
-			}
-			// Fetch a trusted root when:
-			// * requesting a certificate and no CT log key is provided to verify an SCT
-			// * using a signing config and signing using sigstore-go
-			if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-				(o.UseSigningConfig || o.SigningConfigPath != "") {
-				if o.TrustedRootPath != "" {
-					ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-					if err != nil {
-						return fmt.Errorf("loading trusted root: %w", err)
-					}
-				} else {
-					ko.TrustedMaterial, err = cosign.TrustedRoot()
-					if err != nil {
-						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-					}
-				}
-			}
-			if o.SigningConfigPath != "" {
-				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-				if err != nil {
-					return fmt.Errorf("error reading signing config from file: %w", err)
-				}
-			} else if o.UseSigningConfig {
-				ko.SigningConfig, err = cosign.SigningConfig()
-				if err != nil {
-					return fmt.Errorf("error getting signing config from TUF: %w", err)
-				}
+			if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+				o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+				o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil {
+				return err
 			}
 
 			attestCommand := attest.AttestCommand{

@@ -16,15 +16,11 @@ package cli
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/attest"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
-	"github.com/sigstore/cosign/v3/internal/ui"
-	"github.com/sigstore/cosign/v3/pkg/cosign"
-	"github.com/sigstore/cosign/v3/pkg/cosign/env"
-	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 	"github.com/spf13/cobra"
 )
 
@@ -90,45 +86,10 @@ func AttestBlob() *cobra.Command {
 				BundlePath:                     o.BundlePath,
 				NewBundleFormat:                o.NewBundleFormat,
 			}
-			// If a signing config is used, then service URLs cannot be specified
-			if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-				((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-					(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-					(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-					o.TSAServerURL != "") {
-				return fmt.Errorf("cannot specify service URLs and use signing config")
-			}
-			// Signing config requires a bundle as output for verification materials since sigstore-go is used
-			if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
-				return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
-			}
-			// Fetch a trusted root when:
-			// * requesting a certificate and no CT log key is provided to verify an SCT
-			// * using a signing config and signing using sigstore-go
-			if (o.Key == "" && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-				(o.UseSigningConfig || o.SigningConfigPath != "") {
-				if o.TrustedRootPath != "" {
-					ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-					if err != nil {
-						return fmt.Errorf("loading trusted root: %w", err)
-					}
-				} else {
-					ko.TrustedMaterial, err = cosign.TrustedRoot()
-					if err != nil {
-						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-					}
-				}
-			}
-			if o.SigningConfigPath != "" {
-				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-				if err != nil {
-					return fmt.Errorf("error reading signing config from file: %w", err)
-				}
-			} else if o.UseSigningConfig {
-				ko.SigningConfig, err = cosign.SigningConfig()
-				if err != nil {
-					return fmt.Errorf("error getting signing config from TUF: %w", err)
-				}
+			if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+				o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+				o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil {
+				return err
 			}
 
 			v := attest.AttestBlobCommand{

@@ -87,6 +87,7 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true,
 		"whether or not to upload to the tlog")
+	_ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services")
 
 	cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", rekorEntryTypes[0],
 		"specifies the type to be used for a rekor entry upload ("+strings.Join(rekorEntryTypes, "|")+")")

@@ -121,6 +121,7 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true,
 		"whether or not to upload to the tlog")
+	_ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services")
 
 	cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", rekorEntryTypes[0],
 		"specifies the type to be used for a rekor entry upload ("+strings.Join(rekorEntryTypes, "|")+")")

@@ -113,6 +113,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true,
 		"whether or not to upload to the tlog")
+	_ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services")
 
 	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
 		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")

@@ -100,6 +100,7 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().BoolVar(&o.TlogUpload, "tlog-upload", true,
 		"whether or not to upload to the tlog")
+	_ = cmd.Flags().MarkDeprecated("tlog-upload", "prefer using a --signing-config file with no transparency log services")
 
 	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
 		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")

@@ -23,10 +23,7 @@ import (
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/v3/internal/ui"
-	"github.com/sigstore/cosign/v3/pkg/cosign"
-	"github.com/sigstore/cosign/v3/pkg/cosign/env"
-	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 	"github.com/spf13/cobra"
 )
 
@@ -132,45 +129,10 @@ race conditions or (worse) malicious tampering.
 				TSAServerURL:                   o.TSAServerURL,
 				IssueCertificateForExistingKey: o.IssueCertificate,
 			}
-			// If a signing config is used, then service URLs cannot be specified
-			if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-				((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-					(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-					(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-					o.TSAServerURL != "") {
-				return fmt.Errorf("cannot specify service URLs and use signing config")
-			}
-			// Signing config requires a bundle as output for verification materials since sigstore-go is used
-			if (o.UseSigningConfig || o.SigningConfigPath != "") && !o.NewBundleFormat {
-				return fmt.Errorf("must provide --new-bundle-format with --signing-config or --use-signing-config")
-			}
-			// Fetch a trusted root when:
-			// * requesting a certificate and no CT log key is provided to verify an SCT
-			// * using a signing config and signing using sigstore-go
-			if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-				(o.UseSigningConfig || o.SigningConfigPath != "") {
-				if o.TrustedRootPath != "" {
-					ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-					if err != nil {
-						return fmt.Errorf("loading trusted root: %w", err)
-					}
-				} else {
-					ko.TrustedMaterial, err = cosign.TrustedRoot()
-					if err != nil {
-						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-					}
-				}
-			}
-			if o.SigningConfigPath != "" {
-				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-				if err != nil {
-					return fmt.Errorf("error reading signing config from file: %w", err)
-				}
-			} else if o.UseSigningConfig {
-				ko.SigningConfig, err = cosign.SigningConfig()
-				if err != nil {
-					return fmt.Errorf("error getting signing config from TUF: %w", err)
-				}
+			if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+				o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+				o.NewBundleFormat, "", o.Key, o.IssueCertificate); err != nil {
+				return err
 			}
 
 			if err := sign.SignCmd(ro, ko, *o, args); err != nil {

@@ -23,10 +23,7 @@ import (
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/sign"
-	"github.com/sigstore/cosign/v3/internal/ui"
-	"github.com/sigstore/cosign/v3/pkg/cosign"
-	"github.com/sigstore/cosign/v3/pkg/cosign/env"
-	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/cosign/v3/cmd/cosign/cli/signcommon"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -100,45 +97,10 @@ func SignBlob() *cobra.Command {
 				RFC3161TimestampPath:           o.RFC3161TimestampPath,
 				IssueCertificateForExistingKey: o.IssueCertificate,
 			}
-			// If a signing config is used, then service URLs cannot be specified
-			if (o.UseSigningConfig || o.SigningConfigPath != "") &&
-				((o.Rekor.URL != "" && o.Rekor.URL != options.DefaultRekorURL) ||
-					(o.Fulcio.URL != "" && o.Fulcio.URL != options.DefaultFulcioURL) ||
-					(o.OIDC.Issuer != "" && o.OIDC.Issuer != options.DefaultOIDCIssuerURL) ||
-					o.TSAServerURL != "") {
-				return fmt.Errorf("cannot specify service URLs and use signing config")
-			}
-			// Signing config requires a bundle as output for verification materials since sigstore-go is used
-			if (o.UseSigningConfig || o.SigningConfigPath != "") && o.BundlePath == "" {
-				return fmt.Errorf("must provide --bundle with --signing-config or --use-signing-config")
-			}
-			// Fetch a trusted root when:
-			// * requesting a certificate and no CT log key is provided to verify an SCT
-			// * using a signing config and signing using sigstore-go
-			if ((o.Key == "" || o.IssueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
-				(o.UseSigningConfig || o.SigningConfigPath != "") {
-				if o.TrustedRootPath != "" {
-					ko.TrustedMaterial, err = root.NewTrustedRootFromPath(o.TrustedRootPath)
-					if err != nil {
-						return fmt.Errorf("loading trusted root: %w", err)
-					}
-				} else {
-					ko.TrustedMaterial, err = cosign.TrustedRoot()
-					if err != nil {
-						ui.Warnf(context.Background(), "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
-					}
-				}
-			}
-			if o.SigningConfigPath != "" {
-				ko.SigningConfig, err = root.NewSigningConfigFromPath(o.SigningConfigPath)
-				if err != nil {
-					return fmt.Errorf("error reading signing config from file: %w", err)
-				}
-			} else if o.UseSigningConfig {
-				ko.SigningConfig, err = cosign.SigningConfig()
-				if err != nil {
-					return fmt.Errorf("error getting signing config from TUF: %w", err)
-				}
+			if err := signcommon.LoadTrustedMaterialAndSigningConfig(context.Background(), &ko, o.UseSigningConfig, o.SigningConfigPath,
+				o.Rekor.URL, o.Fulcio.URL, o.OIDC.Issuer, o.TSAServerURL, o.TrustedRootPath, o.TlogUpload,
+				o.NewBundleFormat, o.BundlePath, o.Key, o.IssueCertificate); err != nil {
+				return err
 			}
 
 			for _, blob := range args {

@@ -39,6 +39,7 @@ import (
 	"github.com/sigstore/cosign/v3/internal/ui"
 	"github.com/sigstore/cosign/v3/pkg/cosign"
 	cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/v3/pkg/cosign/env"
 	"github.com/sigstore/cosign/v3/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/v3/pkg/cosign/pkcs11key"
 	ociremote "github.com/sigstore/cosign/v3/pkg/oci/remote"
@@ -581,3 +582,54 @@ func ParseOCIReference(ctx context.Context, refStr string, opts ...name.Option)
 	}
 	return ref, nil
 }
+
+// LoadTrustedMaterialAndSigningConfig loads the trusted material and signing config from the given options.
+func LoadTrustedMaterialAndSigningConfig(ctx context.Context, ko *options.KeyOpts, useSigningConfig bool, signingConfigPath string,
+	rekorURL, fulcioURL, oidcIssuer, tsaServerURL, trustedRootPath string,
+	tlogUpload bool, newBundleFormat bool, bundlePath string, keyRef string, issueCertificate bool) error {
+	var err error
+	// If a signing config is used, then service URLs cannot be specified
+	if (useSigningConfig || signingConfigPath != "") &&
+		((rekorURL != "" && rekorURL != options.DefaultRekorURL) ||
+			(fulcioURL != "" && fulcioURL != options.DefaultFulcioURL) ||
+			(oidcIssuer != "" && oidcIssuer != options.DefaultOIDCIssuerURL) ||
+			tsaServerURL != "") {
+		return fmt.Errorf("cannot specify service URLs and use signing config")
+	}
+	if (useSigningConfig || signingConfigPath != "") && !tlogUpload {
+		return fmt.Errorf("--tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config without a transparency log service")
+	}
+	// Signing config requires a bundle as output for verification materials since sigstore-go is used
+	if (useSigningConfig || signingConfigPath != "") && !newBundleFormat && bundlePath == "" {
+		return fmt.Errorf("must provide --new-bundle-format or --bundle where applicable with --signing-config or --use-signing-config")
+	}
+	// Fetch a trusted root when:
+	// * requesting a certificate and no CT log key is provided to verify an SCT
+	// * using a signing config and signing using sigstore-go
+	if ((keyRef == "" || issueCertificate) && env.Getenv(env.VariableSigstoreCTLogPublicKeyFile) == "") ||
+		(useSigningConfig || signingConfigPath != "") {
+		if trustedRootPath != "" {
+			ko.TrustedMaterial, err = root.NewTrustedRootFromPath(trustedRootPath)
+			if err != nil {
+				return fmt.Errorf("loading trusted root: %w", err)
+			}
+		} else {
+			ko.TrustedMaterial, err = cosign.TrustedRoot()
+			if err != nil {
+				ui.Warnf(ctx, "Could not fetch trusted_root.json from the TUF repository. Continuing with individual targets. Error from TUF: %v", err)
+			}
+		}
+	}
+	if signingConfigPath != "" {
+		ko.SigningConfig, err = root.NewSigningConfigFromPath(signingConfigPath)
+		if err != nil {
+			return fmt.Errorf("error reading signing config from file: %w", err)
+		}
+	} else if useSigningConfig {
+		ko.SigningConfig, err = cosign.SigningConfig()
+		if err != nil {
+			return fmt.Errorf("error getting signing config from TUF: %w", err)
+		}
+	}
+	return nil
+}