diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go
index 13182b93d31..17d618b9338 100644
--- a/cmd/cosign/cli/attest.go
+++ b/cmd/cosign/cli/attest.go
@@ -76,6 +76,7 @@ func Attest() *cobra.Command {
 OIDCClientID: o.OIDC.ClientID,
 OIDCClientSecret: oidcClientSecret,
 OIDCRedirectURL: o.OIDC.RedirectURL,
+ OIDCProvider: o.OIDC.Provider,
 }
 for _, img := range args {
 if err := attest.AttestCmd(cmd.Context(), ko, o.Registry, img, o.Cert, o.CertChain, o.NoUpload,
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index 21f7530f21f..97263df8c24 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -124,9 +124,18 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 }
 idToken := ko.IDToken
+ var provider providers.Interface
 // If token is not set in the options, get one from the provders
 if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders {
- idToken, err = providers.Provide(ctx, "sigstore")
+ if ko.OIDCProvider != "" {
+ provider, err = providers.ProvideFrom(ctx, ko.OIDCProvider)
+ if err != nil {
+ return nil, fmt.Errorf("getting provider: %w", err)
+ }
+ idToken, err = provider.Provide(ctx, "sigstore")
+ } else {
+ idToken, err = providers.Provide(ctx, "sigstore")
+ }
 if err != nil {
 return nil, fmt.Errorf("fetching ambient OIDC credentials: %w", err)
 }
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
index 55edca28569..04e2892a38f 100644
--- a/cmd/cosign/cli/options/key.go
+++ b/cmd/cosign/cli/options/key.go
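Review bot: The `KeyOpts` literal here gains `OIDCProvider: o.OIDC.Provider` but, in the lines visible in this hunk, does not set `OIDCDisableProviders`, unlike the `Sign()` literal in sign.go which passes `OIDCDisableProviders: o.OIDC.DisableAmbientProviders`. If it is not set on a line outside the hunk, `--oidc-disable-ambient-providers` is a no-op for `cosign attest` and the `!ko.OIDCDisableProviders` guard in `NewSigner` is always true for it. Since this commit touches the literal anyway, adding `OIDCDisableProviders: o.OIDC.DisableAmbientProviders,` next to the new line keeps the keyless commands consistent. The enclosing `Attest()` function starts before the hunk, so the rest of the literal is not visible here.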
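Review bot: An explicit `--oidc-provider` is silently ignored whenever the outer guard fails, because `ko.OIDCProvider` is only consulted inside `if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders`; `--oidc-provider github --oidc-disable-ambient-providers`, or a named provider on a host where `providers.Enabled(ctx)` is false, leaves `idToken` empty and continues to whatever token acquisition follows this hunk rather than failing. For a flag whose purpose is to pin which identity the Fulcio certificate is issued for, that fallback is a silent change of identity source and should be an error. A check placed before the guard, `if ko.OIDCProvider != "" && ko.OIDCDisableProviders { return nil, fmt.Errorf("--oidc-provider cannot be combined with --oidc-disable-ambient-providers") }`, covers the flag conflict; the `providers.Enabled` case needs the same treatment, or a comment on the new branch stating that the named provider is best-effort. `NewSigner` begins before the hunk and continues after it, and how `providers.ProvideFrom` treats an unknown name is not visible here.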
@@ -29,7 +29,8 @@ type KeyOpts struct {
 OIDCClientID string
 OIDCClientSecret string
 OIDCRedirectURL string
- OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
+ OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
+ OIDCProvider string // Specify which OIDC credential provider to use for keyless signer
 BundlePath string
 // FulcioAuthFlow is the auth flow to use when authenticating against
 // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
index b5c87fb2158..71ae2abeada 100644
--- a/cmd/cosign/cli/options/oidc.go
+++ b/cmd/cosign/cli/options/oidc.go
@@ -32,6 +32,7 @@ type OIDCOptions struct {
 ClientID string
 clientSecretFile string
 RedirectURL string
+ Provider string
 DisableAmbientProviders bool
 }
@@ -67,6 +68,9 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "", "[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+ cmd.Flags().StringVar(&o.Provider, "oidc-provider", "", "[EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]")
+
 cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false, "[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }
diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
index a4ab3710891..bddb8844f44 100644
--- a/cmd/cosign/cli/policy_init.go
+++ b/cmd/cosign/cli/policy_init.go
@@ -188,6 +188,7 @@ func signPolicy() *cobra.Command {
 OIDCClientID: o.OIDC.ClientID,
 OIDCClientSecret: oidcClientSecret,
 OIDCRedirectURL: o.OIDC.RedirectURL,
+ OIDCProvider: o.OIDC.Provider,
 })
 if err != nil {
 return err
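Review bot: The comment on the new field, `// Specify which OIDC credential provider to use for keyless signer`, does not say what the zero value means or that the string must be a registered provider name, which is what `NewSigner` passes to `providers.ProvideFrom`. Something like `// OIDCProvider names the ambient OIDC credential provider to use for keyless signing; empty means try every enabled provider` matches the `--oidc-provider` help text in oidc.go and tells a caller of `KeyOpts` what to put there. The `KeyOpts` struct starts before the hunk.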
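Review bot: The value of the new `--oidc-provider` flag is never validated at parse time: the accepted names `[spiffe, google, github, filesystem]` exist only in this help string, so a typo is detected, if at all, inside `NewSigner` when `providers.ProvideFrom` runs, and the list will drift silently as providers are added or removed. The help also does not say how the flag interacts with `--oidc-disable-ambient-providers`, which in `NewSigner` takes precedence and turns `--oidc-provider` into a no-op. If the vendored cobra supports it, `cmd.MarkFlagsMutuallyExclusive("oidc-provider", "oidc-disable-ambient-providers")` after the two definitions expresses the conflict at parse time; otherwise the help text should state that an unknown provider name is an error and that `--oidc-disable-ambient-providers` wins. Whether the providers package exposes its registered names so the list could be generated instead of hardcoded is not visible here.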
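Review bot: As in attest.go, this `KeyOpts` literal wires `OIDCProvider` but, in the visible lines, not `OIDCDisableProviders`, whereas the `Sign()` literal in sign.go sets both; if the field is not set on a line outside the hunk, `--oidc-disable-ambient-providers` does nothing for `cosign policy sign`. Adding `OIDCDisableProviders: o.OIDC.DisableAmbientProviders,` alongside the new line would make the three call sites agree. The enclosing `signPolicy()` function starts before the hunk, so this is worth confirming against the full literal.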
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
index f9355b2891c..3eb14a7a866 100644
--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -96,6 +96,7 @@ func Sign() *cobra.Command {
 OIDCClientSecret: oidcClientSecret,
 OIDCRedirectURL: o.OIDC.RedirectURL,
 OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
+ OIDCProvider: o.OIDC.Provider,
 }
 annotationsMap, err := o.AnnotationsMap()
 if err != nil {
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index 53e266a4bc3..7d3d2b86514 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -55,6 +55,7 @@ cosign attest [flags]
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
 --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --predicate string path to the predicate file.
 -r, --recursive if a multi-arch image is specified, additionally sign each discrete image
diff --git a/doc/cosign_policy_sign.md b/doc/cosign_policy_sign.md
index 053b465a358..4e5f547a63f 100644
--- a/doc/cosign_policy_sign.md
+++ b/doc/cosign_policy_sign.md
@@ -27,6 +27,7 @@ cosign policy sign [flags]
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
 --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --out string output policy locally (default "o")
 --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index 9d98514e883..d462f89b0fc 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -47,6 +47,7 @@ cosign sign-blob [flags]
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
 --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output string write the signature to FILE
 --output-certificate string write the certificate to FILE
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 10ad09ad8af..47bdfef1ecf 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -72,6 +72,7 @@ cosign sign [flags]
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
 --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
+ --oidc-provider string [EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output-certificate string write the certificate to FILE
 --output-signature string write the signature to FILE