Move cosign download to cosign download signature. (#392)

This is in preparation for other attachment types, like SBOMs and attestations.

Signed-off-by: Dan Lorenc <[email protected]>

Author: dlorenc

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 * BREAKING: Move `cosign upload-blob` to `cosign upload blob`.
 * BREAKING: Move `cosign upload` to `cosign attach signature`.
+* BREAKING: Move `cosign download` to `cosign download signature`.
 
 ### Bug Fixes
 

EXAMPLES.md

@@ -14,7 +14,7 @@ $ cat gcpkms.sig | base64 | cosign attach signature -signature - us-central1-doc
 Now (on another machine) download the public key, payload, signatures and verify it!
 
 ```shell
-$ cosign download us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > signatures.json
+$ cosign download signature us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > signatures.json
 # There could be multiple signatures, let's pretend it's the last one.
 # Extract the payload and signature, base64 decoding them.
 $ cat signatures.json | tail -1 | jq -r .Payload | base64 -D > payload

USAGE.md

@@ -205,7 +205,7 @@ invalid or missing annotation in claim: map[sig:original]
 Each signature is printed to stdout in a json format:
 
 ```
-$ cosign download us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
+$ cosign download signature us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
 {"Base64Signature":"Ejy6ipGJjUzMDoQFePWixqPBYF0iSnIvpMWps3mlcYNSEcRRZelL7GzimKXaMjxfhy5bshNGvDT5QoUJ0tqUAg==","Payload":"eyJDcml0aWNhbCI6eyJJZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiIn0sIkltYWdlIjp7IkRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiI4N2VmNjBmNTU4YmFkNzliZWVhNjQyNWEzYjI4OTg5ZjAxZGQ0MTcxNjQxNTBhYjNiYWFiOThkY2JmMDRkZWY4In0sIlR5cGUiOiIifSwiT3B0aW9uYWwiOm51bGx9"}
 ```
 

cmd/cosign/cli/attach/sig.go

@@ -80,7 +80,7 @@ func SignatureCmd(ctx context.Context, sigRef, payloadRef, imageRef string) erro
 	repo := ref.Context()
 	img := repo.Digest(get.Digest.String())
 
-	sigRepo, err := cli.SignatureRepositoryForImage(ref)
+	sigRepo, err := cli.TargetRepositoryForImage(ref)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/clean.go

@@ -58,7 +58,7 @@ func CleanCmd(_ context.Context, imageRef string) error {
 		return err
 	}
 
-	sigRepo, err := SignatureRepositoryForImage(ref)
+	sigRepo, err := TargetRepositoryForImage(ref)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/copy.go

@@ -76,7 +76,7 @@ func CopyCmd(ctx context.Context, srcImg, dstImg string, sigOnly, force bool) er
 		return err
 	}
 
-	srcSigRepo, err := SignatureRepositoryForImage(srcRef)
+	srcSigRepo, err := TargetRepositoryForImage(srcRef)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/download/download.go

@@ -0,0 +1,40 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package download
+
+import (
+	"context"
+	"flag"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+func Download() *ffcli.Command {
+	var (
+		flagset = flag.NewFlagSet("cosign download", flag.ExitOnError)
+	)
+
+	return &ffcli.Command{
+		Name:        "download",
+		ShortUsage:  "cosign download",
+		ShortHelp:   "download contains tools to download artifacts and attached artifacts in a registry",
+		FlagSet:     flagset,
+		Subcommands: []*ffcli.Command{Signature()},
+		Exec: func(ctx context.Context, args []string) error {
+			return flag.ErrHelp
+		},
+	}
+}

cmd/cosign/cli/download.go renamed to cmd/cosign/cli/download/signature.go

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package cli
+package download
 
 import (
 	"context"
@@ -25,34 +25,34 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/peterbourgon/ff/v3/ffcli"
-
+	"github.com/sigstore/cosign/cmd/cosign/cli"
 	"github.com/sigstore/cosign/pkg/cosign"
 )
 
-func Download() *ffcli.Command {
+func Signature() *ffcli.Command {
 	var (
-		flagset = flag.NewFlagSet("cosign download", flag.ExitOnError)
+		flagset = flag.NewFlagSet("cosign download signature", flag.ExitOnError)
 	)
 	return &ffcli.Command{
-		Name:       "download",
-		ShortUsage: "cosign download <image uri>",
+		Name:       "signature",
+		ShortUsage: "cosign download signature <image uri>",
 		ShortHelp:  "Download signatures from the supplied container image",
 		FlagSet:    flagset,
 		Exec: func(ctx context.Context, args []string) error {
 			if len(args) != 1 {
 				return flag.ErrHelp
 			}
-			return DownloadCmd(ctx, args[0])
+			return SignatureCmd(ctx, args[0])
 		},
 	}
 }
 
-func DownloadCmd(ctx context.Context, imageRef string) error {
+func SignatureCmd(ctx context.Context, imageRef string) error {
 	ref, err := name.ParseReference(imageRef)
 	if err != nil {
 		return err
 	}
-	sigRepo, err := SignatureRepositoryForImage(ref)
+	sigRepo, err := cli.TargetRepositoryForImage(ref)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/sign.go

@@ -308,7 +308,7 @@ func SignCmd(ctx context.Context, so SignOpts,
 			continue
 		}
 
-		sigRepo, err := SignatureRepositoryForImage(ref)
+		sigRepo, err := TargetRepositoryForImage(ref)
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/triangulate.go

@@ -58,7 +58,7 @@ func MungeCmd(_ context.Context, imageRef string) error {
 		return err
 	}
 
-	sigRepo, err := SignatureRepositoryForImage(ref)
+	sigRepo, err := TargetRepositoryForImage(ref)
 	if err != nil {
 		return err
 	}