Add Rekor to e2e test

Make constant for cosign sign in-toto predicate
Update experimental OCI help string

Signed-off-by: Zach Steindler <[email protected]>

Author: steiza

cmd/cosign/cli/options/verify.go

@@ -54,7 +54,7 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"skip transparency log verification when verifying artifacts in a privately deployed infrastructure")
 
 	cmd.Flags().BoolVar(&o.ExperimentalOCI11, "experimental-oci11", false,
-		"set to true to enable experimental OCI 1.1 behaviour")
+		"set to true to enable experimental OCI 1.1 behaviour (unrelated to bundle format)")
 
 	cmd.Flags().IntVar(&o.MaxWorkers, "max-workers", cosign.DefaultMaxWorkers,
 		"the amount of maximum workers for parallel executions")

cmd/cosign/cli/sign/sign.go

@@ -239,12 +239,11 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 	subject := intotov1.ResourceDescriptor{
 		Digest: map[string]string{digestParts[0]: digestParts[1]},
 	}
-	predicateType := "https://sigstore.dev/cosign/sign/v1"
 
 	statement := &intotov1.Statement{
 		Type:          intotov1.StatementTypeUri,
 		Subject:       []*intotov1.ResourceDescriptor{&subject},
-		PredicateType: predicateType,
+		PredicateType: types.CosignSignPredicateType,
 	}
 
 	payload, err := protojson.Marshal(statement)
@@ -316,7 +315,7 @@ func signDigestBundle(ctx context.Context, digest name.Digest, ko options.KeyOpt
 	if err != nil {
 		return err
 	}
-	return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, predicateType, ociremoteOpts...)
+	return ociremote.WriteAttestationNewBundleFormat(digest, bundleBytes, types.CosignSignPredicateType, ociremoteOpts...)
 }
 
 func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts, signOpts options.SignOptions,

doc/cosign_dockerfile_verify.md

@@ -76,7 +76,7 @@ func MakeProtobufBundle(hint string, rawCert []byte, rekorEntry *models.LogEntry
 }
 
 func MakeNewBundle(pubKey *crypto.PublicKey, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
-	// Determine if signature is certificate or not
+	// Determine if the signer is a certificate or not
 	var hint string
 	var rawCert []byte
 

doc/cosign_manifest_verify.md

@@ -0,0 +1,20 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package types //nolint: revive // that is a valid package name :)
+
+const (
+	CosignSignPredicateType = "https://sigstore.dev/cosign/sign/v1"
+)