def Args(parser):
flags.AddArtifactUrlFlag(parser, required=False)
mutex_group = parser.add_mutually_exclusive_group(required=True)
flags.AddConcepts(
mutex_group,
flags.GetAuthorityPresentationSpec(
base_name='attestation-authority',
required=False, # one-of requirement is set in mutex_group.
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestation Authority whose Container Analysis Note will be
queried for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")
),
flags.GetAuthorityNotePresentationSpec(
base_name='attestation-authority-note',
required=False, # one-of requirement is set in mutex_group.
positional=False,
group_help=textwrap.dedent("""\
The Container Analysis ATTESTATION_AUTHORITY Note that will be
queried for attestations. When this option is passed, only
occurrences with kind ATTESTATION_AUTHORITY will be returned. The
occurrences might be from any project, not just the project where
the note lives. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")
),
)
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
flags.GetCryptoKeyVersionPresentationSpec(
base_name='keyversion',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Cloud KMS (Key Management Service) CryptoKeyVersion to use to
sign the attestation payload.""")),
)
parser.add_argument('--public-key-id-override',
type=str,
help=textwrap.dedent("""\
If provided, the ID of the public key that will be used to verify the
Attestation instead of the default generated one. This ID should match
the one found on the Attestor resource(s) which will use this
Attestation.
This parameter is only necessary if the `--public-key-id-override`
flag was provided when this KMS key was added to the Attestor."""))
def Args(parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--pgp-key-fingerprint',
type=str,
required=True,
help=textwrap.dedent("""\
The cryptographic ID of the key used to generate the signature. For
Binary Authorization, this must be the version 4, full 160-bit
fingerprint, expressed as a 40 character hexidecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
parser.add_argument('--payload-file',
required=False,
type=str,
help=textwrap.dedent("""\
Path to file containing the payload over which the signature was
calculated.
This defaults to the output of the standard payload command:
$ {grandparent_command} create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or
formatting, you must explicitly provide the payload content via this
flag.
"""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--public-key-id',
required=True,
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
parser.add_argument('--validate',
action='store_true',
default=False,
help=textwrap.dedent("""\
Whether to validate that the Attestation can be verified by the
provided Attestor.
"""))
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser, required=False)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be queried
for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")),
)
def Args(cls, parser):
parser.display_info.AddFormat("""
table(
attestation.attestation.pgpSignedAttestation.pgpKeyId,
resource.uri:label=ARTIFACT_URL:sort=1
)
""")
flags.AddArtifactUrlFlag(parser, required=False)
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be queried
for attestations. Note that the caller must have the
`containeranalysis.notes.listOccurrences` permission on the note
being queried.""")),
)
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument('--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
parser.add_argument('--public-key-id',
required=True,
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID should match the one found on the
Attestor resource(s) which will use this Attestation.
For PKIX keys, this will be the URI-formatted `id` field of the
associated Attestor public key.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser):
binauthz_flags.AddArtifactUrlFlag(parser)
parser.display_info.AddFormat('json')
def Args(cls, parser):
flags.AddArtifactUrlFlag(parser)
parser.add_argument(
'--signature-file',
required=True,
type=str,
help=textwrap.dedent("""\
Path to file containing the signature to store, or `-` to read
signature from stdin."""))
parser.add_argument(
'--payload-file',
required=False,
type=str,
help=textwrap.dedent("""\
Path to file containing the payload over which the signature was
calculated.
This defaults to the output of the standard payload command:
$ {grandparent_command} create-signature-payload
NOTE: If you sign a payload with e.g. different whitespace or
formatting, you must explicitly provide the payload content via this
flag.
"""))
flags.AddConcepts(
parser,
flags.GetAttestorPresentationSpec(
base_name='attestor',
required=True,
positional=False,
use_global_project_flag=False,
group_help=textwrap.dedent("""\
The Attestor whose Container Analysis Note will be used to host
the created attestation. In order to successfully attach the
attestation, the active gcloud account (core/account) must
be able to read this attestor and must have the
`containeranalysis.notes.attachOccurrence` permission for the
Attestor's underlying Note resource (usually via the
`containeranalysis.notes.attacher` role).""")),
)
# TODO(b/133451183): Remove deprecated flag.
if cls.ReleaseTrack() == base.ReleaseTrack.GA:
parser.add_argument(
'--public-key-id',
type=str,
required=True,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
else:
mutex_group = parser.add_mutually_exclusive_group(required=True)
mutex_group.add_argument(
'--pgp-key-fingerprint',
action=actions.DeprecationAction(
'pgp-key-fingerprint',
warn='This flag is deprecated. Use --public-key-id instead.'),
type=str,
help=textwrap.dedent("""\
The cryptographic ID of the key used to generate the signature. For
Binary Authorization, this must be the version 4, full 160-bit
fingerprint, expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
mutex_group.add_argument(
'--public-key-id',
type=str,
help=textwrap.dedent("""\
The ID of the public key that will be used to verify the signature
of the created Attestation. This ID must match the one found on the
Attestor resource(s) which will verify this Attestation.
For PGP keys, this must be the version 4, full 160-bit fingerprint,
expressed as a 40 character hexadecimal string. See
https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
