def Args(parser): flags.AddArtifactUrlFlag(parser, required=False) mutex_group = parser.add_mutually_exclusive_group(required=True) flags.AddConcepts( mutex_group, flags.GetAuthorityPresentationSpec( base_name='attestation-authority', required=False, # one-of requirement is set in mutex_group. positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestation Authority whose Container Analysis Note will be queried for attestations. Note that the caller must have the `containeranalysis.notes.listOccurrences` permission on the note being queried.""") ), flags.GetAuthorityNotePresentationSpec( base_name='attestation-authority-note', required=False, # one-of requirement is set in mutex_group. positional=False, group_help=textwrap.dedent("""\ The Container Analysis ATTESTATION_AUTHORITY Note that will be queried for attestations. When this option is passed, only occurrences with kind ATTESTATION_AUTHORITY will be returned. The occurrences might be from any project, not just the project where the note lives. Note that the caller must have the `containeranalysis.notes.listOccurrences` permission on the note being queried.""") ), )
def Args(cls, parser): flags.AddArtifactUrlFlag(parser) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).""")), flags.GetCryptoKeyVersionPresentationSpec( base_name='keyversion', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Cloud KMS (Key Management Service) CryptoKeyVersion to use to sign the attestation payload.""")), ) parser.add_argument('--public-key-id-override', type=str, help=textwrap.dedent("""\ If provided, the ID of the public key that will be used to verify the Attestation instead of the default generated one. This ID should match the one found on the Attestor resource(s) which will use this Attestation. This parameter is only necessary if the `--public-key-id-override` flag was provided when this KMS key was added to the Attestor."""))
def Args(parser): flags.AddArtifactUrlFlag(parser) parser.add_argument('--signature-file', required=True, type=str, help=textwrap.dedent("""\ Path to file containing the signature to store, or `-` to read signature from stdin.""")) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).""")), ) parser.add_argument('--pgp-key-fingerprint', type=str, required=True, help=textwrap.dedent("""\ The cryptographic ID of the key used to generate the signature. For Binary Authorization, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexidecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser): flags.AddArtifactUrlFlag(parser) parser.add_argument('--signature-file', required=True, type=str, help=textwrap.dedent("""\ Path to file containing the signature to store, or `-` to read signature from stdin.""")) parser.add_argument('--payload-file', required=False, type=str, help=textwrap.dedent("""\ Path to file containing the payload over which the signature was calculated. This defaults to the output of the standard payload command: $ {grandparent_command} create-signature-payload NOTE: If you sign a payload with e.g. different whitespace or formatting, you must explicitly provide the payload content via this flag. """)) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).""")), ) parser.add_argument('--public-key-id', required=True, type=str, help=textwrap.dedent("""\ The ID of the public key that will be used to verify the signature of the created Attestation. This ID must match the one found on the Attestor resource(s) which will verify this Attestation. For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details.""")) parser.add_argument('--validate', action='store_true', default=False, help=textwrap.dedent("""\ Whether to validate that the Attestation can be verified by the provided Attestor. """))
def Args(cls, parser): flags.AddArtifactUrlFlag(parser, required=False) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be queried for attestations. Note that the caller must have the `containeranalysis.notes.listOccurrences` permission on the note being queried.""")), )
def Args(cls, parser): parser.display_info.AddFormat(""" table( attestation.attestation.pgpSignedAttestation.pgpKeyId, resource.uri:label=ARTIFACT_URL:sort=1 ) """) flags.AddArtifactUrlFlag(parser, required=False) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be queried for attestations. Note that the caller must have the `containeranalysis.notes.listOccurrences` permission on the note being queried.""")), )
def Args(cls, parser): flags.AddArtifactUrlFlag(parser) parser.add_argument('--signature-file', required=True, type=str, help=textwrap.dedent("""\ Path to file containing the signature to store, or `-` to read signature from stdin.""")) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec(base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).""")), ) parser.add_argument('--public-key-id', required=True, type=str, help=textwrap.dedent("""\ The ID of the public key that will be used to verify the signature of the created Attestation. This ID should match the one found on the Attestor resource(s) which will use this Attestation. For PKIX keys, this will be the URI-formatted `id` field of the associated Attestor public key. For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))
def Args(cls, parser): binauthz_flags.AddArtifactUrlFlag(parser) parser.display_info.AddFormat('json')
def Args(cls, parser): flags.AddArtifactUrlFlag(parser) parser.add_argument( '--signature-file', required=True, type=str, help=textwrap.dedent("""\ Path to file containing the signature to store, or `-` to read signature from stdin.""")) parser.add_argument( '--payload-file', required=False, type=str, help=textwrap.dedent("""\ Path to file containing the payload over which the signature was calculated. This defaults to the output of the standard payload command: $ {grandparent_command} create-signature-payload NOTE: If you sign a payload with e.g. different whitespace or formatting, you must explicitly provide the payload content via this flag. """)) flags.AddConcepts( parser, flags.GetAttestorPresentationSpec( base_name='attestor', required=True, positional=False, use_global_project_flag=False, group_help=textwrap.dedent("""\ The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).""")), ) # TODO(b/133451183): Remove deprecated flag. if cls.ReleaseTrack() == base.ReleaseTrack.GA: parser.add_argument( '--public-key-id', type=str, required=True, help=textwrap.dedent("""\ The ID of the public key that will be used to verify the signature of the created Attestation. This ID must match the one found on the Attestor resource(s) which will verify this Attestation. For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details.""")) else: mutex_group = parser.add_mutually_exclusive_group(required=True) mutex_group.add_argument( '--pgp-key-fingerprint', action=actions.DeprecationAction( 'pgp-key-fingerprint', warn='This flag is deprecated. Use --public-key-id instead.'), type=str, help=textwrap.dedent("""\ The cryptographic ID of the key used to generate the signature. For Binary Authorization, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details.""")) mutex_group.add_argument( '--public-key-id', type=str, help=textwrap.dedent("""\ The ID of the public key that will be used to verify the signature of the created Attestation. This ID must match the one found on the Attestor resource(s) which will verify this Attestation. For PGP keys, this must be the version 4, full 160-bit fingerprint, expressed as a 40 character hexadecimal string. See https://tools.ietf.org/html/rfc4880#section-12.2 for details."""))