remove previously deprecated attach/download sbom commands

Signed-off-by: hectorj2f <[email protected]>

cmd/cosign/cli/attach.go

@@ -16,9 +16,6 @@
 package cli
 
 import (
- "fmt"
- "os"
-
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
  "github.com/spf13/cobra"
@@ -32,7 +29,6 @@ func Attach() *cobra.Command {
 
  cmd.AddCommand(
  attachSignature(),
- attachSBOM(),
  attachAttestation(),
  )
 
@@ -75,32 +71,6 @@ func attachSignature() *cobra.Command {
  return cmd
 }
 
-func attachSBOM() *cobra.Command {
- o := &options.AttachSBOMOptions{}
-
- cmd := &cobra.Command{
- Use: "sbom",
- Short: "DEPRECATED: Attach sbom to the supplied container image",
- Long: "Attach sbom to the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
- Example: " cosign attach sbom <image uri>",
- Args: cobra.ExactArgs(1),
- PersistentPreRun: options.BindViper,
- RunE: func(cmd *cobra.Command, args []string) error {
- fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
- mediaType, err := o.MediaType()
- if err != nil {
- return err
- }
- fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate %s --key <key path>'.\n", o.SBOM)
- return attach.SBOMCmd(cmd.Context(), o.Registry, o.RegistryExperimental, o.SBOM, mediaType, args[0])
- },
- }
-
- o.AddFlags(cmd)
-
- return cmd
-}
-
 func attachAttestation() *cobra.Command {
  o := &options.AttachAttestationOptions{}
 

cmd/cosign/cli/download.go

@@ -16,9 +16,6 @@
 package cli
 
 import (
- "fmt"
- "os"
-
  "github.com/spf13/cobra"
 
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
@@ -33,7 +30,6 @@ func Download() *cobra.Command {
 
  cmd.AddCommand(
  downloadSignature(),
- downloadSBOM(),
  downloadAttestation(),
  )
 
@@ -59,31 +55,6 @@ func downloadSignature() *cobra.Command {
  return cmd
 }
 
-func downloadSBOM() *cobra.Command {
- o := &options.RegistryOptions{}
- do := &options.SBOMDownloadOptions{}
-
- cmd := &cobra.Command{
- Use: "sbom",
- Short: "DEPRECATED: Download SBOMs from the supplied container image",
- Long: "Download SBOMs from the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
- Example: " cosign download sbom <image uri>",
- Args: cobra.ExactArgs(1),
- PersistentPreRun: options.BindViper,
- RunE: func(cmd *cobra.Command, args []string) error {
- fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
- fmt.Fprintln(os.Stderr, "WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.")
- _, err := download.SBOMCmd(cmd.Context(), *o, *do, args[0], cmd.OutOrStdout())
- return err
- },
- }
-
- do.AddFlags(cmd)
- o.AddFlags(cmd)
-
- return cmd
-}
-
 func downloadAttestation() *cobra.Command {
  o := &options.RegistryOptions{}
  ao := &options.AttestationDownloadOptions{}

test/e2e_attach_test.go

@@ -39,7 +39,6 @@ import (
  "github.com/google/go-containerregistry/pkg/name"
  "github.com/google/go-containerregistry/pkg/v1/types"
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
- "github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
  "github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
  cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
@@ -402,95 +401,3 @@ func TestUploadDownload(t *testing.T) {
  })
  }
 }
-
-func TestAttachSBOM_bom_flag(t *testing.T) {
- repo, stop := reg(t)
- defer stop()
- td := t.TempDir()
- ctx := context.Background()
- bomData, err := os.ReadFile("./testdata/bom-go-mod.spdx")
- must(err, t)
-
- testCases := map[string]struct {
- bom string
- bomType attach.SignatureArgType
- expectedErr bool
- }{
- "stdin containing bom": {
- bom: string(bomData),
- bomType: attach.StdinSignature,
- expectedErr: false,
- },
- "file containing bom": {
- bom: string(bomData),
- bomType: attach.FileSignature,
- expectedErr: false,
- },
- "raw bom as argument": {
- bom: string(bomData),
- bomType: attach.RawSignature,
- expectedErr: true,
- },
- "empty bom as argument": {
- bom: "",
- bomType: attach.RawSignature,
- expectedErr: true,
- },
- }
-
- for testName, testCase := range testCases {
- t.Run(testName, func(t *testing.T) {
- imgName := path.Join(repo, "sbom-image")
- img, _, cleanup := mkimage(t, imgName)
- var sbomRef string
- restoreStdin := func() {}
- switch {
- case testCase.bomType == attach.FileSignature:
- sbomRef = mkfile(testCase.bom, td, t)
- case testCase.bomType == attach.StdinSignature:
- sbomRef = "-"
- restoreStdin = mockStdin(testCase.bom, td, t)
- default:
- sbomRef = testCase.bom
- }
-
- out := bytes.Buffer{}
- _, errPl := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{Platform: "darwin/amd64"}, img.Name(), &out)
- if errPl == nil {
- t.Fatalf("Expected error when passing Platform to single arch image")
- }
- _, err := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, img.Name(), &out)
- if err == nil {
- t.Fatal("Expected error")
- }
- t.Log(out.String())
- out.Reset()
-
- // Upload it!
- err = attach.SBOMCmd(ctx, options.RegistryOptions{}, options.RegistryExperimentalOptions{}, sbomRef, "spdx", imgName)
- restoreStdin()
-
- if testCase.expectedErr {
- mustErr(err, t)
- } else {
- sboms, err := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, imgName, &out)
- if err != nil {
- t.Fatal(err)
- }
- t.Log(out.String())
- if len(sboms) != 1 {
- t.Fatalf("Expected one sbom, got %d", len(sboms))
- }
- want, err := os.ReadFile("./testdata/bom-go-mod.spdx")
- if err != nil {
- t.Fatal(err)
- }
- if diff := cmp.Diff(string(want), sboms[0]); diff != "" {
- t.Errorf("diff: %s", diff)
- }
- }
-
- cleanup()
- })
- }
-}