sigstore · scop · Jan 29, 2025 · Jan 29, 2025 · haydentherapper · Feb 3, 2025
@@ -80,7 +80,7 @@ func (o *AttachSBOMOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.SBOM, "sbom", "",
 		"path to the sbom, or {-} for stdin")
-	_ = cmd.Flags().SetAnnotation("sbom", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("sbom", sbomExts...)
 
 	cmd.Flags().StringVar(&o.SBOMType, "type", "spdx",
 		"type of sbom (spdx|cyclonedx|syft)")

@@ -54,18 +54,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{"key"})
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.NoUpload, "no-upload", false,
 		"do not upload the generated attestation")

@@ -58,33 +58,34 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{"key"})
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
-	_ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("output-signature", signatureExts...)
 
 	cmd.Flags().StringVar(&o.OutputAttestation, "output-attestation", "",
 		"write the attestation to FILE")
+	// _ = cmd.MarkFlagFilename("output-attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
 		"write the certificate to FILE")
-	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("key", certificateExts...)
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"write everything required to verify the blob to a FILE")
-	_ = cmd.Flags().SetAnnotation("bundle", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	// TODO: have this default to true as a breaking change
 	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false,
@@ -107,5 +108,5 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
 		"path to an RFC 3161 timestamp bundle FILE")
-	_ = cmd.Flags().SetAnnotation("rfc3161-timestamp-bundle", cobra.BashCompFilenameExt, []string{})
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle") // no typical extensions
 }
@@ -39,33 +39,41 @@ var _ Interface = (*BundleCreateOptions)(nil)
 func (o *BundleCreateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Artifact, "artifact", "",
 		"path to artifact FILE")
+	// _ = cmd.MarkFlagFilename("artifact") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AttestationPath, "attestation", "",
 		"path to attestation FILE")
+	// _ = cmd.MarkFlagFilename("attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"path to old format bundle FILE")
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	cmd.Flags().StringVar(&o.CertificatePath, "certificate", "",
 		"path to the signing certificate, likely from Fulco.")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
 		"ignore transparency log verification, to be used when an artifact "+
 			"signature has not been uploaded to the transparency log.")
 
 	cmd.Flags().StringVar(&o.KeyRef, "key", "",
 		"path to the public key file, KMS URI or Kubernetes Secret")
+	_ = cmd.MarkFlagFilename("key", publicKeyExts...)
 
 	cmd.Flags().StringVar(&o.Out, "out", "", "path to output bundle")
+	_ = cmd.MarkFlagFilename("out", bundleExts...)
 
 	cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "https://rekor.sigstore.dev",
 		"address of rekor STL server")
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
 		"path to RFC3161 timestamp FILE")
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp") // no typical extensions
 
 	cmd.Flags().StringVar(&o.SignaturePath, "signature", "",
 		"path to base64-encoded signature over attestation in DSSE format")
+	_ = cmd.MarkFlagFilename("signature", signatureExts...)
 
 	cmd.Flags().BoolVar(&o.Sk, "sk", false,
 		"whether to use a hardware security key")

@@ -46,7 +46,7 @@ var _ Interface = (*RekorOptions)(nil)
 func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.")
-	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
 		"The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.")
@@ -82,24 +82,25 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 			"when building the certificate chains for the signing certificate. "+
 			"The flag is optional and must be used together with --ca-roots, conflicts with "+
 			"--certificate-chain.")
-	_ = cmd.Flags().SetAnnotation("ca-intermediates", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("ca-intermediates", certificateExts...)
 	cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
 		"path to a bundle file of CA certificates in PEM format which will be needed "+
 			"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
-	_ = cmd.Flags().SetAnnotation("ca-roots", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("ca-roots", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
-	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
 	cmd.Flags().StringVar(&o.SCT, "sct", "",
 		"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+
 			"If a certificate contains an SCT, verification will check both the detached and embedded SCTs.")
+	// _ = cmd.MarkFlagFilename("sct") // no typical extensions
 	cmd.Flags().BoolVar(&o.IgnoreSCT, "insecure-ignore-sct", false,
 		"when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 			"inclusion in a certificate transparency log")

@@ -54,5 +54,5 @@ func (o *FilesOptions) String() string {
 func (o *FilesOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringSliceVarP(&o.Files, "files", "f", nil,
 		"<filepath>:[platform/arch]")
-	_ = cmd.Flags().SetAnnotation("files", cobra.BashCompFilenameExt, []string{})
+	// _ = cmd.MarkFlagFilename("files") // no typical extensions
 }
@@ -39,6 +39,7 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
 		"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
+	// _ = cmd.MarkFlagFilename("identity-token") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
 		"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials")

@@ -36,11 +36,11 @@ var _ Interface = (*ImportKeyPairOptions)(nil)
 func (o *ImportKeyPairOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVarP(&o.Key, "key", "k", "",
 		"import key pair to use for signing")
-	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVarP(&o.OutputKeyPrefix, "output-key-prefix", "o", "import-cosign",
 		"name used for outputted key pairs")
-	_ = cmd.Flags().SetAnnotation("output-key-prefix", cobra.BashCompFilenameExt, []string{})
+	// _ = cmd.MarkFlagFilename("output-key-prefix") // no typical extensions
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for overwriting existing key")

@@ -36,7 +36,7 @@ func (o *InitializeOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Root, "root", "",
 		"path to trusted initial root. defaults to embedded root")
-	_ = cmd.Flags().SetAnnotation("root", cobra.BashCompSubdirsInDir, []string{})
+	_ = cmd.MarkFlagDirname("root")
 
 	cmd.Flags().StringVar(&o.RootChecksum, "root-checksum", "",
 		"checksum of the initial root, required if root is downloaded via http(s). expects sha256 by default, can be changed to sha512 by providing sha512:<checksum>")

@@ -32,6 +32,6 @@ func (o *LoadOptions) AddFlags(cmd *cobra.Command) {
 	o.Registry.AddFlags(cmd)
 	cmd.Flags().StringVar(&o.Directory, "dir", "",
 		"path to directory where the signed image is stored on disk")
-	_ = cmd.Flags().SetAnnotation("dir", cobra.BashCompSubdirsInDir, []string{})
+	_ = cmd.MarkFlagDirname("dir")
 	_ = cmd.MarkFlagRequired("dir")
 }
@@ -64,7 +64,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "",
 		"Path to file containing OIDC client secret for application")
-	_ = cmd.Flags().SetAnnotation("oidc-client-secret-file", cobra.BashCompFilenameExt, []string{})
+	// _ = cmd.MarkFlagFilename("oidc-client-secret-file") // no typical extensions
 
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
 		"OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")

@@ -21,3 +21,37 @@ type Interface interface {
 	// AddFlags adds this options' flags to the cobra command.
 	AddFlags(cmd *cobra.Command)
 }
+
+var bundleExts = []string{
+	"bundle",
+}
+var certificateExts = []string{
+	"cert",
+	"crt",
+	"pem",
+}
+var logExts = []string{
+	"log",
+}
+var moduleExts = []string{
+	"dll",
+	"dylib",
+	"so",
+}
+var privateKeyExts = []string{
+	"key",
+}
+var publicKeyExts = []string{
+	"pub",
+}
+var sbomExts = []string{
+	"json",
+	"xml",
+	"spdx",
+}
+var signatureExts = []string{
+	"sig",
+}
+var wasmExts = []string{
+	"wasm",
+}
@@ -31,7 +31,7 @@ var _ Interface = (*PKCS11ToolListTokensOptions)(nil)
 func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
-	_ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("module-path", moduleExts...)
 }
 
 // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options.
@@ -47,7 +47,7 @@ var _ Interface = (*PKCS11ToolListKeysUrisOptions)(nil)
 func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
-	_ = cmd.Flags().SetAnnotation("module-path", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("module-path", moduleExts...)
 
 	cmd.Flags().UintVar(&o.SlotID, "slot-id", 0,
 		"id of the PKCS11 slot, uses 0 if empty")

@@ -94,6 +94,7 @@ func (o *PredicateLocalOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Path, "predicate", "",
 		"path to the predicate file.")
+	_ = cmd.MarkFlagFilename("predicate", sbomExts...)
 	_ = cmd.MarkFlagRequired("predicate")
 }
 

@@ -34,9 +34,9 @@ func (o *PublicKeyOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.OutFile, "outfile", "",
 		"path to a payload file to use rather than generating one")
-	_ = cmd.Flags().SetAnnotation("outfile", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("outfile", publicKeyExts...)
 }
@@ -80,12 +80,15 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RegistryCACert, "registry-cacert", "",
 		"path to the X.509 CA certificate file in PEM format to be used for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-cacert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.RegistryClientCert, "registry-client-cert", "",
 		"path to the X.509 certificate file in PEM format to be used for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-client-cert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.RegistryClientKey, "registry-client-key", "",
 		"path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-client-key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.RegistryServerName, "registry-server-name", "",
 		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry")

@@ -44,7 +44,7 @@ var _ Interface = (*RootOptions)(nil)
 func (o *RootOptions) AddFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&o.OutputFile, "output-file", "",
 		"log output to a file")
-	_ = cmd.Flags().SetAnnotation("output-file", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("output-file", logExts...)
 
 	cmd.PersistentFlags().BoolVarP(&o.Verbose, "verbose", "d", false,
 		"log debug output")

@@ -32,6 +32,6 @@ func (o *SaveOptions) AddFlags(cmd *cobra.Command) {
 	o.Registry.AddFlags(cmd)
 	cmd.Flags().StringVar(&o.Directory, "dir", "",
 		"path to dir where the signed image should be stored on disk")
-	_ = cmd.Flags().SetAnnotation("dir", cobra.BashCompSubdirsInDir, []string{})
+	_ = cmd.MarkFlagDirname("dir")
 	_ = cmd.MarkFlagRequired("dir")
 }