Deprecation notices to get ready for cosign v4

[steiza]

Description

We're in the midst of some major Cosign changes as we move from v2 to v3 to v4, as described on #4221.

As we wrap up Cosign v3 releases, we want to go through and deprecate a lot of functionality, to prepare for removing it in v4. This issue will track all the flags we want to deprecate.

I think for now we will not deprecate flags that are an alternative to using signing config, but I'm happy to get feedback on that.

• Deprecate rekor-entry-type flag #4691
• --attachment verification looks for OCI 1.1 referrers instead
• --attachment-tag-prefix use OCI 1.1 referrers instead
• --b64 we're moving from detached signatures to signatures in the bundle
• --ca-intermediates use a trusted root
• --ca-roots use a trusted root
• --certificate use a trusted root
• --certificate-chain use a trusted root
• --experimental-oci11 we always treat this as true with new bundle format
• --issue-certificate we aren't supporting going forward
• --new-bundle-format we're only supporting the new bundle format in v4+
• --oidc-issuer we aren't supporting going forward
• --output we're moving from detached signatures to signatures in the bundle
• --output-certificate we're moving from detached certificates to certificates in the bundle
• --output-payload use --bundle instead
• --output-signature we're moving from detached signatures to signatures in the bundle
• --private-infrastructure use --insecure-ignore-tlog instead
• --record-creation-timestamp not used with sigstore-go
• --rekor-url use transparency log entry in bundle
• --replace not needed with OCI 1.1 referrers
• --rfc3161-timestamp we're moving from detached signed timestamps to signed timestamps in the bundle
• --sct included in bundle format
• --signature included in bundle format
• --signature-digest-algorithm included in bundle format
• --sign-container-identity OCI 1.1 referrers do not contain this information
• --timestamp-certificate-chain use a trusted root

[Hayden-IO]

we aren't supporting timestamp authority mTLS going forward

We should be able to keep this - #4620

[steiza]

we aren't supporting timestamp authority mTLS going forward

We should be able to keep this - #4620

Are folks using this? I didn't think they were (and told @piceri they were not). But I could be wrong!

[Hayden-IO]

This was added by dmitris originally, my understanding was they used it for their private deployment.

[steiza]

This was added by dmitris originally, my understanding was they used it for their private deployment.

Alright, I removed them from the list for now. I do want us to be aware of the quantity of flags that we're adding to support a feature (4 flags is a lot for a private deployment!) But maybe this is something we can be more aware of in the future.

[steiza]

Ah, sorry, it looks like GitHub took the "Resolves #4696" literally and automatically closed this when I merged that PR. 😞

I did go through this issue description and check off the flags that PR updated.

[Hayden-IO]

I'd like to propose we deprecate the signing URLs in favor of the signing config. As an organization, it's a one-time extra step to generate a config, and we have a command that helps with that construction. And signing configs allow for requesting timestamps or logging entries to multiple instances, something that the flags do not support.

If so, that would mean we deprecate:

• --fulcio-url
• --rekor-url (you noted rekor-url already for verification)
• --timestamp-server-url
• --oidc-issuer (Actually, you had this already)

What about --upload for sign/attest? Either we need to support outputting bundles for containers, or we should deprecate this flag because you should always record the bundle.

Also, we need to deprecate all the relevant env vars from https://github.com/sigstore/cosign/blob/main/pkg/cosign/env/env.go.