Assume cosign.key as key field in signing secret

simonbaird · claude · simonbaird · commit ea7bd24c4e75 · 2025-12-15T16:38:46.000-05:00
I want to use this and have it dwim: --vsa-signing-key k8s://conforma/vsa-signing-key Ref: https://issues.redhat.com/browse/EC-1589 Co-authored-by: Claude Code <noreply@anthropic.com>
diff --git a/internal/utils/private_key.go b/internal/utils/private_key.go
@@ -18,6 +18,8 @@ package utils
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/spf13/afero"
 )
@@ -26,7 +28,16 @@ import (
 // This follows the same pattern as cosignSig.PublicKeyFromKeyRef but for private keys.
 // Supported formats:
 // - File path: "/path/to/private-key.pem"
+// - Kubernetes secret: "k8s://namespace/secret-name"
 // - Kubernetes secret: "k8s://namespace/secret-name/key-field"
 func PrivateKeyFromKeyRef(ctx context.Context, keyRef string, fs afero.Fs) ([]byte, error) {
-	return KeyFromKeyRef(ctx, keyRef, fs)
+	// If the key-field is not specified assume it is "cosign.key"
+	adjustedKeyRef := keyRef
+	if strings.HasPrefix(keyRef, "k8s://") {
+		parts := strings.Split(strings.TrimPrefix(keyRef, "k8s://"), "/")
+		if len(parts) == 2 {
+			adjustedKeyRef = fmt.Sprintf("%s/cosign.key", keyRef)
+		}
+	}
+	return KeyFromKeyRef(ctx, adjustedKeyRef, fs)
 }
diff --git a/internal/utils/private_key_test.go b/internal/utils/private_key_test.go
@@ -63,13 +63,29 @@ func TestPrivateKeyFromKeyRef(t *testing.T) {
 			expectErr: false,
 		},
 		{
-			name:   "k8s secret with multiple keys (no key field specified)",
+			name:   "k8s secret with multiple keys (no key field specified, defaults to cosign.key)",
 			keyRef: "k8s://test-namespace/multi-key-secret",
 			setup: func(fs afero.Fs, ctx context.Context) {
 				// This will be handled in the test loop
 			},
 			expectErr: true,
-			errMsg:    "contains multiple keys, please specify the key field",
+			errMsg:    "key field \"cosign.key\" not found in secret",
+		},
+		{
+			name:   "k8s secret with default cosign.key field",
+			keyRef: "k8s://test-namespace/cosign-key-secret",
+			setup: func(fs afero.Fs, ctx context.Context) {
+				// This will be handled in the test loop
+			},
+			expectErr: false,
+		},
+		{
+			name:   "k8s secret with cosign.key among multiple keys (defaults to cosign.key)",
+			keyRef: "k8s://test-namespace/mixed-secret",
+			setup: func(fs afero.Fs, ctx context.Context) {
+				// This will be handled in the test loop
+			},
+			expectErr: false,
 		},
 		{
 			name:      "invalid k8s format",
@@ -127,6 +143,28 @@ func TestPrivateKeyFromKeyRef(t *testing.T) {
 							"key2": []byte("key2 content"),
 						},
 					})
+				} else if tt.keyRef == "k8s://test-namespace/cosign-key-secret" {
+					secrets = append(secrets, &v1.Secret{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "cosign-key-secret",
+							Namespace: "test-namespace",
+						},
+						Data: map[string][]byte{
+							"cosign.key": []byte("default cosign key content"),
+						},
+					})
+				} else if tt.keyRef == "k8s://test-namespace/mixed-secret" {
+					secrets = append(secrets, &v1.Secret{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "mixed-secret",
+							Namespace: "test-namespace",
+						},
+						Data: map[string][]byte{
+							"cosign.key":   []byte("mixed secret cosign key content"),
+							"other-key":    []byte("other key content"),
+							"another-key":  []byte("another key content"),
+						},
+					})
 				}
 
 				if len(secrets) > 0 {
@@ -158,6 +196,10 @@ func TestPrivateKeyFromKeyRef(t *testing.T) {
 					assert.Equal(t, []byte("single key content"), keyBytes)
 				} else if tt.keyRef == "k8s://test-namespace/test-secret/private-key" {
 					assert.Equal(t, []byte("test private key content"), keyBytes)
+				} else if tt.keyRef == "k8s://test-namespace/cosign-key-secret" {
+					assert.Equal(t, []byte("default cosign key content"), keyBytes)
+				} else if tt.keyRef == "k8s://test-namespace/mixed-secret" {
+					assert.Equal(t, []byte("mixed secret cosign key content"), keyBytes)
 				}
 			}
 		})
