From 3dda9f830b23a1b287065ff7cd88531e06b31683 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Fri, 10 Dec 2021 18:31:15 +0900 Subject: [PATCH] cosign: fix docs and shell completions Signed-off-by: Akihiro Suda --- README.md | 7 ++++++- cmd/nerdctl/pull.go | 13 +++++++++---- cmd/nerdctl/push.go | 11 +++++++---- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index fed760cc84b..a93c5f3d432 100644 --- a/README.md +++ b/README.md @@ -128,6 +128,7 @@ Major: - [P2P image distribution using IPFS](./docs/ipfs.md): `nerdctl run ipfs://CID` - Recursive read-only (RRO) bind-mount: `nerdctl run -v /mnt:/mnt:rro` (make children such as `/mnt/usb` to be read-only, too). Requires kernel >= 5.12, and crun >= 1.4 or runc >= 1.1 (PR [#3272](https://github.com/opencontainers/runc/pull/3272)). +- [Cosign integration](./docs/cosign.md): `nerdctl pull --verify=cosign` and `nerdctl push --sign=cosign` Minor: - Namespacing: `nerdctl --namespace= ps` . @@ -718,6 +719,8 @@ Flags: - :nerd_face: `--all-platforms`: Pull content for all platforms - :nerd_face: `--unpack`: Unpack the image for the current single platform (auto/true/false) - :whale: `-q, --quiet`: Suppress verbose output +- :nerd_face: `--verify`: Verify the image (none|cosign). See [`docs/cosign.md`](./docs/cosign.md) for details. +- :nerd_face: `--cosign-key`: Path to the public key file, KMS, URI or Kubernetes Secret for `--verify=cosign` Unimplemented `docker pull` flags: `--all-tags`, `--disable-content-trust` (default true) 
@@ -731,6 +734,8 @@ Usage: `nerdctl push [OPTIONS] NAME[:TAG]` Flags: - :nerd_face: `--platform=(amd64|arm64|...)`: Push content for a specific platform - :nerd_face: `--all-platforms`: Push content for all platforms +- :nerd_face: `--sign`: Sign the image (none|cosign). See [`docs/cosign.md`](./docs/cosign.md) for details. +- :nerd_face: `--cosign-key`: Path to the private key file, KMS, URI or Kubernetes Secret for `--sign=cosign` Unimplemented `docker push` flags: `--all-tags`, `--disable-content-trust` (default true), `--quiet` @@ -1222,7 +1227,7 @@ Image: - `docker image prune` -- `docker trust *` +- `docker trust *` (Instead, nerdctl supports `nerdctl pull --verify=cosign` and `nerdctl push --sign=cosign`. See [`./docs/cosign.md`](docs/cosign.md).) - `docker manifest *` Network management: diff --git a/cmd/nerdctl/pull.go b/cmd/nerdctl/pull.go index a28740e2794..6ffcd9140b6 100644 --- a/cmd/nerdctl/pull.go +++ b/cmd/nerdctl/pull.go @@ -45,9 +45,6 @@ func newPullCommand() *cobra.Command { SilenceErrors: true, } pullCommand.Flags().String("unpack", "auto", "Unpack the image for the current single platform (auto/true/false)") - pullCommand.Flags().String("cosign-key", "", - "path to the public key file, KMS, URI or Kubernetes Secret") - pullCommand.RegisterFlagCompletionFunc("unpack", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { return []string{"auto", "true", "false"}, cobra.ShellCompDirectiveNoFileComp }) 
@@ -57,8 +54,16 @@ func newPullCommand() *cobra.Command {
 pullCommand.Flags().StringSlice("platform", nil, "Pull content for a specific platform")
 pullCommand.RegisterFlagCompletionFunc("platform", shellCompletePlatforms)
 pullCommand.Flags().Bool("all-platforms", false, "Pull content for all platforms")
- pullCommand.Flags().String("verify", "none", "Verify the image with none|cosign. Default none")
 // #endregion
+
+ // #region verify flags
+ pullCommand.Flags().String("verify", "none", "Verify the image (none|cosign)")
+ pullCommand.RegisterFlagCompletionFunc("verify", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+ return []string{"none", "cosign"}, cobra.ShellCompDirectiveNoFileComp
+ })
+ pullCommand.Flags().String("cosign-key", "", "Path to the public key file, KMS, URI or Kubernetes Secret for --verify=cosign")
+ // #endregion
+
 pullCommand.Flags().BoolP("quiet", "q", false, "Suppress verbose output")
 return pullCommand
diff --git a/cmd/nerdctl/push.go b/cmd/nerdctl/push.go
index 55bc36a8cf4..2c8ec4379c1 100644
--- a/cmd/nerdctl/push.go
+++ b/cmd/nerdctl/push.go
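Review bot: `--verify` is still a free-form string flag in this cmd/nerdctl/pull.go hunk; the completion function only suggests `none` and `cosign` and does not restrict what is accepted. The code that reads the flag is outside the hunk, so confirm it returns an error for any other value: if a typo such as `--verify=cosing` falls through to the `none` path, the pull succeeds with no signature check. The same holds for `--sign` in the push.go hunk, and for `--cosign-key` passed without `--verify=cosign`, which the new help text implies is ignored. A comment above the flag would record the contract, e.g. `// Any value other than "none" or "cosign" must be rejected by the pull action, never treated as "none".`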
@@ -64,10 +64,13 @@ func newPushCommand() *cobra.Command {
 pushCommand.Flags().Bool("estargz", false, "Convert the image into eStargz")
 pushCommand.Flags().Bool("ipfs-ensure-image", true, "Ensure the entire contents of the image is locally available before push")
- pushCommand.Flags().String("sign", "none", "Sign the image with none|cosign. Default none")
-
- pushCommand.Flags().String("cosign-key", "",
- "path to the private key file, KMS URI or Kubernetes Secret")
+ // #region sign flags
+ pushCommand.Flags().String("sign", "none", "Sign the image (none|cosign")
+ pushCommand.RegisterFlagCompletionFunc("sign", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+ return []string{"none", "cosign"}, cobra.ShellCompDirectiveNoFileComp
+ })
+ pushCommand.Flags().String("cosign-key", "", "Path to the private key file, KMS URI or Kubernetes Secret for --sign=cosign")
+ // #endregion
 return pushCommand
 }
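Review bot: The new help string for `--sign` is missing its closing parenthesis (`"Sign the image (none|cosign"`), so the usage text prints an unbalanced hint; it should read `pushCommand.Flags().String("sign", "none", "Sign the image (none|cosign)")`, matching the `--verify` text in pull.go. The `--cosign-key` help here says "KMS URI" while the pull.go hunk and the README lines added by this commit say "KMS, URI"; one of the two wordings is presumably a typo, and the three places should agree so users know which key references are accepted.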