
feat: add cosign binary to nerdctl-full #680

Open: wants to merge 1 commit into base branch main

Conversation

@developer-guy (Contributor) commented Jan 8, 2022

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>

fixes #679

cc: @Dentrax

@AkihiroSuda (Member)

Please remove this

```dockerfile
COPY --from=gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fdea547f4c9a27139276cc373165c26842bc594b8bd /ko-app/cosign /usr/local/bin/cosign
```

@developer-guy (Contributor, Author)

> Please remove this
>
> ```dockerfile
> COPY --from=gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fdea547f4c9a27139276cc373165c26842bc594b8bd /ko-app/cosign /usr/local/bin/cosign
> ```

thank you for bringing it to my attention, I've removed this line. ✌️

echo "- IPFS: ${IPFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md \
ARG COSIGN_VERSION
RUN fname="cosign-${TARGETOS:-linux}-${TARGETARCH:-amd64}" && \
curl -o "${fname}" -fSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}" && \
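Review bot: `ARG COSIGN_VERSION` in this hunk is declared without a value, so unless the build passes `--build-arg COSIGN_VERSION=...` or a global `ARG COSIGN_VERSION=v1.4.1` precedes the first `FROM` (a stage-level `ARG` with no value inherits the global default), `${COSIGN_VERSION}` expands to an empty string and the URL becomes `https://github.com/sigstore/cosign/releases/download//cosign-linux-amd64`, which matches the 404 reported below; suggest `ARG COSIGN_VERSION=v1.4.1` here. Separately, the `curl -o "${fname}" -fSL ...` fetch applies no integrity check to the downloaded binary, whereas the `COPY --from=...@sha256:...` line removed earlier at least pinned a digest; consider verifying the asset against the checksum list published with the release before it is installed to `/usr/local/bin`.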
Member

404

Contributor Author

It says so because it seems that COSIGN_VERSION is not replaced in the URL. Why is that? I've defined it as an ARG with a value of v1.4.1.

Contributor Author

did I do something wrong?

Contributor Author

kindly ping 🙋🏻‍♂️

Contributor

Maybe try to echo the same string in your Dockerfile to see if it is what you expect.
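The RUN step under review fetches the cosign release asset with curl and installs whatever came back, and the 404 in this thread comes from an empty version variable. The following is an added example, not code from this PR or from the nerdctl or cosign projects: a POSIX shell sketch of the two checks such a build step could apply, refusing an empty version and verifying the asset against the release's checksum list before installing it. The checksum file name `cosign_checksums.txt` and its `<hex>  <filename>` line format are assumptions about the sigstore release layout; the asset and checksum files used here are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the nerdctl PR): build the cosign release URL with the
# same asset naming as the Dockerfile, then verify a downloaded asset against a
# checksum list before installing it. "cosign_checksums.txt" and the
# "<hex>  <filename>" line format are assumed; all files below are constructed.
set -eu

# Build the asset URL. An empty version is rejected instead of yielding
# ".../download//cosign-linux-amd64", which is what produces a 404.
cosign_release_url() {
    version="$1"; os="${2:-linux}"; arch="${3:-amd64}"
    if [ -z "$version" ]; then
        echo "COSIGN_VERSION is empty; check that the ARG has a value in this stage" >&2
        return 1
    fi
    echo "https://github.com/sigstore/cosign/releases/download/${version}/cosign-${os}-${arch}"
}

# Portable SHA-256 of a file (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare an asset with its entry in the checksum list. Fails on a mismatch
# and also when the asset is not listed at all, so an unknown file never
# passes silently.
verify_against_checksums() {
    asset="$1"; checksums="$2"
    name=$(basename "$asset")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$checksums")
    if [ -z "$expected" ]; then
        echo "$name is not listed in $checksums" >&2
        return 1
    fi
    actual=$(sha256_of "$asset")
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Install only after verification succeeded.
install_verified() {
    asset="$1"; checksums="$2"; dest="$3"
    verify_against_checksums "$asset" "$checksums" || return 1
    install -m 0755 "$asset" "$dest"
}

# Offline demonstration: constructed files stand in for the download.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for the cosign binary\n' > "$tmp/cosign-linux-amd64"
    printf '%s  cosign-linux-amd64\n' "$(sha256_of "$tmp/cosign-linux-amd64")" > "$tmp/cosign_checksums.txt"
    install_verified "$tmp/cosign-linux-amd64" "$tmp/cosign_checksums.txt" "$tmp/cosign" && echo "verified install ok"
    # A modified asset must be rejected.
    printf 'tampered\n' > "$tmp/cosign-linux-amd64"
    if verify_against_checksums "$tmp/cosign-linux-amd64" "$tmp/cosign_checksums.txt" 2>/dev/null; then
        echo "unexpected: tampered file passed"; rm -rf "$tmp"; return 1
    fi
    echo "tampered file rejected"
    rm -rf "$tmp"
}
demo
```

In a Dockerfile the same logic would sit in the RUN step right after the curl download, fetching the checksum list alongside the binary and failing the build on a mismatch, so that an incomplete or substituted asset cannot end up in the image.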

@AkihiroSuda (Member) commented Jan 11, 2022

> cosign-linux-amd64 81.4 MB

Why is this binary so large?
https://github.com/sigstore/cosign/releases/tag/v1.4.1

@developer-guy (Contributor, Author)

> cosign-linux-amd64 81.4 MB
>
> Why is this binary so large? sigstore/cosign@v1.4.1 (release)

idk actually :(

@developer-guy (Contributor, Author)

kindly ping @AkihiroSuda 🙋🏻‍♂️

@developer-guy (Contributor, Author)

kindly ping @AkihiroSuda 🙋🏻‍♂️

@AkihiroSuda (Member) commented Feb 16, 2022

Sorry for going back and forth, but I'd like to see the binary footprint reduced.

I'd expect it to be around 10MB

@dlorenc commented Mar 1, 2022

There's an issue tracking size reduction here: sigstore/cosign#1462

FWIW I don't think 10mb is doable today, the Go binaries are just too large. I've seen it hit ~20mb with compression and stripping out some features.

@developer-guy (Contributor, Author)

WDYT @AkihiroSuda? 🙋🏻‍♂️

@AkihiroSuda (Member)

Thanks, 20MB is probably fine

@developer-guy (Contributor, Author)

I know @AkihiroSuda you don't want to add cosign until its binary size shrinks, but according to the issue[^1], once we generate an SBOM of an image, we should use cosign to attach it to the registry along with an image by default. Also, there is an ongoing issue in Syft to support uploading SBOM results directly to an OCI registry.[^2]

[^1]: https://github.com/containerd/nerdctl/issues/669
[^2]: https://github.com/anchore/syft/issues/592

@developer-guy (Contributor, Author)

kindly ping @AkihiroSuda

@developer-guy (Contributor, Author)

With the latest improvements, the binary size of cosign has shrunk to approximately 70 MB.

```text
exiftool $(which cosign)
ExifTool Version Number         : 12.42
File Name                       : cosign
Directory                       : /Users/batuhan.apaydin/.nix-profile/bin
File Size                       : 71 MB
File Modification Date/Time     : 1970:01:01 02:00:01+02:00
File Access Date/Time           : 2022:11:04 14:17:49+03:00
File Inode Change Date/Time     : 2022:11:04 14:15:38+03:00
File Permissions                : -r-xr-xr-x
File Type                       : Mach-O executable
File Type Extension             :
MIME Type                       : application/octet-stream
CPU Architecture                : 64 bit
CPU Byte Order                  : Little endian
CPU Type                        : x86 64-bit
CPU Subtype                     : i386 (all) 64-bit
Object File Type                : Demand paged executable
Object Flags                    : No undefs, Dyld link, Two level
```

Is it still too big to add this binary into the lima VM?

@AkihiroSuda (Member)

> Mach-O executable

This is a darwin binary, not for Linux.

@developer-guy (Contributor, Author)

for Linux, it is even better, ~64 MB 🙉

```text
$ docker container run --rm -ti nixery.dev/shell/which/exiftool/cosign sh
Unable to find image 'nixery.dev/shell/which/exiftool/cosign:latest' locally
latest: Pulling from shell/which/exiftool/cosign
cc73b673c757: Already exists
29ffb7f35e12: Already exists
822072e9bbcc: Already exists
63dfabb54096: Already exists
db4ba31bfdcb: Already exists
ec7b47b7b623: Already exists
9697a32c6d89: Already exists
59940a9e2484: Already exists
c59b85fffe3e: Already exists
122f0022d7c7: Already exists
465fd702f8d3: Already exists
5c9dd42b7d8d: Pull complete
d14455596f87: Pull complete
Digest: sha256:3bcdf13f245285fd58f0502c97cf4892b49d03a919c9c85755c243a7520eb9d7
Status: Downloaded newer image for nixery.dev/shell/which/exiftool/cosign:latest
sh-5.1# exiftool $(which cosign)
ExifTool Version Number         : 12.49
File Name                       : cosign
Directory                       : /bin
File Size                       : 64 MB
File Modification Date/Time     : 1970:01:01 00:00:01+00:00
File Access Date/Time           : 1970:01:01 00:00:01+00:00
File Inode Change Date/Time     : 2022:11:09 09:31:19+00:00
File Permissions                : -r-xr-xr-x
File Type                       : ELF executable
File Type Extension             :
MIME Type                       : application/octet-stream
CPU Architecture                : 64 bit
CPU Byte Order                  : Little endian
Object File Type                : Executable file
CPU Type                        : AMD x86-64
sh-5.1#
```

developer-guy mentioned this pull request on Nov 16, 2022

@developer-guy (Contributor, Author)

Hello @AkihiroSuda, this PR will fix the problems related to signing and verifying images with cosign because, at the moment, people can't use the new features of nerdctl and nerdctl compose for signing.

#1508
#556

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
@AkihiroSuda (Member)

I think you should try to get the distros to support aptgetting cosign.

If it faces difficulty we can revisit this PR.

@apostasie (Contributor)

Looks like cosign is now providing deb and rpm packages (although delivered from github).

Is this here still relevant in that context?

cc @developer-guy

Successfully merging this pull request may close these issues: install cosign binary to nerdctl-full release to make it extractable in lima