feat: add cosign binary to nerdctl-full #680
Conversation
Please remove this (Line 243 in e785883)
Thank you for bringing it to my attention, I've removed this line. ✌️
echo "- IPFS: ${IPFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md \
ARG COSIGN_VERSION
RUN fname="cosign-${TARGETOS:-linux}-${TARGETARCH:-amd64}" && \
curl -o "${fname}" -fSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}" && \
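Review bot: `ARG COSIGN_VERSION` is declared here with no default value, so a build that does not pass `--build-arg COSIGN_VERSION=...` in this stage expands it to an empty string and the `curl` URL becomes `.../releases/download//cosign-linux-amd64`, which is consistent with the 404 reported below; give the ARG a default in this stage (`ARG COSIGN_VERSION=v1.4.1`) so the build fails loudly rather than silently fetching a wrong path. The binary is also fetched with plain `curl -fSL` and nothing checks what arrived; compare the downloaded file against the release's published checksum for the pinned version before it is copied into the image.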
404
It says so because it seems that COSIGN_VERSION is not replaced in the URL, why is that? I've defined it as an ARG with a value of v1.4.1.
did I do something wrong?
The URL that I'm trying to construct is correct:
- fname=cosign-linux-amd64
- COSIGN_VERSION=v1.4.1
- https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}
👉 https://github.com/sigstore/cosign/releases/download/v1.4.1/cosign-linux-amd64
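The URL construction above, as an added shell example that is not part of the PR or of nerdctl's Dockerfile: the same release URL is built with a guard that fails when COSIGN_VERSION expands to empty (what an undefined build ARG yields inside a RUN line), and the downloaded binary is compared against a pinned SHA-256 before it is installed. `install_cosign`, the placeholder digest and the install path are assumptions of this example, not from the PR.

```shell
#!/usr/bin/env sh
# Added example (not the PR's code): fail closed on an empty version and
# verify the fetched cosign binary against a pinned digest before installing.

# Build the GitHub release URL; refuse to continue if the version is empty,
# which is what an undeclared or unset ARG expands to in a RUN line and
# which would otherwise produce ".../download//cosign-linux-amd64" (a 404).
cosign_release_url() {
    version="$1"; os="${2:-linux}"; arch="${3:-amd64}"
    if [ -z "$version" ]; then
        echo "COSIGN_VERSION is empty; refusing to build the download URL" >&2
        return 1
    fi
    echo "https://github.com/sigstore/cosign/releases/download/${version}/cosign-${os}-${arch}"
}

# Compare a downloaded file's SHA-256 with the pinned digest.
# Returns 0 on match, 1 on mismatch (the file must then be discarded).
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# The full step as it would appear in a RUN line (hypothetical helper).
# "$2" is the pinned digest: take the real value from the cosign release's
# checksum file for the pinned version; the zeros below are a placeholder.
install_cosign() {
    version="$1"; expected="${2:-0000000000000000000000000000000000000000000000000000000000000000}"
    dest="${3:-/usr/local/bin/cosign}"
    url="$(cosign_release_url "$version")" || return 1
    tmp="$(mktemp)"
    curl -fSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    verify_sha256 "$tmp" "$expected" || { rm -f "$tmp"; return 1; }
    install -m 0755 "$tmp" "$dest" && rm -f "$tmp"
}
```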
kindly ping 🙋🏻♂️
Maybe try to echo the same string in your Dockerfile to say if it is expected.
Why is this binary so large?
idk actually :(
kindly ping @AkihiroSuda 🙋🏻♂️
kindly ping @AkihiroSuda 🙋🏻♂️
Sorry for going back and forth, but I'd like to see the binary footprint reduced; I'd expect it to be around 10MB.
There's an issue tracking size reduction here: sigstore/cosign#1462. FWIW I don't think 10mb is doable today, the Go binaries are just too large. I've seen it hit ~20mb with compression and stripping out some features.
WDYT @AkihiroSuda? 🙋🏻♂️
Thanks, 20MB is probably fine
I know @AkihiroSuda you don't want to add cosign until its binary size shrinks, but according to the issue [1], once we generate an SBOM of an image, we should use cosign to attach it to the registry along with an image by default. Also, there is an ongoing issue in Syft to support uploading SBOM results directly to an OCI registry. [2]
kindly ping @AkihiroSuda |
With the latest improvements, the binary size of cosign has shrunk to approximately ~70MB.

exiftool $(which cosign)
ExifTool Version Number : 12.42
File Name : cosign
Directory : /Users/batuhan.apaydin/.nix-profile/bin
File Size : 71 MB
File Modification Date/Time : 1970:01:01 02:00:01+02:00
File Access Date/Time : 2022:11:04 14:17:49+03:00
File Inode Change Date/Time : 2022:11:04 14:15:38+03:00
File Permissions : -r-xr-xr-x
File Type : Mach-O executable
File Type Extension :
MIME Type : application/octet-stream
CPU Architecture : 64 bit
CPU Byte Order : Little endian
CPU Type : x86 64-bit
CPU Subtype : i386 (all) 64-bit
Object File Type : Demand paged executable
Object Flags : No undefs, Dyld link, Two level

Is it still big enough for adding this binary into lima VM?
This is a darwin binary, not for Linux
for Linux, it is even better, ~64 MB 🙉
Hello @AkihiroSuda, this PR will fix the problems related to signing & verifying images with cosign because, at the moment, people can't use the new features of nerdctl and nerdctl compose for signing.
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
I think you should try to get the distros to support apt-getting cosign. If it faces difficulty we can revisit this PR.
Looks like cosign is now providing deb and rpm packages (although delivered from github). Is this still relevant in that context?
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com
fixes #679
cc: @Dentrax