Cosign 2.0 Tracking #2376
Comments
I'd like to propose another thing: conglomerating all the env vars we use for pinning rekor/ct/fulcio keys and creating a Root provider interface, that either uses TUF or populates with any env vars that are enabled. This would be a MAJOR cleanup and help people use cosign in special environments. All commands should ingest Root provider options in the sign/verify/etc options
See also: #2365 especially the proposal to separate the CLI versioning and the library versioning, and the proposal to provide no guarantees about API stability. I'm in favor of a quick, relatively narrow 2.0 (scoped to CLI only) because dropping COSIGN_EXPERIMENTAL is a big win and because a long-lived
Thanks for opening this tracking issue @haydentherapper! +1 to a narrow-scoped 2.0, I think all the tagged issues are in-scope. For the root provider refactor, I'm ok not making it a requirement for 2.0 but if it gets in by the time we're ready to release that would be awesome :)
I think that's fair: if we can make the requirement of ripping out any TUF calls from the internal verification functions I think that would suffice! Doing it quickly makes sense. @vaikas
This would be great: #2222 I can work on it soon |
To some degree, all bugs should technically be fixed before a major release. I think it should be replaced with https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify_blob_attestation.go and we should remove the verify-blob support for attestations. |
This too: #2219 @bobcallaway |
I'd like to add #2382 - This would require that an SCT is provided as proof the certificate is logged in a CT log, unless an insecure flag is provided. This was what we always should have done, but couldn't because old certs didn't have embedded SCTs. |
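The SCT requirement described in the comment above, as an added example written here and not taken from cosign: it extracts the embedded SCT list extension (RFC 6962 OID 1.3.6.1.4.1.11129.2.4.2), rejects malformed lists, and refuses a certificate that carries no SCT unless an insecure flag is passed. The function names, the insecureIgnoreSCT flag and the SCT bytes in the fixture are assumptions; real SCTs are signed structures, and only presence and framing are checked here, not the signature against the CT log key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 section 3.3: the certificate extension that embeds SCTs.
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

var ErrNoSCT = errors.New("certificate carries no embedded SCT; cannot prove it was logged")

// EmbeddedSCTs returns the raw SCT entries. The extension value is an OCTET STRING
// wrapping a TLS list (uint16 total length, then uint16 length-prefixed entries).
func EmbeddedSCTs(cert *x509.Certificate) ([][]byte, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidEmbeddedSCT) {
			continue
		}
		var list []byte
		if rest, err := asn1.Unmarshal(ext.Value, &list); err != nil || len(rest) != 0 {
			return nil, fmt.Errorf("malformed SCT extension: %v", err)
		}
		return splitSCTList(list)
	}
	return nil, nil // no extension at all; callers decide whether that is acceptable
}

func splitSCTList(list []byte) ([][]byte, error) {
	if len(list) < 2 || int(binary.BigEndian.Uint16(list)) != len(list)-2 {
		return nil, errors.New("SCT list length mismatch")
	}
	var scts [][]byte
	for body := list[2:]; len(body) > 0; {
		if len(body) < 2 {
			return nil, errors.New("truncated SCT entry")
		}
		n := int(binary.BigEndian.Uint16(body))
		if body = body[2:]; n == 0 || n > len(body) {
			return nil, errors.New("bad SCT entry length")
		}
		scts, body = append(scts, body[:n]), body[n:]
	}
	return scts, nil
}

// RequireSCT is the proposed 2.0 policy: a certificate counts as logged only if it
// embeds at least one SCT, unless insecureIgnoreSCT is set. Signature checks are the next step.
func RequireSCT(cert *x509.Certificate, insecureIgnoreSCT bool) ([][]byte, error) {
	scts, err := EmbeddedSCTs(cert)
	if err != nil {
		return nil, err
	}
	if len(scts) == 0 && !insecureIgnoreSCT {
		return nil, ErrNoSCT
	}
	return scts, nil
}

// NewSelfSignedCert is a test fixture: a throwaway self-signed certificate that
// embeds the given constructed SCT entries (nil means no SCT extension at all).
func NewSelfSignedCert(scts [][]byte) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sct-example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if scts != nil {
		var body []byte // inverse of splitSCTList
		for _, s := range scts {
			body = append(append(body, byte(len(s)>>8), byte(len(s))), s...)
		}
		list := append([]byte{byte(len(body) >> 8), byte(len(body))}, body...)
		octets, err := asn1.Marshal(list)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: octets}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := NewSelfSignedCert([][]byte{[]byte("constructed-sct-1"), []byte("constructed-sct-2")})
	scts, err := RequireSCT(cert, false)
	fmt.Println(len(scts), err) // 2 <nil>
}
```

The point of treating a malformed list as an error rather than as "no SCT" is that the opt-out flag should only ever cover the legitimate legacy case (old certificates issued before SCTs were embedded), never a certificate whose extension was tampered with or truncated.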
+1 to bugs being fixed, should we set up some time to triage open bugs? |
Agreed, that is dependent on Rekor changes sigstore/rekor#1139 and sigstore/rekor#1144 going live in production |
Would like to add #1762 so that Cosign stops calling the legacy API for Fulcio |
Another AI, we need to update documentation and blog posts |
We did some triaging in the GA sync for PRs and issues that we would like to include in 2.0 and a 2.0 release candidate:
Maybe blockers:
Okay, all our RC-blockers are merged. CC @cpanato can you help cut a 2.0 rc1 when you get a chance? |
For 2.0, I’d like to also update the timestamp verification to use the latest version once we cut a new release. We should also verify the timestamp on signing, #2488 |
We need to remove references to
I have updated the list of pending issues:
Maybe blockers:
Happy new year! Going to ping everyone for status updates for the remaining PRs:
I do want to get #2482 done, but I can probably only return to that next month or so. IIRC there are no functional changes remaining (the timestamp semantics changes have already been merged), it’s “just” structural cleanup now.
Thanks, so I think we can remove it as a blocker then if it’s just internal cleanup. |
FWIW, my wish for 2.0 would be to change the cosign payload, and the I realize this is probably not the time or place (and I haven’t done any work towards this), I’m bringing it up just in case circumstances happen to align…
Do you want to chime in on #2047 about that? |
I'm curious if it's worth to include the #1532 for legacy annotation changes. |
I’d lean towards not including it to minimize more breaking changes and making it harder to adopt, but we should track that for a future major release (we’ve talked about reworking CLI flags for that for example) |
I've updated #2376 (comment) to move two issues into a fast followup release, as they aren't breaking changes but we do want to resolve them soon. |
Where are we at with Cosign 2.0? RC1 has been available for the better part of a week: https://github.com/sigstore/cosign/releases/tag/v2.0.0-rc.1 I would actually like to request including #2674 which fixes a regression for prompts on Windows but otherwise I'm ready to pull the trigger. CC @priyawadhwa |
Adding proper error codes would be a great improvement for any type of integration: #2742. At Connaisseur, we tend to struggle with parsing the unhandled and frequently changing outputs of cosign which complicates interpretation of the validation result. I would propose returning proper error codes. Would be great to improve compatibility. |
2.0 is out, so closing |
Description
This is an issue to track Cosign 2.0, with the primary change being the removal of the experimental flag. I've added some initial issues I think would be in scope, feel free to discuss and edit. We should also triage open bugs.
- cosign inspect command. #2210
- cosign verify invocations #2056
There's also the open question of sigstore-go - Should Cosign 2.0 also involve the redesign of the Cosign API? I'm thinking no, let's narrowly scope 2.0 to focus on client work to support GA, and a 3.0 release could be focused on library redesign.
cc @znewman01 @priyawadhwa