Support the protobuf bundle format in Cosign #3139
Comments
@haydentherapper I'm interested in working on this. Can we move this forward? A summary of this patch is:
This patch is a work in progress, and if you agree with the direction, I could add support for attest-blob and verify, refactor redundant implementations, add tests, etc. Having said that, I'm concerned about the following points at the moment:
Hey @wata727, sorry for the delay, I will reply to this next week! I do have lots of thoughts on this and really appreciate you taking a look!
@wata727 are you still working on this? Do you want to go ahead and submit your patch as a PR so it can be reviewed?
My understanding is eventually cosign will leverage sigstore-go more and more, so it should be fine to add as a dependency.
My original motivation was solved by GitHub introducing Artifact Attestations, so to be honest I don't have any motivation to move forward with this right now. So if you have your own plans, feel free to reject my patch. However, if you think my patch could be useful in your work, I'd be happy to submit a PR.
One other previous attempt: #3138
@cmurphy I'm thinking about making a pull request for:
but I wanted to check with you first to see if you've already started on that. If not, I could break that item out into a separate issue and assign that to myself? Otherwise, if I should just be patient, that's fine too.
@steiza I have not started on this, go for it
FYI while #3752 is waiting for reviews I am also starting to work on:
It's quite a bit harder! Additionally, I think we should add something like
For identity flags, are they under https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify.go#L113?
This pull request addresses the first part of #3139: adding protobuf bundle support for cosign sign-blob and cosign attest-blob. Signed-off-by: Zach Steindler <steiza@github.com>
Part of sigstore#3139 Signed-off-by: Zach Steindler <steiza@github.com>
Okay, while waiting for reviews on #3796, I started working on conformance testing. For the most part it went smoothly, but there's one last test failure that might be a bit tricky to resolve. I was assuming that for conformance testing, However, there are conformance tests that use
I know we've agreed that we should tread lightly to avoid regression in cosign's existing verification logic as we add bundle support, but I do think it would be smart to begin adding support for the TrustedRoot for existing verification code paths with a plan to deprecate the existing TUF custom metadata format. We can't upgrade to go-tuf v2 until we do that, as go-tuf v2 is more opinionated about following spec and disallows iterating over targets as we are currently doing.
…#3796) * Add new bundle support to `verify-blob` and `verify-blob-attestation` Part of #3139 Signed-off-by: Zach Steindler <steiza@github.com> * fix error message Signed-off-by: Zach Steindler <steiza@github.com> * Use sigstore-go v0.5.1 for cert issuer regex support Signed-off-by: Zach Steindler <steiza@github.com> * Use more specific `WithIntegratedTimestamps` with tlog verification Signed-off-by: Zach Steindler <steiza@github.com> --------- Signed-off-by: Zach Steindler <steiza@github.com>
I am very supportive of adding support for the trusted root format in Cosign. The only regression to consider is for private instances that have deployed their own TUF repos using the custom metadata for target selection. We can make any changes to the internals of Cosign for selection of which trusted root, eg changing fulcio root selection to use the Adding support for specifying a trusted root via CLI should be straightforward. For fetching roots via TUF, I'd recommend we initialize two TUF clients, the new and old one, and merge targets fetched from the old TUF client (which would handle private deployments with the custom metadata) into the How does that sound?
Background
Sigstore created a common format in sigstore/protobuf-specs for the output from Sigstore clients. sigstore-python, sigstore-java and sigstore-js currently support the bundle format. Golang currently does not support the bundle: sigstore-go is under active development, and Cosign has defined its own format.
Requirements
cosign sign-blob or cosign attest-blob
cosign verify-blob or cosign verify-blob-attestation
Secondary goals
cosign sign or cosign attest
cosign verify or cosign verify-attestation
Nice to haves
cosign attach
Resources
Justification for sign-blob being a P0 and sign being a P1 is that OCI handles storage already, so it's less critical to have a new format.
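The issue contrasts the protobuf-specs bundle (which the other clients emit) with the format Cosign defined for itself, and the requirements centre on verify-blob consuming the new format. The following is an added example, not code from the issue or from the cosign/sigstore-go projects: a stdlib-only Python parser that tells the two formats apart, checks the structural invariants of a protobuf bundle (media type, signer material, exactly one of messageSignature/dsseEnvelope), and confirms that the bundle's message digest is bound to the artifact being verified. It does no signature, certificate or transparency-log verification; the certificate and signature bytes in the constructed sample are placeholders, and the legacy-format key names (base64Signature, cert, rekorBundle) are assumed from Cosign's own bundle output.

```python
import base64
import hashlib
import hmac
import json

# Media types defined by sigstore/protobuf-specs for the bundle versions in use.
SUPPORTED_MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "application/vnd.dev.sigstore.bundle.v0.3+json",
}

# Constructed sample artifact; the sample bundle below is built around it.
SAMPLE_ARTIFACT = b"hello, sigstore\n"


class BundleError(ValueError):
    """Raised when a document is not a well-formed protobuf bundle."""


def make_sample_bundle(artifact: bytes) -> str:
    """Build a constructed v0.3 bundle around `artifact`.

    Certificate and signature values are placeholders (assumption: they would
    never verify); only the digest binding is real.
    """
    digest = hashlib.sha256(artifact).digest()
    bundle = {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": base64.b64encode(b"PLACEHOLDER-DER-CERT").decode()},
            "tlogEntries": [],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256", "digest": base64.b64encode(digest).decode()},
            "signature": base64.b64encode(b"PLACEHOLDER-SIGNATURE").decode(),
        },
    }
    return json.dumps(bundle)


def detect_format(text: str) -> str:
    """Classify a JSON document as 'protobuf-bundle', 'cosign-legacy' or 'unknown'."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("mediaType") in SUPPORTED_MEDIA_TYPES:
        return "protobuf-bundle"
    # Cosign's pre-bundle output: base64Signature plus optional cert / rekorBundle.
    if "base64Signature" in doc and ("cert" in doc or "rekorBundle" in doc):
        return "cosign-legacy"
    return "unknown"


def load_bundle(text: str) -> dict:
    """Parse a protobuf bundle and enforce its structural invariants."""
    bundle = json.loads(text)
    media = bundle.get("mediaType") if isinstance(bundle, dict) else None
    if media not in SUPPORTED_MEDIA_TYPES:
        raise BundleError(f"unsupported or missing mediaType: {media!r}")
    material = bundle.get("verificationMaterial")
    if not isinstance(material, dict):
        raise BundleError("missing verificationMaterial")
    # The signer is identified by a leaf certificate, a chain, or a public key hint.
    if not any(k in material for k in ("certificate", "x509CertificateChain", "publicKey")):
        raise BundleError("verificationMaterial carries no signer identity")
    # The content is a oneof: a blob signature or a DSSE envelope, never both.
    if ("messageSignature" in bundle) == ("dsseEnvelope" in bundle):
        raise BundleError("bundle must carry exactly one of messageSignature or dsseEnvelope")
    return bundle


def artifact_matches(bundle: dict, artifact: bytes) -> bool:
    """Return True if the bundle's messageDigest equals SHA-256 of `artifact`.

    A DSSE bundle binds the artifact inside the in-toto statement instead, so
    this check does not apply to it and returns False.
    """
    message_signature = bundle.get("messageSignature")
    if message_signature is None:
        return False
    message_digest = message_signature.get("messageDigest", {})
    if message_digest.get("algorithm") != "SHA2_256":
        raise BundleError(f"unsupported digest algorithm: {message_digest.get('algorithm')!r}")
    expected = base64.b64decode(message_digest["digest"])
    actual = hashlib.sha256(artifact).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    text = make_sample_bundle(SAMPLE_ARTIFACT)
    parsed = load_bundle(text)
    print(detect_format(text), "digest bound:", artifact_matches(parsed, SAMPLE_ARTIFACT))
```

The digest check is the cheap, offline half of what verify-blob does with a bundle: a bundle whose messageDigest does not match the supplied file should be rejected before any certificate or Rekor work is attempted, and the format detection is the switch a client needs while both Cosign's legacy output and the protobuf bundle are accepted.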