Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Publish cosign binaries to Sonatype OSSRH #74

Closed
vlsi opened this issue Aug 10, 2022 · 8 comments
Closed

Publish cosign binaries to Sonatype OSSRH #74

vlsi opened this issue Aug 10, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@vlsi
Copy link
Collaborator

vlsi commented Aug 10, 2022

Description

I suggest adding a module to publish cosign binaries to Central.
That would enable consumers to download the needed binaries and execute cosign CLI.

See how protobuf plugin locates protoc binary: https://github.com/google/protobuf-gradle-plugin#locate-external-executables

An alternative option is to add publishing to cosign project itself.

@vlsi vlsi added the enhancement New feature or request label Aug 10, 2022
@loosebazooka
Copy link
Member

An alternative option is to add publishing to cosign project itself.

I think this makes the most sense. I wonder if we can write the action here and execute on cosign releases?

@vlsi
Copy link
Collaborator Author

vlsi commented Aug 10, 2022

I have not explored how cosign is released, however, I just assumed that publishing cosign-as-jar would be easier from Gradle-based project (it could include Gradle Metadata for easier usage by consumers), and adding Gradle build to cosign might sound strange

@loosebazooka
Copy link
Member

Yeah I don't mind doing it here if we can trigger by watching for new "releases" from cosign

@vlsi
Copy link
Collaborator Author

vlsi commented Aug 10, 2022

I guess it implies the current project should becomes multi-module one

@loosebazooka
Copy link
Member

It could also just be multiple projects (or a new repo)

@vlsi
Copy link
Collaborator Author

vlsi commented Aug 10, 2022

I'm inclined that co-locating into a single repo might be easier to manage.

For instance, what if people want to have rekor-api and fulcio-api as separate dependencies?
What if they want cosign-binary-wrapped-as-java-api as yet another dependency?
It looks like having a single repo makes it easier to slice the modules (e.g. to reduce the attack surface), and it would probably reduce the buildscript churn.

Frankly speaking, I think it might be fine to have both low-level Java libraries, Gradle, and maybe even Maven plugins within a single repository.

@vlsi
Copy link
Collaborator Author

vlsi commented Sep 20, 2022

It turns out cosign binaries are like 80-140 MiB, so I'm not sure we want to duplicate those releases to Central.
We might want to wait on the outcome of sigstore/cosign#1462 first.

https://github.com/sigstore/cosign/releases/tag/v1.12.0

88.5 MB cosign-darwin-amd64
82.1 MB cosign-linux-arm64
144 MB cosign-windows-amd64.exe

@loosebazooka
Copy link
Member

probably not doing this in the near future

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants