syft attest --output cyclonedx-json incompatible with cosign #1268
Comments
See related comment: in-toto/attestation#82 (comment)
This addresses Issue anchore#1268 Signed-off-by: Arnaud J Le Hors <[email protected]>
It turns out that syft is using the predicate the CycloneDX project has selected (see CycloneDX/specification#132) so the issue ends up being more on the cosign side. I submitted a PR to update in-toto after which the incompatibility will disappear. It would still be good for syft to pull the definition from the in-toto project directly rather than have its own definition so I suggest keeping this open until that change is made with PR #1270
Fixed with PR #1270
Thank you @lehors for all the help on this one!
What happened:
Produced an attestation with syft but cosign verify-attestation couldn't find it.
What you expected to happen:
cosign verify-attestation should successfully verify the attestation produced by syft
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
The problem comes from syft using "https://cyclonedx.org/bom" as the predicate while cosign uses "https://cyclonedx.org/schema" defined in-toto-golang
Environment:
Output of syft version:
Application: syft
Version: 0.58.0
JsonSchemaVersion: 4.0.0
BuildDate: 2022-09-29T19:59:22Z
GitCommit: b9b13d5
GitDescription: v0.58.0
Platform: darwin/amd64
GoVersion: go1.18.6
Compiler: gc
OS (cat /etc/os-release or similar): MacOS
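As an added diagnostic example (not code from syft, cosign or this issue), the Go snippet below decodes a constructed, unsigned DSSE envelope and reports the predicateType that a verifier's type filter compares against, which is why an attestation emitted with "https://cyclonedx.org/bom" is not found by a verifier expecting "https://cyclonedx.org/schema". The constant names, the struct names and the MakeEnvelope helper are assumptions made for this example; the payloadType and Statement `_type` values are the standard in-toto ones.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// The two predicateType URIs named in the issue (constant names are this example's own).
const (
	PredicateSyftBOM   = "https://cyclonedx.org/bom"    // emitted by syft 0.58.0
	PredicateInTotoCDX = "https://cyclonedx.org/schema" // expected by in-toto-golang / cosign
)
// envelope and statement are the subsets of a DSSE envelope and an in-toto Statement this check reads.
type envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the in-toto Statement JSON
}
type statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
}
// PredicateTypeOf returns the predicateType in a DSSE envelope's payload; no signature is checked.
func PredicateTypeOf(env []byte) (string, error) {
	var e envelope
	if err := json.Unmarshal(env, &e); err != nil {
		return "", fmt.Errorf("envelope: %w", err)
	}
	raw, err := base64.StdEncoding.DecodeString(e.Payload)
	if err != nil {
		return "", fmt.Errorf("payload: %w", err)
	}
	var s statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", fmt.Errorf("statement: %w", err)
	}
	return s.PredicateType, nil
}

// MakeEnvelope builds a constructed, unsigned envelope carrying the given predicateType (sample input).
func MakeEnvelope(predicateType string) []byte {
	stmt, _ := json.Marshal(statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: predicateType})
	env, _ := json.Marshal(envelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(stmt)})
	return env
}

func main() {
	got, _ := PredicateTypeOf(MakeEnvelope(PredicateSyftBOM))
	fmt.Printf("attestation %q vs verifier filter %q: match=%v\n", got, PredicateInTotoCDX, got == PredicateInTotoCDX)
}
```

Running it against a real attestation (for example one exported from the registry) shows the same mismatch the issue describes; the fix is to align the predicate URIs on both sides, not to relax the filter.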