Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix: Drop the
CosignPredicate
wrapper around SBOM attestations.
🐛 This change drops the `CosignPredicate` that `cosign` wraps around SPDX/CycloneDX attestations. Currently `cosign` wraps SPDX and CycloneDX attestations produced via their shortnames (`cosign attest --type {spdxjson|cyclonedx}`) in a `CosignPredicate` envelope. However, the whole point of the in-toto `predicateType` is to specify the schema of the `predicate`, and despite using the SPDX and Cyclone predicate type URIs, this envelope violates their schema with the extra layer. Moreover, if users were to attest these SBOMs with the explicit predicate type URI: ``` cosign attest --type https://spdx.dev/Document ... ``` Then `cosign` will NOT add this additional envelope, which makes it effectively impossible to know the schema to use for policy validation based strictly on the `predicateType` because even `cosign` will produce these attestations both ways. Fixes: #2126 /kind bug Signed-off-by: Matt Moore <[email protected]>
- Loading branch information