Skip to content

Commit

Permalink
.cosign -> .sig (#287)
Browse files Browse the repository at this point in the history
Signed-off-by: Jake Sanders <[email protected]>
  • Loading branch information
Jake Sanders authored Apr 30, 2021
1 parent ef10689 commit e96653f
Show file tree
Hide file tree
Showing 5 changed files with 16 additions and 10 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

## v0.4.0 (pending)

### Action Required

* Signatures created with `cosign` before v0.4.0 are not compatible with those created after

### Enhancements

* Support for Hashicorp vault as a KMS provider has been added
Expand Down
6 changes: 3 additions & 3 deletions SPEC.md
Original file line number Diff line number Diff line change
Expand Up @@ -124,14 +124,14 @@ If the object is referenced by tag, the tag must first be resolved to a digest.
Then the digest of the object (of the form `sha256:abcdef...`) is encoded into a tag name using the following rules:

* Replace the `:` character with a `-`
* Append the `.cosign` suffix
* Append the `.sig` suffix

Example digest->tag mapping:

1. Start with `gcr.io/dlorenc-vmtest2/demo:latest`
2. Resolve this to a digest: `sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`
3. Follow the encoding rules: `sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.cosign`
4. Signature can be found at `gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.cosign`
3. Follow the encoding rules: `sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig`
4. Signature can be found at `gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig`

Implementations MAY store signatures objects in the same OCI repository as the target image or a different one.

Expand Down
2 changes: 1 addition & 1 deletion pkg/cosign/fetch.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ type SignedPayload struct {
func Munge(desc v1.Descriptor) string {
// sha256:... -> sha256-...
munged := strings.ReplaceAll(desc.Digest.String(), ":", "-")
munged += ".cosign"
munged += ".sig"
return munged
}

Expand Down
12 changes: 6 additions & 6 deletions pkg/cosign/upload_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,32 +34,32 @@ func TestDestinationTag(t *testing.T) {
{
desc: "don't specify repo",
image: "gcr.io/test/test",
want: "gcr.io/test/test:sha256-digest.cosign",
want: "gcr.io/test/test:sha256-digest.sig",
}, {
desc: "replace repo",
image: "gcr.io/test/image",
repo: "gcr.io/new",
want: "gcr.io/new/image:sha256-digest.cosign",
want: "gcr.io/new/image:sha256-digest.sig",
}, {
desc: "image has subrepos",
image: "gcr.io/test/image/sub",
repo: "gcr.io/new",
want: "gcr.io/new/image/sub:sha256-digest.cosign",
want: "gcr.io/new/image/sub:sha256-digest.sig",
}, {
desc: "repo has subrepos",
image: "gcr.io/test/image/sub",
repo: "gcr.io/new/subrepo",
want: "gcr.io/new/subrepo/image/sub:sha256-digest.cosign",
want: "gcr.io/new/subrepo/image/sub:sha256-digest.sig",
}, {
desc: "replace not gcr repo",
image: "test/image",
repo: "newrepo",
want: "index.docker.io/newrepo/image:sha256-digest.cosign",
want: "index.docker.io/newrepo/image:sha256-digest.sig",
}, {
desc: "e2e test",
image: "us-central1-docker.pkg.dev/projectsigstore/cosign-ci/test",
repo: "us-central1-docker.pkg.dev/projectsigstore/subrepo",
want: "us-central1-docker.pkg.dev/projectsigstore/subrepo/cosign-ci/test:sha256-digest.cosign",
want: "us-central1-docker.pkg.dev/projectsigstore/subrepo/cosign-ci/test:sha256-digest.sig",
},
}

Expand Down
2 changes: 2 additions & 0 deletions test/e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,8 @@ func TestDuplicateSign(t *testing.T) {
}

func TestKeyURLVerify(t *testing.T) {
// TODO: re-enable once distroless images are being signed by the new client
t.Skip()
// Verify that an image can be verified via key url
keyRef := "https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub"
img := "gcr.io/distroless/base:latest"
Expand Down

0 comments on commit e96653f

Please sign in to comment.