-
Notifications
You must be signed in to change notification settings - Fork 548
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cosign signing bundles #2131
Comments
This initiative is great, and as I'm working on a similar concept but for attestations, where the actual payload is captured in the signature file, I was inspired by this and so created this proposal: #2147. |
Fantastic! Attestations was a distant blip on my radar for blobs but I was getting an uneasy feeling that they applied here. I'm very happy to see you connect the dots with this proposal. It makes complete sense to me that simple signatures couple be folded into some kind of attestation type so that we can use the same format across these very similar use-cases. Merging these proposals seem trivial at first glance assuming that the binary signature as an attestation makes sense to the sigstore experts. |
What would be the next step? I read through the linked google doc again, the Filespec table is what needs to be updated. The sections on cli signing and verification is still valid I reckon. The need we have right now, is not to introduce a new cli option (that can come at a later phase if it's desired). Aligning on detached, actionable signature files is what I would like to see now. So the two attestations type known to me right now are: attestation/blob
attestation/dsse
In this proposal, there is a version field, in the example I could find this: |
The only real downside to using attestations for everything is that then you'll need DSSE, which means its a bit harder of a transtion for folks. You can't really directly verify it with openssl or other command line tools. |
I'd argue that that's a plus—openssl can't verify the timestamps from Rekor, so it's a little bit of false security. Useful for debugging but we don't really want regular users doing this. IMO if we want that functionality, it belongs behind a |
This would only be true for the the |
Seems like everybody is onboard. @kommendorkapten I just gave you edit access to the doc. Feel free to update or suggest changes to the spec and I'll fold them in. |
Confirmed with @patflynn this doesn't require any changes to rekor, dropping ga-candidate. |
As an update: there is a draft of the signature file format in this repo: https://github.com/sigstore/protobuf-specs We are experimenting with it in various Sigstore clients. |
We're ready to pull this into Cosign, gated behind a |
Closing as dupe of (newer but more concise) #3139 |
Details of this proposal available in this Google Doc.
Summary
The current
sign-blob
command and documentation steer the user towards producing two files (raw sig and cert) for each signing operation. This is not ideal because:cosign sign
command for OCI images which produces just one signing artifact.These issues are likely to exacerbate inconsistencies across package manager and language ecosystems as each platform could produce a different combination of sig|cert|bundle.
Our proposal produces a default blob signing and verification path that produces just one complete artifact supporting all verification use-cases.
At this stage mainly looking for feedback/sanity check. Some details left to be worked out. Very happy to take suggestions for improvements.
The text was updated successfully, but these errors were encountered: