
Custom Annotation Support for Attestations #2476

Open
chaospuppy opened this issue Nov 21, 2022 · 2 comments
Labels
enhancement New feature or request oci Integration between Sigstore and OCI registries/images

Comments

chaospuppy (Contributor) commented Nov 21, 2022

Description

Currently, when using cosign download attestation, every attestation attached to the artifact is returned, which forces additional parsing to take place client-side using tools like jq to decode and filter out only the desired attestation (based on predicateType, for example). Adding support for annotations on artifact layers would achieve a few things:

  1. It would make retrieval of the desired attestation using the cosign CLI trivial (cosign download attestation --annotation foo=bar <image>)
  2. Verifying a particular attestation would also be trivial with cosign verify-attestation --annotation <image>
  3. It would have the side effect of making the annotations visible as part of what gets returned by the v2 registry API, which means any language with basic support for making requests would be able to locate the desired attestation (albeit without attestation verification via cosign verify-attestation)

This idea had been brought up before in #1773 and a PR was opened for it in #1934. That PR was ultimately closed due to concerns over how the annotation itself could be verified as part of the payload. I had suggested that perhaps the annotation is specified in both the manifest for the layer and in the payload itself. In this way, the annotation could be used to filter the desired layer without the need to download all attestations and decode them using an external tool like jq, and the verify-attestation would be performed by first validating the payload signature and then making sure the user-provided --annotation value matched the annotation in the signed payload.

I'd be willing to contribute a PR to try to provide this, if it sounds like a good idea.

chaospuppy added the enhancement label Nov 21, 2022

znewman01 (Contributor):

@asraa WDYT?

znewman01 added the oci label Nov 22, 2022

chaospuppy (Contributor, Author):

I’ve created #2484, which partially solves this by reusing the predicateType as an annotation on the attestation manifest. This exposes the predicateType to simple GET requests, which helps external tools not written in Go have an easier time of finding a particular attestation, and can also be used to be more selective about which attestation should be output with cosign download attestation --predicate-type <string>. Arbitrary annotations are probably still desirable for some use cases though.
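
The two client-side flows discussed in this thread (the jq-style filtering of everything `cosign download attestation` returns, and the "select by manifest annotation, then verify against the signed payload" split proposed in the opening comment and partially implemented for predicateType in #2484), as an added example that is not part of the issue and not cosign's own code. It assumes `cosign download attestation` prints one DSSE envelope per line (payloadType, base64 payload, signatures) wrapping an in-toto Statement, and that the annotation key is `predicateType`; the envelopes, the `.att` manifest and the HMAC "signing key" are constructed here so the script runs offline, the HMAC standing in for cosign's real signature verification. The order in `verify_attestation` is the point: the manifest annotation is never covered by the signature, so it may only pick the layer to fetch, and the `--annotation` / `--predicate-type` value has to be re-checked against the payload after the signature passes.

```python
"""Client-side handling of `cosign download attestation` output and the
selection/verification split sketched in this issue.  Added example, not
cosign code: the envelopes, manifest and HMAC "signing key" are constructed
so it runs offline, and the annotation key name is assumed."""
import base64
import hashlib
import hmac
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
ANNOTATION_KEY = "predicateType"               # assumed key name for the #2484 annotation
DEMO_KEY = b"demo-key-not-a-real-signing-key"  # constructed stand-in for cosign's real key


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes a DSSE signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def demo_sign(data: bytes) -> bytes:
    """HMAC stand-in for the real signature; only the verify-then-compare order matters here."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)


def make_envelope(predicate_type: str, predicate: dict) -> str:
    """One DSSE envelope line around an in-toto Statement, as cosign prints them."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": predicate_type,
                 "subject": [{"name": "registry.example/app", "digest": {"sha256": "ab" * 32}}],
                 "predicate": predicate}
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = demo_sign(pae(INTOTO_PAYLOAD_TYPE, payload))
    return json.dumps({"payloadType": INTOTO_PAYLOAD_TYPE,
                       "payload": base64.b64encode(payload).decode(),
                       "signatures": [{"keyid": "", "sig": base64.b64encode(sig).decode()}]})


# Constructed: the three lines `cosign download attestation <image>` would print.
ENVELOPES = [
    make_envelope("https://slsa.dev/provenance/v0.2", {"builder": {"id": "https://ci.example/builder"}}),
    make_envelope("https://spdx.dev/Document", {"spdxVersion": "SPDX-2.3"}),
    make_envelope("https://cosign.sigstore.dev/attestation/vuln/v1", {"scanner": {"uri": "pkg:demo/scanner"}}),
]
DOWNLOAD_OUTPUT = "\n".join(ENVELOPES) + "\n"


def decode_statement(envelope: dict) -> dict:
    return json.loads(base64.b64decode(envelope["payload"]))


def filter_by_predicate_type(download_output: str, predicate_type: str) -> list:
    """What the jq post-processing does today: decode every payload, keep the match."""
    statements = [decode_statement(json.loads(l)) for l in download_output.splitlines() if l.strip()]
    return [s for s in statements if s.get("predicateType") == predicate_type]


def build_manifest(envelopes: list, relabel: dict = None) -> tuple:
    """Constructed .att manifest: one layer per envelope with predicateType mirrored as
    an annotation.  `relabel` forges the annotation on a layer for the demo."""
    layers, blobs = [], {}
    for i, line in enumerate(envelopes):
        digest = "sha256:" + hashlib.sha256(line.encode()).hexdigest()
        real_type = decode_statement(json.loads(line))["predicateType"]
        layers.append({"mediaType": "application/vnd.dsse.envelope.v1+json",
                       "digest": digest, "size": len(line),
                       "annotations": {ANNOTATION_KEY: (relabel or {}).get(i, real_type)}})
        blobs[digest] = line
    return {"schemaVersion": 2, "layers": layers}, blobs


def select_layers(manifest: dict, predicate_type: str) -> list:
    """Selection from the manifest alone (one registry GET, no payload decoding).
    The annotation is not signed, so this is only a hint of where to look."""
    return [l for l in manifest["layers"]
            if l.get("annotations", {}).get(ANNOTATION_KEY) == predicate_type]


def verify_attestation(envelope_line: str, expected_predicate_type: str, verify=demo_verify) -> tuple:
    """Verify the signature over the PAE first, then require the *signed* payload to
    carry the predicateType the caller asked for; never trust the manifest annotation."""
    envelope = json.loads(envelope_line)
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    if not any(verify(signed, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        return False, "signature verification failed"
    statement = json.loads(payload)
    if statement.get("predicateType") != expected_predicate_type:
        return False, "annotation does not match signed payload"
    return True, statement


if __name__ == "__main__":
    slsa = "https://slsa.dev/provenance/v0.2"
    print(filter_by_predicate_type(DOWNLOAD_OUTPUT, "https://spdx.dev/Document"))
    manifest, blobs = build_manifest(ENVELOPES)
    print([verify_attestation(blobs[l["digest"]], slsa)[0] for l in select_layers(manifest, slsa)])
    # Someone with write access relabels the SBOM layer as provenance: selected, then rejected.
    forged, blobs = build_manifest(ENVELOPES, relabel={1: slsa})
    print([verify_attestation(blobs[l["digest"]], slsa) for l in select_layers(forged, slsa)])
```

The forged-manifest case is why the PR in #1934 was closed: anyone who can push to the `.att` tag can rewrite layer annotations without invalidating a single signature, so a client that trusts the annotation alone can be handed an SBOM when it asked for provenance. Here the relabeled layer is still selected (the manifest says provenance) but rejected once the signed payload is decoded, while an edited payload fails earlier at the signature step.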
