CLI Design: Uploading Other Things #368
Comments
|
Note: all of these commands would be able to work with the current "naming convention" based discovery mechanism, but I think they also would work fine with the either of the two References proposals in the OCI specification as well. |
|
@jonjohnsonjr I made this for you: |
|
Can cosign return the reference to the SBOM/Signature manifest so some other tool can use it to manage things like tracking original images and blobs? What about signed content, for example, signing an SBOM and producing a detached signature? |
|
Yup! I'll try to show how that would work in the diagram. It's actually the nice thing about treating the SBOMs as "first class" images, you can sign them just like normal ones. The only difference is they have a funny name. |
|
Getting more crowded, but hopefully this helps! |
This is in preparation for #368. Signed-off-by: Dan Lorenc <[email protected]>
This is in preparation for #368. Signed-off-by: Dan Lorenc <[email protected]>
This is in preparation for #368. Signed-off-by: Dan Lorenc <[email protected]>
Description
Right now we have:
cosign uploadwhich uploads a "thing" but treats it as a signature. This is designed for usage in workflows that require signing with strategies unsupported by cosign (HSMs, other scripts), but still wish to use the rest of the cosign signature spec.We also have
cosign upload-blobwhich uploads a generic binary blob as an OCI Artifact, with nothing to do with the rest of the cosign spec. This is designed as something that would be signed after it is uploaded.We also have a WIP CLI for uploading WASM, which follows a separate WASM specification for how to layout WASM blobs in an OCI registry, defined here.
I can think of a few other things we might want to upload as well (SBOMs, In-Toto Attestations, etc.), which complicates the CLI design a bit.
Description
There are two basic classes of things we're uploading (new things and references to existing things). Let's split these out into two sub-trees.
Upload
cosign upload blob <blob>cosign upload wasm <wasm>Attach
cosign attach attestation -f <attestation> <image>cosign attach sbom -f <sbom> <image>cosign attach signature -f <sig> <image>For storing in the registry, signatures will use the cosign signature spec. We'll define new ones for attestations and SBOMs, but a rough idea for now is that we can use the
suffixto locate and differentiate..sigfor signatures,.sbom(or maybe.spdx?) for SBOMs, etc.Questions
Should SBOMs be a type of attestation, or their own suffix? We can use
mediaTypeson each layer within the overall wrapper object to differentiate between formats. My initial hunch is no. An attestation is typically signed itself, so if someone did have a signed SBOM they could upload it using an attestation.The text was updated successfully, but these errors were encountered: