Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: Drop the CosignPredicate wrapper around SBOM attestations. #2718

Merged
merged 1 commit into from
Feb 13, 2023

Commits on Feb 11, 2023

  1. Fix: Drop the CosignPredicate wrapper around SBOM attestations.

    🐛 This change drops the `CosignPredicate` that `cosign` wraps around SPDX/CycloneDX attestations.
    
    Currently `cosign` wraps SPDX and CycloneDX attestations produced via their shortnames (`cosign attest --type {spdxjson|cyclonedx}`) in a `CosignPredicate` envelope.
    
    However, the whole point of the in-toto `predicateType` is to specify the schema of the `predicate`, and despite using the SPDX and Cyclone predicate type URIs, this envelope violates their schema with the extra layer.
    
    Moreover, if users were to attest these SBOMs with the explicit predicate type URI:
    ```
    cosign attest --type https://spdx.dev/Document ...
    ```
    
    Then `cosign` will NOT add this additional envelope, which makes it effectively impossible to know the schema to use for policy validation based strictly on the `predicateType` because even `cosign` will produce these attestations both
    ways.
    
    Fixes: sigstore#2126
    
    /kind bug
    
    Signed-off-by: Matt Moore <[email protected]>
    mattmoor committed Feb 11, 2023
    Configuration menu
    Copy the full SHA
    7c68406 View commit details
    Browse the repository at this point in the history