Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump to Cosign v2.0.0 rc.3 #602

Merged
merged 8 commits into from
Feb 22, 2023
Merged

Conversation

hectorj2f
Copy link
Collaborator

@hectorj2f hectorj2f commented Feb 21, 2023

Summary

Adapt code to changes in cosign v2.0.0-rc.3 where several things changed, especially the predicate type verifications.

Release Note

  • Use cosign v2.0.0-rc.3
    • BREAKING: Any attestation verification will now use the RFC 3986 compliant URIs (adds https://) so that the predicate types must be compliant with the in-toto specification, e.g. https://cosign.sigstore.dev/attestation/vuln/v1.
    • BREAKING: This new cosign version also removes the CosignPredicate envelope that wraps the predicates of SPDX and CycloneDX attestations. Therefore, policies must specify the explicit predicate type, e.g. https://spdx.dev/Document. In addition to that, any occurrence of predicate Data block should be now removed from any policy. As an example, a predicate such as predicate: Data: spdxVersion: ... should be replaced by predicate: spdxVersion: ..., e.g. predicate: Data: specVersion: ... --> predicate: specVersion: ....

Documentation

dependabot bot and others added 6 commits February 18, 2023 11:05
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.0.0-rc.2 to 2.0.0-rc.3.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](sigstore/cosign@v2.0.0-rc.2...v2.0.0-rc.3)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
Signed-off-by: Hector Fernandez <[email protected]>
@hectorj2f hectorj2f added the enhancement New feature or request label Feb 21, 2023
@hectorj2f hectorj2f self-assigned this Feb 21, 2023
@codecov
Copy link

codecov bot commented Feb 21, 2023

Codecov Report

Merging #602 (703f4f0) into main (c74244f) will increase coverage by 0.11%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main     #602      +/-   ##
==========================================
+ Coverage   54.94%   55.05%   +0.11%     
==========================================
  Files          45       45              
  Lines        4752     4757       +5     
==========================================
+ Hits         2611     2619       +8     
+ Misses       1936     1934       -2     
+ Partials      205      204       -1     
Impacted Files Coverage Δ
pkg/webhook/validator.go 62.33% <50.00%> (+0.54%) ⬆️
cmd/policy_webhook/main.go 0.00% <0.00%> (ø)
pkg/apis/policy/common/validation.go 17.46% <0.00%> (ø)
...is/policy/v1beta1/clusterimagepolicy_validation.go 95.52% <0.00%> (+0.01%) ⬆️
...s/policy/v1alpha1/clusterimagepolicy_validation.go 92.53% <0.00%> (+0.02%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@mattmoor
Copy link
Member

@vaikas @hectorj2f WDYT about deprecating and starting to warn when folks use the short-name version of the predicate type?

I'd love it if we could get folks using explicit predicate types, since the short names have been so fraught.

Thanks for bumping this @hectorj2f 👍

@hectorj2f
Copy link
Collaborator Author

Warning always looks like a good approach announcing for a future deprecation. Yes, it makes sense to slowly transition to strict predicate types. I'm wondering if we could start adding a warning in cosign (too) for these short names.

@vaikas
Copy link
Collaborator

vaikas commented Feb 21, 2023

I think this has a few breaking changes that we should make sure make it into the release notes.

@hectorj2f
Copy link
Collaborator Author

@vaikas I added the predicate type breaking change to the notes.

@vaikas
Copy link
Collaborator

vaikas commented Feb 21, 2023

There's also this:
sigstore/cosign#2718

Which means that all the policies written against spdx/cyclonedx will not work as far as I can tell?

I'd go through the PRs from the last and make sure there weren't others.

@hectorj2f
Copy link
Collaborator Author

@vaikas Thanks for pointing that out. In my opinion, the other PRs are not affecting our verifications if I am not mistaken.

@vaikas
Copy link
Collaborator

vaikas commented Feb 21, 2023

@hectorj2f thanks for checking. I would word it that you have to rewrite your policy, not only that you must specify the predicatetype, but the extra 'indentation' of Data has been removed, so policies that used them will need to be changed:
https://github.com/sigstore/cosign/pull/2718/files#diff-9e762d0df1502ee31a1de1a3bc67be6c2707ec3e6117be3147907a60ef5fb854L263

And since previous versions of cosign had that extra Data in there, to be safe, you might want to have both policies in place to catch the old / new ones.

@hectorj2f
Copy link
Collaborator Author

@vaikas I feel we should highlight these changes when documenting (docs/README) the new version.

@vaikas
Copy link
Collaborator

vaikas commented Feb 22, 2023

@hectorj2f we can certainly create a 'changelog.MD' or something like that in addition to clear commit messages that impact users, but for folks that are looking to upgrade to a new version are accustomed to seeing the breaking changes when they look at the releases.

@hectorj2f hectorj2f merged commit 5f2b5f8 into sigstore:main Feb 22, 2023
@hectorj2f hectorj2f deleted the cosign-v2-2.0.0-rc.3 branch February 22, 2023 18:16
@hectorj2f
Copy link
Collaborator Author

Thanks for the reviews!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants