Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support generating and verifying with "Sigstore" bundles #251

Closed
2 tasks done
woodruffw opened this issue Oct 14, 2022 · 11 comments
Closed
2 tasks done

Support generating and verifying with "Sigstore" bundles #251

woodruffw opened this issue Oct 14, 2022 · 11 comments
Assignees
Labels
enhancement New feature or request
Milestone

Comments

@woodruffw
Copy link
Member

woodruffw commented Oct 14, 2022

There are currently (at least) 3 different things called "bundles" in the Sigstore ecosystem:

  • "cosign bundles", which cosign --bundle emits. These contain a Rekor entry, plus checksum, certificate, and signature needed to perform a normal verification step.
  • "Rekor offline bundles", which contain just the Rekor entry and its SET. These need to be combined with separate inputs to perform a normal verification step.
  • "sigstore bundles", which are currently being designed (Sigstore bundle cosign#2204). These will deprecate "cosign bundles" and perform the same function.

Once the "Sigstore bundle" format is stabilized, sigstore-python should both consume and emit it (by default, rather than emitting/loading separate files for each component).

This is a counterpart to #52 and #194, and will obviate/deprecate the work in #247 once finished.

Subtasks:

@woodruffw woodruffw added the enhancement New feature or request label Oct 14, 2022
@woodruffw woodruffw added this to the Stable release (1.0) milestone Oct 14, 2022
@di
Copy link
Member

di commented Oct 21, 2022

Marking this blocked on sigstore/cosign#2131

@di di added the blocked label Oct 21, 2022
@woodruffw
Copy link
Member Author

The sigstore bundle spec is being developed in sigstore/protobuf-specs; tracking sigstore/protobuf-specs#6

@jku
Copy link
Member

jku commented Nov 2, 2022

nothing against protobufs as such but it'll likely be yet another dependency just to read a single config file :(

@woodruffw
Copy link
Member Author

nothing against protobufs as such but it'll likely be yet another dependency just to read a single config file :(

Yeah, this isn't ideal (but also not the end of the world). My plan here was to look into generating a separate Python package from the protobuf specs, something like sigstore-protos or sigstore-models, so that we can avoid a direct protobuf dependency.

@di
Copy link
Member

di commented Nov 2, 2022

Or we could have the repo that defines the specs generate/publish the protos package as well.

@woodruffw
Copy link
Member Author

Bumping this to post-stable, since the Sigstore bundle format itself isn't fully stabilized.

@woodruffw woodruffw removed the blocked label Jan 12, 2023
@woodruffw
Copy link
Member Author

Unblocking because a 0.1 release of the bundle format is now available; we should begin evaluating against it.

@woodruffw woodruffw self-assigned this Jan 20, 2023
@tetsuo-cpp tetsuo-cpp self-assigned this Jan 25, 2023
@tetsuo-cpp
Copy link
Contributor

I'm going to prepare a PR for verifying bundles.

@woodruffw
Copy link
Member Author

Done as of #478!

@edgarrmondragon
Copy link

Not a big deal, but should the subtask

  • Verify using Sigstore-style bundles with the sigstore verify subcommands

in the issue description be checked and linked to #478?

@woodruffw
Copy link
Member Author

Yes, thanks @edgarrmondragon!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants