-
Notifications
You must be signed in to change notification settings - Fork 550
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Attaching the signature artifact to the Image artifact #3935
Comments
That's already possible: Try:
But generally speaking, OCI-1.1 support in Cosign is poor and it doesn't seem like there has been any improvement in a very long time. In particular, it's still not possible to attach attestations in an OCI compliant way. For that reason we're thinking about migrating away from Cosign. (In fact, I found this issue while investigating if there have been any improvements over the last year or so, but sadly it doesn't look that way.) |
Thanks for your reply! My experience has been the same as yours. I noticed that it’s possible to attach an artifact in an oci1.1 compliant way, but oci1.1 for attestations is not supported. What other options besides cosign are there? |
OCI 1.1 support is planned - https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md |
buildkit is adding support in v0.19.0 |
The proposed Bundle-spec will be just another breaking change that makes all existing attachments and tooling incompatible, yet again. Also, I need to attach signatures and SBOMs in a future-proof way right now.
I am currently looking into Notation/NotaryV2 in combination with ORAS. My plan is to just push my SBOMs as true OCI attachments (Referrers API) using ORAS and maybe sign them using Notation. I am not saying that these tools are "better" than Cosign, but at least they seem committed to their specifications without deprecating everything every year. |
The planned OCI 1.1 referring artifact support for attestations (Bundle-spec) is in active development here and should be available very soon as an optional feature in Cosign. We've been very deliberate in designing the new specifications and this PR is part of a series of client standardization efforts that have been ongoing for nearly two years, centered on the Sigstore Bundle Format. The other language clients are cross-compatible and Cosign is the last to be updated, as we take breaking changes very seriously. |
I'll also point out #3927 as a solution for signatures as OCI artifacts, as the spec I linked is for attestations. @ChristianCiach, adapting based on feedback from consumers and evolving the specification based on progress across the ecosystem is a natural part of development. Yes, in this example, there is a breaking change in terms of the format so old Cosign versions will not be compatible, but it's not accurate to say existing attachments will fail. We can continue to support verification of the current signature specification. We want to standardize on the format of the signature and its verification material across Sigstore clients and SDKs. Cosign is actually the outlier in this case as bundles are already implemented in 5 Sigstore SDKs. We've made a lot of progress recently towards supporting this newer bundle format in Cosign, launched in Cosign v2.4.0. The bundle specification I've linked is our answer to OCI 1.1 and bundles - using OCI 1.1 with the current spec for the signature format keeps Cosign divergent and incompatible with the rest of the ecosystem, and using annotations to store bundles makes no progress towards OCI 1.1. We are always open to feedback or PRs from the community. |
Thanks a lot, guys! Everything is a lot clearer to me now. |
When I use oras (or
gcloud artifacts attachments create
) to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.When I use cosign this is not the case. The signature artifact is displayed like a normal artifact and no relationship is visible at first glance.
After comparing some of the manifests, I noticed that oras adds a field called subject to the manifest of the added artifact with a reference to the digest of the image artifact.
"subject": { "mediaType": "application/vnd.oci.image.index.v1+json", "digest": "sha256:the_digest_of_the_image", "size": 856 }
opencontainers/image-spec#1020
docker/build-push-action#1260
You can use the following command
oras attach --artifact-type doc/example --annotation "key1=val1" --annotation "key2=val2" localhost:5000/hello:v1
to quickly create an attached artifact at that location.Can cosign support the subject field as well?
The text was updated successfully, but these errors were encountered: