
Attaching the signature artifact to the Image artifact #3935

Open
wieringen opened this issue Nov 15, 2024 · 8 comments
Labels: question (Further information is requested)

Comments

@wieringen

wieringen commented Nov 15, 2024

When I use oras (or gcloud artifacts attachments create) to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.

[Screenshot 2024-11-15 at 15:35:16: Artifact Registry UI showing the attached artifact as a child of the image]

When I use cosign this is not the case. The signature artifact is displayed like a normal artifact and no relationship is visible at first glance.

After comparing some of the manifests, I noticed that oras adds a field called subject to the manifest of the added artifact with a reference to the digest of the image artifact.
"subject": { "mediaType": "application/vnd.oci.image.index.v1+json", "digest": "sha256:the_digest_of_the_image", "size": 856 }

opencontainers/image-spec#1020
docker/build-push-action#1260

You can use the following command oras attach --artifact-type doc/example --annotation "key1=val1" --annotation "key2=val2" localhost:5000/hello:v1 to quickly create an attached artifact at that location.

Can cosign support the subject field as well?

wieringen added the "question" label on Nov 15, 2024
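To make the `subject` relationship concrete, here is an added example (not code from the issue, cosign or oras) that builds an OCI 1.1 attachment manifest the way `oras attach` does and then resolves referrers the way a registry or the Artifact Registry UI does. The image index, blob and annotations are constructed sample data; the manifest layout follows the OCI image spec (empty config descriptor, `artifactType`, `subject`).

```python
import hashlib
import json

def canonical_bytes(manifest):
    # Digests cover the exact bytes pushed, so serialize once and reuse them.
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()

def descriptor(media_type, content):
    # OCI descriptor: the {mediaType, digest, size} triple oras puts in `subject`.
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(content).hexdigest(),
            "size": len(content)}

def attachment_manifest(subject, artifact_type, blob, blob_media_type, annotations):
    # OCI 1.1 attachment: image manifest with artifactType, the spec's empty
    # config, the blob as its only layer and a `subject` pointing at the image.
    return {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "artifactType": artifact_type,
            "config": descriptor("application/vnd.oci.empty.v1+json", b"{}"),
            "layers": [descriptor(blob_media_type, blob)],
            "subject": subject,
            "annotations": annotations}

def referrers(manifests, subject_digest, artifact_type=None):
    # What a registry's referrers lookup (and the parent/child UI) does:
    # manifests whose subject.digest matches, optionally filtered by artifactType.
    # A manifest with no `subject` is never linked to its image.
    return [m for m in manifests
            if m.get("subject", {}).get("digest") == subject_digest
            and (artifact_type is None or m.get("artifactType") == artifact_type)]

# Constructed sample index standing in for the image being attached to.
IMAGE_INDEX = {"schemaVersion": 2,
               "mediaType": "application/vnd.oci.image.index.v1+json",
               "manifests": []}
IMAGE_DESC = descriptor(IMAGE_INDEX["mediaType"], canonical_bytes(IMAGE_INDEX))
DOC = attachment_manifest(IMAGE_DESC, "doc/example", b"constructed doc",
                          "text/plain", {"key1": "val1", "key2": "val2"})
# A signature manifest pushed without `subject` (the cosign case in this issue).
UNLINKED = {"schemaVersion": 2,
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "config": DOC["config"], "layers": [], "annotations": {}}

if __name__ == "__main__":
    print(json.dumps(DOC["subject"], indent=2))
    print(len(referrers([DOC, UNLINKED], IMAGE_DESC["digest"])), "linked referrer(s)")
```

The unlinked manifest is only found if you already know its tag or digest, which is exactly why the signature shows up as an unrelated artifact in the UI.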
@ChristianCiach
Contributor

ChristianCiach commented Dec 16, 2024

That's already possible:

Try:

COSIGN_EXPERIMENTAL=1 cosign sign --registry-referrers-mode=oci-1-1 ...

But generally speaking, OCI-1.1 support in Cosign is poor and it doesn't seem like there has been any improvement in a very long time. In particular, it's still not possible to attach attestations in an OCI compliant way. For that reason we're thinking about migrating away from Cosign. (In fact, I found this issue while investigating if there have been any improvements over the last year or so, but sadly it doesn't look that way.)

@wieringen
Author

Thanks for your reply! My experience has been the same as yours. I noticed that it's possible to attach an artifact in an OCI 1.1 compliant way, but OCI 1.1 for attestations is not supported. What other options besides cosign are there?

@haydentherapper
Contributor

OCI 1.1 support is planned - https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md

@wieringen
Author

wieringen commented Dec 17, 2024

moby/buildkit#5561

buildkit is adding support in v0.19.0

@ChristianCiach
Contributor

ChristianCiach commented Dec 17, 2024

The proposed Bundle-spec will be just another breaking change that makes all existing attachments and tooling incompatible, yet again. Also, I need to attach signatures and SBOMs in a future-proof way right now.

What other options besides cosign are there?

I am currently looking into Notation/NotaryV2 in combination with ORAS. My plan is to just push my SBOMs as true OCI attachments (Referrers API) using ORAS and maybe sign them using Notation. I am not saying that these tools are "better" than Cosign, but at least they seem committed to their specifications without deprecating everything every year.

@codysoyland
Member

The planned OCI 1.1 referring artifact support for attestations (Bundle-spec) is in active development here and should be available very soon as an optional feature in Cosign.

We've been very deliberate in designing the new specifications and this PR is part of a series of client standardization efforts that have been ongoing for nearly two years, centered on the Sigstore Bundle Format. The other language clients are cross-compatible and Cosign is the last to be updated, as we take breaking changes very seriously.

@haydentherapper
Contributor

I'll also point out #3927 as a solution for signatures as OCI artifacts, as the spec I linked is for attestations.

@ChristianCiach, adapting based on feedback from consumers and evolving the specification based on progress across the ecosystem is a natural part of development. Yes, in this example, there is a breaking change in terms of the format so old Cosign versions will not be compatible, but it's not accurate to say existing attachments will fail. We can continue to support verification of the current signature specification.

We want to standardize on the format of the signature and its verification material across Sigstore clients and SDKs. Cosign is actually the outlier in this case as bundles are already implemented in 5 Sigstore SDKs. We've made a lot of progress recently towards supporting this newer bundle format in Cosign, launched in Cosign v2.4.0. The bundle specification I've linked is our answer to OCI 1.1 and bundles - using OCI 1.1 with the current spec for the signature format keeps Cosign divergent and incompatible with the rest of the ecosystem, and using annotations to store bundles makes no progress towards OCI 1.1.

We are always open to feedback or PRs from the community.

@wieringen
Author

Thanks a lot, guys! Everything is a lot clearer to me now.
