Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support sbom/attestation OCI artifacts similar to .sig signatures #269

Open
cppforlife opened this issue Oct 6, 2021 · 5 comments · May be fixed by #392
Open

support sbom/attestation OCI artifacts similar to .sig signatures #269

cppforlife opened this issue Oct 6, 2021 · 5 comments · May be fixed by #392
Assignees
@joaopapereira
Labels
carvel accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-soon Must be staffed and worked on currently or soon

Comments

@cppforlife
Copy link
Contributor

Describe the problem/challenge you have

we currently have --cosign-singatures=bool flag that attaches .sig artifacts. cosign has .sbom and .att suffixes as well.
(https://github.com/sigstore/cosign/blob/0142711da2fadc78f546a99adf12e2f0be428600/pkg/oci/remote/options.go#L27-L29)

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.
@cppforlife cppforlife added enhancement This issue is a feature request carvel triage This issue has not yet been reviewed for validity labels Oct 6, 2021
@DennisDenuto
Copy link
Contributor

DennisDenuto commented Oct 12, 2021
edited
Loading

hey @cppforlife good idea! i'll carvel-accept this meaning we plan on working on it.

Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

Personally, I think leaving it as-is and documenting that it is used to copy cosign artifacts (such as sbom and attestations) is sufficient. And avoids backward compatibility concerns with renaming it.

@DennisDenuto DennisDenuto added carvel accepted This issue should be considered for future work and that the triage process has been completed priority/important-soon Must be staffed and worked on currently or soon and removed carvel triage This issue has not yet been reviewed for validity labels Oct 12, 2021
@cppforlife
Copy link
Contributor Author

Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

may be worth renaming to --cosign-artifacts=bool? im a little less concerned about backwards compatibility for this one, since it's not a widely used feature and it would fail loudly if somebody depends on it.

btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.

@hectorj2f
Copy link

btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.

@cppforlife In addition to that, you could create an attestation that includes the SBOM as a predicate in the attestation (so you get the best from both worlds).

@hectorj2f
Copy link

@joaopapereira I have investigated a little more the options to have a single BOM for the bundle while referring to the rest of the BOM per image inside the bundle. I believe we could using externalReferences from CycloneDX as explained in https://cyclonedx.org/capabilities/bomlink/ there is an example here https://github.com/CycloneDX/bom-examples/tree/master/OBOM/Example-1-Decoupled. CycloneDX external references are URIs and bom-link is a URN, all external references end up being relationships as well.

This was referenced May 25, 2022
Open
Open
@aaronshurley aaronshurley moved this to To Triage in Carvel Jul 25, 2022
@ThomasVitale ThomasVitale mentioned this issue Jan 30, 2023
Open
@github-project-automation github-project-automation bot moved this to To Triage in Carvel Feb 14, 2023
@joaopapereira joaopapereira moved this from To Triage to In Progress in Carvel Feb 14, 2023
@ThomasVitale
Copy link

Cosign is experimenting with a different way of storing signatures and other artefacts that will affect both this feature request and also the existing Cosign signatures support.

More info:

  • [https://twitter.com/developerguyba/status/1636110374251446277?s=20](conversation about imgpkg and cosign)
  • [https://www.chainguard.dev/unchained/building-towards-oci-v1-1-support-in-cosign](Building towards OCI v1.1 support in cosign)

@ThomasVitale ThomasVitale mentioned this issue Jul 12, 2023
Open
@ThomasVitale ThomasVitale mentioned this issue Apr 14, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joaopapereira joaopapereira

Labels
carvel accepted This issue should be considered for future work and that the triage process has been completed enhancement This issue is a feature request priority/important-soon Must be staffed and worked on currently or soon
Projects
Carvel
Status: In Progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow copy and describe of SBOM, attestations and signatures from cosign carvel-dev/imgpkg
5 participants
@cppforlife @joaopapereira @DennisDenuto @hectorj2f @ThomasVitale