Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for new bundle specification in cosign verify-attestation #3889

Draft
wants to merge 15 commits into
base: main
Choose a base branch
from
Draft

Add support for new bundle specification in cosign verify-attestation #3889

wants to merge 15 commits into from

Conversation

codysoyland
Copy link
Member

@codysoyland codysoyland commented Sep 25, 2024
edited
Loading

This PR adds support for the new Cosign Bundle Specification in cosign verify-attestation.

This works in conjunction with #3888 and is interoperable with GitHub Artifact Attestations.

Related: #3139

This is in draft for now pending:

  • TSA Support
  • Wiring in verification options from CheckOpts
  • More metadata returned in oci.Signature (currently outputs just enough to display basic verification success message)
  • Error propagation similar to that in VerifyImageAttestation
  • Tests

To test, run the following (replacing MY_IDENTITY, MY_ISSUER, MY_TRUSTED_ROOT and MY_IMAGE as needed):

go run ./cmd/cosign verify-attestation --certificate-identity MY_IDENTITY --certificate-oidc-issuer MY_ISSUER --expect-sigstore-bundle=true --trusted-root=MY_TRUSTED_ROOT MY_IMAGE

Summary

Release Note

Documentation

@codysoyland codysoyland mentioned this pull request Nov 5, 2024
Open
@codecov Codecov
Copy link

codecov bot commented Nov 6, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 1.68067% with 351 lines in your changes missing coverage. Please review.

Project coverage is 35.55%. Comparing base (2ef6022) to head (8796901).
Report is 236 commits behind head on main.

Files with missing lines Patch % Lines
pkg/cosign/verify.go 0.00% 131 Missing ⚠️
pkg/oci/remote/write.go 0.00% 89 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go 0.00% 36 Missing ⚠️
cmd/cosign/cli/attest/attest.go 0.00% 32 Missing ⚠️
pkg/oci/remote/signatures.go 0.00% 20 Missing ⚠️
cmd/cosign/cli/attest/common.go 0.00% 10 Missing ⚠️
pkg/cosign/verify_bundle.go 0.00% 10 Missing ⚠️
cmd/cosign/cli/verify/verify.go 0.00% 8 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go 14.28% 6 Missing ⚠️
cmd/cosign/cli/verify.go 0.00% 3 Missing ⚠️
... and 4 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3889      +/-   ##
==========================================
- Coverage   40.10%   35.55%   -4.55%     
==========================================
  Files         155      210      +55     
  Lines       10044    13693    +3649     
==========================================
+ Hits         4028     4869     +841     
- Misses       5530     8198    +2668     
- Partials      486      626     +140

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@codysoyland
Update docs
8796901 
Signed-off-by: Cody Soyland <[email protected]>
@codysoyland
Use ParsePredicateType helper here
67d421a 
Signed-off-by: Cody Soyland <[email protected]>
@codysoyland
Add missing annotations
ba5c7cb 
Signed-off-by: Cody Soyland <[email protected]>
@codysoyland
Filter by bundle artifact type
7a4c4df 
Signed-off-by: Cody Soyland <[email protected]>
@codysoyland codysoyland mentioned this pull request Nov 6, 2024
Closed
4 tasks
@codysoyland
Fix up MediaType logic
693b391 
Signed-off-by: Cody Soyland <[email protected]>
@codysoyland codysoyland mentioned this pull request Nov 8, 2024
Draft
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@codysoyland