Syft hardcodes custom attestation type #1532

Closed
Nirusu opened this issue Feb 2, 2023 · 2 comments · Fixed by #1533
Labels
bug Something isn't working

Comments


Nirusu commented Feb 2, 2023

Please provide a set of steps on how to reproduce the issue
(see: https://github.com/edgelesssys/constellation/actions/runs/4076041100/jobs/7023239500)
Using Syft 0.69.0, if you have a workflow like:

syft attest --key cosign.key ghcr.io/edgelesssys/constellation/joinservice:v2.6.0-pre.0.20230131140552-27cae81bd7bc@sha256:cd33aacb5733f6cb7c9d9694a8d6c5337c78e019274ea1d531e25114f86b537b -o cyclonedx-json

cosign attach attestation ghcr.io/edgelesssys/constellation/key-service:v2.6.0-pre.0.20230202153131-e91a34d4ad99@sha256:e82624bc9889497589672f56680a9b5e4f8f6ead5673d7fcc6507ff534218b3d --attestation container-image.att.json

cosign verify-attestation ghcr.io/edgelesssys/constellation/key-service:v2.6.0-pre.0.20230202153131-e91a34d4ad99@sha256:e82624bc9889497589672f56680a9b5e4f8f6ead5673d7fcc6507ff534218b3d --type 'https://cyclonedx.org/bom'

It will fail:

Error: none of the attestations matched the predicate type: https://cyclonedx.org/bom
main.go:62: error during command execution: none of the attestations matched the predicate type: https://cyclonedx.org/bom

What happened:
Syft hardcodes --type custom in the call to cosign as an argument.

What you expected to happen:
Syft passes my defined type to cosign.

Anything else we need to know?:
Judging from #1442, this hardcoding seems to be intentional, but in my opinion, for a completely flawed reason.

Cosign does not auto-detect the predicate type, as described in sigstore/cosign#2264.

@spiffcs noticed this issue and reported this in sigstore/cosign#2494.

However, the issue here is that Cosign also requires the type to be set for verification, due to the lack of auto-detection. It defaults to custom whereas @spiffcs has defined a type in the syft attest command in sigstore/cosign#2494, but not in the cosign attest command.

Now, I am not sure what #1442 hard-codes the type for, given that it seems to me like either user error (defining a type on one command but not on another) or an upstream issue in Cosign (detection does not work, wrong types between different commands).

However, I am not sure why the type is not enforced in Syft. This looks wrong given that everything here is essentially just Cosign under the hood, but Syft now enforces this behavior because of user error or Cosign upstream issues.

That seems wrong to me, so I'd like to open a discussion here or propose removing the hardcoding fix. But I cannot really figure out why this hardcoding is sold as a bug fix or feature, given that Cosign should default to custom for both attest and verify-attestation in any case. If a custom type is defined in one command but not another, this is user error or a lack of features - but not a reason to hardcode any parameters, since this now does the opposite: breaking user workflows.

Environment:

  • Output of syft version:
Application:        syft
Version:            0.69.1
JsonSchemaVersion:  6.2.0
BuildDate:          2023-01-31T16:53:16Z
GitCommit:          1530ef354ffaf59cef6a02c949f2cdb82353954f
GitDescription:     [not provided]
Platform:           darwin/arm64
GoVersion:          go1.19.5
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
    macOS Ventura 13.2 arm64
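The failure above comes down to a string comparison: `cosign attest` bakes a predicateType URI into the in-toto statement it signs, and `cosign verify-attestation --type` only accepts attestations whose predicateType equals the URI it resolves from the `--type` value (it does not sniff the predicate body). The script below is an added example written for this issue, not code from Syft or Cosign; it models that matching so the `custom`-versus-`https://cyclonedx.org/bom` mismatch can be reproduced offline. The alias table is an assumption approximating the aliases cosign's `--type` flag accepts, the image reference and digest are constructed, and signatures are a placeholder: real cosign signs the DSSE envelope with the key and checks that signature before the type comparison, which this example skips.

```python
"""Model cosign's predicateType matching for attest / verify-attestation.

Added example for the Syft issue above; not Syft or Cosign code.
Signature handling is deliberately omitted: only the predicateType and
subject-digest checks that produce "none of the attestations matched the
predicate type" are modelled.
"""
import base64
import hashlib
import json

# Alias -> in-toto predicateType URI. Assumption approximating the table
# behind cosign's --type flag; an unknown value is treated as a raw URI, which
# is why '--type https://cyclonedx.org/bom' is accepted in the issue.
PREDICATE_TYPES = {
    "custom": "https://cosign.sigstore.dev/attestation/v1",
    "cyclonedx": "https://cyclonedx.org/bom",
    "spdx": "https://spdx.dev/Document",
    "spdxjson": "https://spdx.dev/Document",
    "slsaprovenance": "https://slsa.dev/provenance/v0.2",
}


def resolve_type(type_flag):
    """Map a --type value to the predicateType URI cosign will compare."""
    return PREDICATE_TYPES.get(type_flag, type_flag)


def attest(image_ref, digest_hex, predicate, type_flag="custom"):
    """Build a DSSE envelope around an in-toto Statement, as attest does.

    type_flag defaults to "custom" to mirror cosign's own default. The
    'sig' field is a placeholder digest, NOT a signature.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": resolve_type(type_flag),
        "subject": [{"name": image_ref, "digest": {"sha256": digest_hex}}],
        "predicate": predicate,
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [
            {"keyid": "", "sig": base64.b64encode(hashlib.sha256(payload).digest()).decode()}
        ],
    }


def verify_attestation(envelopes, digest_hex, type_flag="custom"):
    """Return the statements matching the requested type for this digest.

    Raises ValueError with cosign's wording when nothing matches. Like
    cosign, the default requested type is "custom", so attesting and
    verifying with both defaults agrees; setting --type on only one side
    does not.
    """
    want = resolve_type(type_flag)
    matched = []
    for env in envelopes:
        if env.get("payloadType") != "application/vnd.in-toto+json":
            continue
        stmt = json.loads(base64.b64decode(env["payload"]))
        subjects = stmt.get("subject", [])
        if not any(s.get("digest", {}).get("sha256") == digest_hex for s in subjects):
            continue  # attestation is about a different image
        if stmt.get("predicateType") != want:
            continue  # the mismatch reported in the issue
        matched.append(stmt)
    if not matched:
        raise ValueError(f"none of the attestations matched the predicate type: {want}")
    return matched


if __name__ == "__main__":
    # Constructed image reference and digest; the SBOM predicate is a stub.
    image = "ghcr.io/example/app"
    digest = hashlib.sha256(b"constructed image manifest").hexdigest()
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}

    hardcoded = attest(image, digest, sbom, "custom")       # what Syft 0.69 did
    try:
        verify_attestation([hardcoded], digest, "https://cyclonedx.org/bom")
    except ValueError as err:
        print("Error:", err)

    typed = attest(image, digest, sbom, "cyclonedx")         # with a --type flag
    print("matched:", verify_attestation([typed], digest, "cyclonedx")[0]["predicateType"])
```

Run it as-is to see the issue's error text for the `custom` attestation and a successful match once the same type is used on both sides; the lesson is that the predicateType must be chosen once, at attest time, and repeated verbatim at verify time.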
spiffcs commented Feb 2, 2023

Thanks for the issue and PR @Nirusu!

I'll get the custom --type flag added for the attest command as a follow up.

TIL verify-attestation also accepted a --type flag. When I was originally doing this feature I didn't see a way to specify the type on that command - makes much more sense to just allow the parameters to exist for the users to customize rather than rely on auto detection or hard coding it on our part.

Nirusu commented Feb 2, 2023

Ah, okay now that makes sense to me how that happened!
To be honest I have no idea when (or how) it was added, but it's also super unfortunate that sigstore/cosign#2264 broke the detection so it had to be specified manually. That's also quite an annoying issue that I hope gets fixed soon :/

But well, should all be good now for our use case. Thank you!
