Syft hardcodes custom attestation type (#1532)
Comments

Thanks for the issue and PR @Nirusu! I'll get the custom TIL

Ah, okay, now that makes sense to me how that happened! But well, it should all be good now for our use case. Thank you!
Please provide a set of steps on how to reproduce the issue:
(see: https://github.com/edgelesssys/constellation/actions/runs/4076041100/jobs/7023239500)

Using Syft 0.69.0, if you have a workflow like:

```shell
syft attest --key cosign.key ghcr.io/edgelesssys/constellation/joinservice:v2.6.0-pre.0.20230131140552-27cae81bd7bc@sha256:cd33aacb5733f6cb7c9d9694a8d6c5337c78e019274ea1d531e25114f86b537b -o cyclonedx-json
cosign attach attestation ghcr.io/edgelesssys/constellation/key-service:v2.6.0-pre.0.20230202153131-e91a34d4ad99@sha256:e82624bc9889497589672f56680a9b5e4f8f6ead5673d7fcc6507ff534218b3d --attestation container-image.att.json
cosign verify-attestation ghcr.io/edgelesssys/constellation/key-service:v2.6.0-pre.0.20230202153131-e91a34d4ad99@sha256:e82624bc9889497589672f56680a9b5e4f8f6ead5673d7fcc6507ff534218b3d --type 'https://cyclonedx.org/bom'
```

It will fail:

```
Error: none of the attestations matched the predicate type: https://cyclonedx.org/bom
main.go:62: error during command execution: none of the attestations matched the predicate type: https://cyclonedx.org/bom
```
What happened:

Syft hardcodes `--type custom` in the call to cosign as an argument.

What you expected to happen:

Syft passes my defined type to cosign.

Anything else we need to know?:
Judging from #1442, this hardcoding seems to be intentional, but in my opinion, for a completely flawed reason.

Cosign does not auto-detect the predicate type, as described in sigstore/cosign#2264.

@spiffcs noticed this issue and reported this in sigstore/cosign#2494.

However, the issue here is that Cosign also requires the type to be set for verification, due to the lack of auto-detection. It defaults to `custom`, whereas @spiffcs has defined a type in the `syft attest` command in sigstore/cosign#2494, but not in the `cosign attest` command.

Now, I am not sure what #1442 hard codes the type for, given that this seems to me like either user error (defining a type on one command but not on another) or an upstream issue in Cosign (detection does not work, wrong types between different commands).

However, I am not sure why the type is not enforced in Syft. This looks wrong given that everything here is essentially just Cosign under the hood, but Syft now enforces this behavior because of user error or Cosign upstream issues.

That seems wrong to me, so I'd like to open a discussion here or propose removing the hardcoding. But I cannot really figure out why this hardcoding is sold as a bug fix or feature, given that Cosign should default to `custom` for both attest and verify-attestation in any case. If a custom type is defined in one command but not another, this is user error or a lack of features, but not a reason to hardcode any parameters, since this now does the opposite: breaking user workflows.

Environment:
- `syft version`:
- OS (e.g. `cat /etc/os-release` or similar): macOS Ventura 13.2 arm64
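To see why the verification step above fails, the following added example (not code from this issue or from the Syft/cosign projects) decodes the DSSE envelope that `cosign attach attestation` uploads and compares the in-toto `predicateType` recorded inside it with the `--type` handed to `cosign verify-attestation`. The URI behind the `custom` alias is assumed to match cosign's predicate-type table, and the envelope, subject digest and signature are constructed placeholders.

```python
import base64
import json

# cosign --type aliases and the predicate URIs they expand to.
# "custom" and "cyclonedx" are the two types the issue discusses
# (the custom URI is assumed from cosign's predicate-type table).
COSIGN_PREDICATE_TYPES = {
    "custom": "https://cosign.sigstore.dev/attestation/v1",
    "cyclonedx": "https://cyclonedx.org/bom",
}


def make_envelope(predicate_type: str, subject_digest: str, predicate: dict) -> dict:
    """Build a DSSE envelope around an in-toto statement.
    Constructed sample: the subject name and the signature are placeholders."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "ghcr.io/example/image",
                     "digest": {"sha256": subject_digest}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    }


def predicate_type_of(envelope: dict) -> str:
    """Decode the base64 DSSE payload and return the recorded predicateType."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    return statement["predicateType"]


def resolve_type(requested: str) -> str:
    """Expand a cosign --type alias to its URI; a full URI passes through."""
    return COSIGN_PREDICATE_TYPES.get(requested, requested)


def would_verify(envelope: dict, requested_type: str) -> bool:
    """Mirror cosign's predicate-type filter: the attestation only matches
    when the requested --type equals the predicateType stored in the payload."""
    return predicate_type_of(envelope) == resolve_type(requested_type)


if __name__ == "__main__":
    # What `syft attest` with a hardcoded --type custom produces, constructed here.
    att = make_envelope(COSIGN_PREDICATE_TYPES["custom"], "ab" * 32, {"bomFormat": "CycloneDX"})
    print("recorded predicateType:", predicate_type_of(att))
    print("verify with --type custom:", would_verify(att, "custom"))
    print("verify with --type https://cyclonedx.org/bom:", would_verify(att, "https://cyclonedx.org/bom"))
```

Running `predicate_type_of` over a real `container-image.att.json` shows which `--type` the verifier has to be given before the hardcoded `custom` type causes the mismatch reported above.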