Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Init entity from ociremote when signing a digest ref #1616

Merged
merged 1 commit into from
Mar 16, 2022
Merged

Init entity from ociremote when signing a digest ref #1616

merged 1 commit into from
Mar 16, 2022

Conversation

puerco
Copy link
Member

@puerco puerco commented Mar 16, 2022
edited
Loading

Summary

This PR modifies the object used to seed the SignedEntity used when signing a digest reference to fix a bug where cosign would wipe out all signatures from the manifest (and thus, not garbage-collecting previous signature layers) when signing a digest reference.

Before, the entity was created from a ociempty.SignedImage. This caused cosign to create a new manifest on every invocation of cosign sign image@sha.... , effectively wiping any previous signatures attached to the image.

Now, cosign el init the entity from a ociremote.SignedEntity which will append new signatures to any existing ones.

Signed-off-by: Adolfo García Veytia (Puerco) puerco@chainguard.dev

Ticket Link

Release Note

Fixed a bug where cosign would always create a new sig manifest when signing a digest reference, preventing it from attaching more than one signature.

@puerco
Init entity from ociremote when signing a digest ref
2c2e074 
This commit modifies the object used to seed the SignedEntity used
when signing a digest reference to fix a bug where cosign would wipe
out all signatures from the manifest (and not garbage-collecting
previous signature layers)

Before the entity was created from a `ociempty.SignedImage`. This
cuased cosign to always wipe any previous signatures attached to the
image.

Now, cosign el init the entity from a `ociremote.SignedEntity` which
will append new signatures to any existing ones.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@codecov-commenter
Copy link

codecov-commenter commented Mar 16, 2022
edited
Loading

Codecov Report

Merging #1616 (2c2e074) into main (a60fd71) will decrease coverage by 0.06%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1616      +/-   ##
==========================================
- Coverage   28.01%   27.95%   -0.07%     
==========================================
  Files         137      137              
  Lines        7802     7826      +24     
==========================================
+ Hits         2186     2188       +2     
- Misses       5386     5407      +21     
- Partials      230      231       +1
Impacted Files Coverage Δ
cmd/cosign/cli/sign/sign.go 1.62% <0.00%> (ø)
pkg/cosign/tlog.go 4.70% <0.00%> (+0.41%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a60fd71...2c2e074. Read the comment docs.

@puerco puerco mentioned this pull request Mar 16, 2022
Merged
@dlorenc dlorenc merged commit 36d7646 into sigstore:main Mar 16, 2022
@github-actions github-actions bot added this to the v1.7.0 milestone Mar 16, 2022
coyote240 pushed a commit to coyote240/cosign that referenced this pull request Mar 16, 2022
@puerco
Init entity from ociremote when signing a digest ref (sigstore#1616)
561184b 
This commit modifies the object used to seed the SignedEntity used
when signing a digest reference to fix a bug where cosign would wipe
out all signatures from the manifest (and not garbage-collecting
previous signature layers)

Before the entity was created from a `ociempty.SignedImage`. This
cuased cosign to always wipe any previous signatures attached to the
image.

Now, cosign el init the entity from a `ociremote.SignedEntity` which
will append new signatures to any existing ones.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@wlynch wlynch mentioned this pull request Apr 18, 2022
Closed
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@puerco @mlieberman85
Init entity from ociremote when signing a digest ref (sigstore#1616)
1b96656 
This commit modifies the object used to seed the SignedEntity used
when signing a digest reference to fix a bug where cosign would wipe
out all signatures from the manifest (and not garbage-collecting
previous signature layers)

Before the entity was created from a `ociempty.SignedImage`. This
cuased cosign to always wipe any previous signatures attached to the
image.

Now, cosign el init the entity from a `ociremote.SignedEntity` which
will append new signatures to any existing ones.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
@imjasonh imjasonh mentioned this pull request May 20, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.7.0
Development

Successfully merging this pull request may close these issues.
3 participants
@puerco @codecov-commenter @dlorenc