feat: add support attaching a Rekor bundle to a container #3246
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #3246 +/- ##
==========================================
+ Coverage 30.35% 30.93% +0.58%
==========================================
Files 155 155
Lines 9845 9931 +86
==========================================
+ Hits 2988 3072 +84
+ Misses 6410 6406 -4
- Partials 447 453 +6
LGTM, just a few small comments
cmd/cosign/cli/attach/sig.go
Outdated
@@ -95,9 +97,24 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef, | |||
return err | |||
} | |||
} | |||
bundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig) | |||
TSBundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig) |
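Review bot: at the `TSBundle :=` line, the capitalised name reads like an exported identifier even though it is a local variable. Renaming it away from `bundle` is the right move, because the earlier `bundle := bundle.TimestampToRFC3161Timestamp(...)` form shadowed the `bundle` package for the rest of `SignatureCmd` and would block any later call into that package. Keep the rename but use a lower camelCase local such as `tsBundle`.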
lowercase variable, so tsBundle
cmd/cosign/cli/options/attach.go
Outdated
@@ -57,6 +58,8 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) { | |||
"signing certificate and end with the root certificate. Included in the OCI Signature") | |||
cmd.Flags().StringVar(&o.TimeStampedSig, "tsr", "", | |||
"path to the Time Stamped Signature Response from RFC3161 compliant TSA") | |||
cmd.Flags().StringVar(&o.RekorBundle, "rekor", "", |
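Review bot: the flag name `rekor` at the `StringVar(&o.RekorBundle, "rekor", ...)` line names the service rather than the value it carries, so a user cannot tell from the name whether it expects a URL, a toggle or a file. The neighbouring `tsr` flag's help text says it is a path to a file; the help string for the new flag is cut off in the visible hunk, so check that it likewise states that the value is a path and which Rekor format the file must contain, and consider a flag name that says what the file is.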
Can we name the flag `rekor-response`? This helps us to distinguish from the upcoming "sigstore bundle" format we plan to integrate.
Hi, what is the sigstore bundle 👀
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto - sigstore-go and other newer clients use this rather than have separate outputs for cert, sig, rekor, etc
@haydentherapper Added the changes
Summary
Closes: #2904
`cosign attach` supports attaching signatures, but not Rekor bundles. This PR adds support for attaching a Rekor bundle to a container.
Release Note
added support for attaching a Rekor bundle to a container
Documentation