Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support attaching a Rekor bundle to a container #3246

Merged
merged 14 commits into from
Oct 17, 2023

Conversation

vishal-chdhry
Copy link
Contributor

Summary

Closes: #2904

cosign attach supports attaching signatures, but not Rekor bundles. This PR adds support attaching a Rekor bundle to a container

Release Note

added support attaching a Rekor bundle to a container

Documentation

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@codecov
Copy link

codecov bot commented Sep 17, 2023

Codecov Report

Merging #3246 (4d776f6) into main (44f7703) will increase coverage by 0.58%.
Report is 45 commits behind head on main.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #3246      +/-   ##
==========================================
+ Coverage   30.35%   30.93%   +0.58%     
==========================================
  Files         155      155              
  Lines        9845     9931      +86     
==========================================
+ Hits         2988     3072      +84     
+ Misses       6410     6406       -4     
- Partials      447      453       +6     
Files Coverage Δ
pkg/cosign/bundle/rekor.go 100.00% <ø> (ø)
cmd/cosign/cli/attach.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/attach.go 0.00% <0.00%> (ø)

... and 10 files with indirect coverage changes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
cmd/cosign/cli/attach/sig.go Outdated Show resolved Hide resolved
test/e2e_test.go Show resolved Hide resolved
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just a few small comments

@@ -95,9 +97,24 @@ func SignatureCmd(ctx context.Context, regOpts options.RegistryOptions, sigRef,
return err
}
}
bundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig)
TSBundle := bundle.TimestampToRFC3161Timestamp(timeStampedSig)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lowercase variable, so tsBundle

@@ -57,6 +58,8 @@ func (o *AttachSignatureOptions) AddFlags(cmd *cobra.Command) {
"signing certificate and end with the root certificate. Included in the OCI Signature")
cmd.Flags().StringVar(&o.TimeStampedSig, "tsr", "",
"path to the Time Stamped Signature Response from RFC3161 compliant TSA")
cmd.Flags().StringVar(&o.RekorBundle, "rekor", "",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we name the flag rekor-response? This helps us to distinguish from the upcoming "sigstore bundle" format we plan to integrate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, what is the sigstore bundle 👀

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto - sigstore-go and other newer clients use this rather than have separate outputs for cert, sig, rekor, etc

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry
Copy link
Contributor Author

@haydentherapper Added the changes

@haydentherapper haydentherapper enabled auto-merge (squash) October 17, 2023 19:16
@haydentherapper haydentherapper merged commit c75d1e3 into sigstore:main Oct 17, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Oct 17, 2023
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support attaching a Rekor bundle to a container
3 participants