@zshorvath
Contributor

@zshorvath zshorvath commented Jul 26, 2024

Summary

  • cosign 2.2.0 deleted the automatic, non-deterministic recording of the creation timestamp in the config layer of signatures, attestations and SBOMs
  • cosign 2.2.4 introduced --record-creation-timestamp, but only enabled it for cosign sign, leaving the timestamp empty for attestations. This is a huge problem for OCI registries that allow automatic cleanup policies, as they won't be able to tell the creation time. GitLab, for example, is reporting 23 years of age for uploaded attestations.

Release Note

  • Enables --record-creation-timestamp flag for cosign attest

Documentation

Attach an attestation to a container image and honor the creation timestamp of the signature:

cosign attest --predicate <FILE> --type <TYPE> --key cosign.key --record-creation-timestamp <IMAGE>

References

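The check below is an added illustration, not code from this pull request or from cosign. It shows what a registry's age-based cleanup policy sees in the config blob of an attestation: a `created` field that is absent or set to the zero time (which is what the PR description calls an "empty" timestamp) versus one that was recorded. The two config blobs are constructed samples, not real registry content, and `withCreationTime` only illustrates the effect of recording a timestamp into the config; it is not cosign's implementation of --record-creation-timestamp.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed OCI config blobs modelled on what a cosign attestation image
// carries. They are samples for this example, not captured from a registry.
const (
	// Without a recorded timestamp the config carries the zero time, which
	// an age-based cleanup policy treats as ancient.
	unstampedConfig = `{"created":"0001-01-01T00:00:00Z","architecture":"","os":"","config":{},"rootfs":{"type":"layers","diff_ids":[]}}`
	// The same config with a creation timestamp recorded.
	stampedConfig = `{"created":"2024-07-26T11:37:00Z","architecture":"","os":"","config":{},"rootfs":{"type":"layers","diff_ids":[]}}`
)

// ociConfig exposes the one field of an OCI image config this check uses.
type ociConfig struct {
	Created *time.Time `json:"created,omitempty"`
}

// creationTime parses a config blob and reports its recorded creation time.
// ok is false when the field is missing or is the zero time, i.e. when a
// registry has nothing usable to base a retention decision on.
func creationTime(configJSON []byte) (t time.Time, ok bool, err error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return time.Time{}, false, err
	}
	if cfg.Created == nil || cfg.Created.IsZero() {
		return time.Time{}, false, nil
	}
	return *cfg.Created, true, nil
}

// withCreationTime returns the config with `created` set to now when it has
// no usable timestamp. A config that already carries one is returned
// unchanged, so applying the stamp twice does not rewrite the blob.
// This models the effect of recording a timestamp; it is not cosign's code.
func withCreationTime(configJSON []byte, now time.Time) ([]byte, error) {
	if _, ok, err := creationTime(configJSON); err != nil {
		return nil, err
	} else if ok {
		return configJSON, nil
	}
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(configJSON, &raw); err != nil {
		return nil, err
	}
	stamp, err := json.Marshal(now.UTC())
	if err != nil {
		return nil, err
	}
	raw["created"] = stamp
	return json.Marshal(raw)
}

func main() {
	for name, cfg := range map[string]string{"unstamped": unstampedConfig, "stamped": stampedConfig} {
		t, ok, err := creationTime([]byte(cfg))
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", name, err)
			continue
		}
		if !ok {
			fmt.Printf("%s: no usable creation time; cleanup policies cannot age this attestation\n", name)
			continue
		}
		fmt.Printf("%s: created %s\n", name, t.Format(time.RFC3339))
	}
}
```

To run the same check against a real attestation, fetch the config blob referenced by the attestation tag's manifest (for example with crane) and pass its bytes to creationTime.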
@zshorvath zshorvath marked this pull request as draft July 26, 2024 11:37
@zshorvath zshorvath marked this pull request as ready for review July 26, 2024 11:44
Contributor

@haydentherapper haydentherapper left a comment

Thanks!
FYI @jonjohnsonjr

@haydentherapper haydentherapper enabled auto-merge (squash) July 26, 2024 22:39
@codecov

codecov bot commented Jul 26, 2024

Codecov Report

Attention: Patch coverage is 23.80952% with 16 lines in your changes missing coverage. Please review.

Project coverage is 37.67%. Comparing base (2ef6022) to head (07fb281).
Report is 169 commits behind head on main.

Files                              Patch %   Lines
cmd/cosign/cli/attest.go           29.41%    12 Missing ⚠️
cmd/cosign/cli/options/attest.go   0.00%     3 Missing ⚠️
cmd/cosign/cli/attest/attest.go    0.00%     1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3797      +/-   ##
==========================================
- Coverage   40.10%   37.67%   -2.44%     
==========================================
  Files         155      201      +46     
  Lines       10044    12444    +2400     
==========================================
+ Hits         4028     4688     +660     
- Misses       5530     7180    +1650     
- Partials      486      576      +90     

@haydentherapper
Contributor

Can you rerun make docgen?

auto-merge was automatically disabled July 29, 2024 07:14

Head branch was pushed to by a user without write access

Zsolt Horvath added 2 commits July 29, 2024 09:17
Signed-off-by: Zsolt Horvath <zsolte@gmail.com>
Signed-off-by: Zsolt Horvath <zsolt.horvath@real-digital.de>
Signed-off-by: Zsolt Horvath <zsolt.horvath@real-digital.de>
@zshorvath
Contributor Author

make docgen

I have made a change so that attest.go and cosign_attest.md have the same example line at the top; after this, ./cmd/help/verify.sh should complete without an error.

@haydentherapper haydentherapper enabled auto-merge (squash) July 29, 2024 14:44
@haydentherapper haydentherapper merged commit 0406602 into sigstore:main Jul 29, 2024
kipz pushed a commit to kipz/cosign that referenced this pull request Oct 21, 2024
…ore#3797)

* add support for recording creation timestamp for cosign attest

Signed-off-by: Zsolt Horvath <zsolte@gmail.com>
Signed-off-by: Zsolt Horvath <zsolt.horvath@real-digital.de>

* Fix cosign attest example in doc/cosign_attest.md

Signed-off-by: Zsolt Horvath <zsolt.horvath@real-digital.de>

---------

Signed-off-by: Zsolt Horvath <zsolte@gmail.com>
Signed-off-by: Zsolt Horvath <zsolt.horvath@real-digital.de>
Co-authored-by: Zsolt Horvath <zsolt.horvath@real-digital.de>