
support sbom/attestation OCI artifacts similar to .sig signatures

Open cppforlife opened this issue 4 years ago • 5 comments

Describe the problem/challenge you have

we currently have --cosign-signatures=bool flag that attaches .sig artifacts. cosign has .sbom and .att suffixes as well. (https://github.com/sigstore/cosign/blob/0142711da2fadc78f546a99adf12e2f0be428600/pkg/oci/remote/options.go#L27-L29)


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

cppforlife avatar Oct 06 '21 19:10 cppforlife
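The issue body relies on cosign's tag convention for related artifacts: for an image at digest `<alg>:<hex>`, cosign looks for the signature, SBOM and attestation at tags `<repo>:<alg>-<hex>.sig`, `.sbom` and `.att` in the same repository. The Go snippet below is an added example (not imgpkg or cosign code) that derives those three tag references from a repository and digest, rejecting malformed digests so a copy step never constructs tags from garbage input. Repository names and digests in it are constructed sample values.

```go
package main

import (
	"fmt"
	"regexp"
)

// Tag suffixes cosign uses for artifacts related to an image, as listed in
// the issue: signature, SBOM and attestation.
var cosignSuffixes = []string{"sig", "sbom", "att"}

// Only lowercase hex digests with a known algorithm are accepted; registries
// and cosign both treat the digest string literally, so no normalisation is done.
var digestRE = regexp.MustCompile(`^(sha256|sha512):([0-9a-f]+)$`)

var digestHexLen = map[string]int{"sha256": 64, "sha512": 128}

// cosignArtifactTags returns, keyed by suffix, the tag references where cosign
// would store the related artifacts for the image <repo>@<digest>:
// <repo>:<alg>-<hex>.<suffix>. A copy tool can then check each tag for
// existence and copy whatever is present.
func cosignArtifactTags(repo, digest string) (map[string]string, error) {
	if repo == "" {
		return nil, fmt.Errorf("empty repository")
	}
	m := digestRE.FindStringSubmatch(digest)
	if m == nil {
		return nil, fmt.Errorf("malformed digest %q", digest)
	}
	alg, hex := m[1], m[2]
	if want := digestHexLen[alg]; len(hex) != want {
		return nil, fmt.Errorf("%s digest has %d hex chars, want %d", alg, len(hex), want)
	}
	out := make(map[string]string, len(cosignSuffixes))
	for _, s := range cosignSuffixes {
		out[s] = fmt.Sprintf("%s:%s-%s.%s", repo, alg, hex, s)
	}
	return out, nil
}

func main() {
	// Constructed sample digest (64 hex chars of "ab").
	digest := "sha256:abababababababababababababababababababababababababababababababab"
	tags, err := cosignArtifactTags("registry.example/team/app", digest)
	if err != nil {
		panic(err)
	}
	for _, s := range cosignSuffixes {
		fmt.Printf("%-4s -> %s\n", s, tags[s])
	}
}
```

The same function covers the nesting cppforlife raises later in the thread: an SBOM or attestation stored under one of these tags is itself an OCI manifest with its own digest, so feeding that digest back into `cosignArtifactTags` yields the tag where a signature over the SBOM would live, and a copy routine has to follow that chain rather than stop at the first level.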

hey @cppforlife good idea! i'll carvel-accept this meaning we plan on working on it.

Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

Personally, I think leaving it as-is and documenting that it is used to copy cosign artifacts (such as sbom and attestations) is sufficient. And avoids backward compatibility concerns with renaming it.

DennisDenuto avatar Oct 12 '21 17:10 DennisDenuto

Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

may be worth renaming to --cosign-artifacts=bool? im a little less concerned about backwards compatibility for this one, since it's not a widely used feature and it would fail loudly if somebody depends on it.

btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.

cppforlife avatar Oct 12 '21 19:10 cppforlife

btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.

@cppforlife In addition to that, you could create an attestation that includes the SBOM as a predicate in the attestation (so you get the best from both worlds).

hectorj2f avatar Apr 06 '22 19:04 hectorj2f

@joaopapereira I have investigated a little more the options to have a single BOM for the bundle while referring to the rest of the BOMs per image inside the bundle. I believe we could use externalReferences from CycloneDX as explained in https://cyclonedx.org/capabilities/bomlink/; there is an example here: https://github.com/CycloneDX/bom-examples/tree/master/OBOM/Example-1-Decoupled. CycloneDX external references are URIs and BOM-Link is a URN; all external references end up being relationships as well.

hectorj2f avatar May 11 '22 11:05 hectorj2f
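Two ideas from this thread fit together: hectorj2f's earlier point that an attestation can carry the SBOM as its predicate, and the proposal just above to keep one bundle-level BOM that points at the per-image BOMs through CycloneDX externalReferences holding BOM-Links. The Go program below is an added example (not imgpkg, cosign or CycloneDX project code) that builds such a bundle BOM and wraps it in an in-toto Statement. The types are a hand-rolled minimal subset of the in-toto Statement v0.1 layout and of a CycloneDX BOM; the predicate type string is the one cosign uses for CycloneDX attestations (treat it as an assumption); serial numbers, names and digests are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed minimal types: in-toto Statement v0.1 and a subset of CycloneDX.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     BOM       `json:"predicate"`
}

type ExternalReference struct {
	Type string `json:"type"` // "bom" marks a reference to another BOM
	URL  string `json:"url"`
}

type BOM struct {
	BOMFormat          string              `json:"bomFormat"`
	SpecVersion        string              `json:"specVersion"`
	SerialNumber       string              `json:"serialNumber"`
	Version            int                 `json:"version"`
	ExternalReferences []ExternalReference `json:"externalReferences,omitempty"`
}

const (
	inTotoStatementType = "https://in-toto.io/Statement/v0.1"
	// Predicate type cosign uses for CycloneDX SBOM attestations (assumed here).
	cycloneDXPredicateType = "https://cyclonedx.org/bom"
)

// BOM-Link shape: urn:cdx:<uuid>/<version>, version starting at 1.
var bomLinkRE = regexp.MustCompile(`^urn:cdx:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/[1-9][0-9]*$`)

// bomLink derives a BOM-Link URN from a BOM's serialNumber ("urn:uuid:<uuid>")
// and version, so the bundle BOM can point at a specific per-image BOM.
func bomLink(serialNumber string, version int) (string, error) {
	const prefix = "urn:uuid:"
	if !strings.HasPrefix(serialNumber, prefix) {
		return "", fmt.Errorf("serialNumber %q is not a urn:uuid", serialNumber)
	}
	link := fmt.Sprintf("urn:cdx:%s/%d", strings.TrimPrefix(serialNumber, prefix), version)
	if !bomLinkRE.MatchString(link) {
		return "", fmt.Errorf("invalid BOM-Link %q", link)
	}
	return link, nil
}

// bundleBOM builds the bundle-level BOM: it lists no components itself and
// instead carries one externalReference of type "bom" per image BOM.
func bundleBOM(serialNumber string, imageBOMs []BOM) (BOM, error) {
	b := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.4", SerialNumber: serialNumber, Version: 1}
	for _, ib := range imageBOMs {
		link, err := bomLink(ib.SerialNumber, ib.Version)
		if err != nil {
			return BOM{}, err
		}
		b.ExternalReferences = append(b.ExternalReferences, ExternalReference{Type: "bom", URL: link})
	}
	return b, nil
}

// bundleAttestation wraps the bundle BOM as the predicate of an in-toto
// Statement whose subject is the bundle image digest. Signing the statement
// into a DSSE envelope (what cosign stores under the .att tag) is a separate step.
func bundleAttestation(bundleName, sha256Hex string, bom BOM) ([]byte, error) {
	if len(sha256Hex) != 64 {
		return nil, fmt.Errorf("subject digest must be 64 hex chars, got %d", len(sha256Hex))
	}
	st := Statement{
		Type:          inTotoStatementType,
		Subject:       []Subject{{Name: bundleName, Digest: map[string]string{"sha256": sha256Hex}}},
		PredicateType: cycloneDXPredicateType,
		Predicate:     bom,
	}
	return json.MarshalIndent(st, "", "  ")
}

func main() {
	// Constructed sample: two per-image BOMs referenced from one bundle BOM.
	images := []BOM{
		{BOMFormat: "CycloneDX", SpecVersion: "1.4", SerialNumber: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", Version: 1},
		{BOMFormat: "CycloneDX", SpecVersion: "1.4", SerialNumber: "urn:uuid:f08a6ccd-4bdd-4c76-8b2d-3ce1fc1ac3bd", Version: 2},
	}
	bom, err := bundleBOM("urn:uuid:bfa1f0c9-9c1a-4a14-9f6e-0f3a1c2d4e5f", images)
	if err != nil {
		panic(err)
	}
	out, err := bundleAttestation("registry.example/bundle", strings.Repeat("0", 64), bom)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The design keeps verification local: a consumer verifies the signature over the bundle attestation, reads the BOM-Links from its predicate, and resolves each linked per-image BOM (which may itself be attested and signed) only as needed, instead of trusting one large merged document.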

Cosign is experimenting with a different way of storing signatures and other artefacts that will affect both this feature request and also the existing Cosign signatures support.

More info:

  • [conversation about imgpkg and cosign](https://twitter.com/developerguyba/status/1636110374251446277?s=20)
  • [Building towards OCI v1.1 support in cosign](https://www.chainguard.dev/unchained/building-towards-oci-v1-1-support-in-cosign)

ThomasVitale avatar Mar 16 '23 17:03 ThomasVitale