nerdctl
feat: add cosign binary to nerdctl-full
Signed-off-by: Batuhan Apaydın [email protected]
Co-authored-by: Furkan Türkal [email protected]
fixes #679
cc: @Dentrax
Please remove this https://github.com/containerd/nerdctl/blob/e7858835cb43a54aae10500e99a120db11180701/Dockerfile#L243
Thank you for bringing it to my attention; I've removed this line. ✌️
> cosign-linux-amd64 81.4 MB

Why is this binary so large? https://github.com/sigstore/cosign/releases/tag/v1.4.1
idk actually :(
kindly ping @AkihiroSuda 🙋🏻♂️
Sorry for going back and forth, but I'd like to see the binary footprint reduced.
I'd expect it to be around 10MB
There's an issue tracking size reduction here: https://github.com/sigstore/cosign/issues/1462
FWIW, I don't think 10 MB is doable today; the Go binaries are just too large. I've seen it hit ~20 MB with compression and stripping out some features.
WDYT @AkihiroSuda? 🙋🏻♂️
Thanks, 20MB is probably fine
I know @AkihiroSuda you don't want to add cosign until its binary size shrinks, but according to the issue^1, once we generate an SBOM of an image, we should use cosign to attach it to the registry along with an image by default. Also, there is an ongoing issue in Syft to support uploading SBOM results directly to an OCI registry.^2
kindly ping @AkihiroSuda
With the latest improvements, the binary size of cosign has shrunk to approximately 70 MB.
```text
exiftool $(which cosign)
ExifTool Version Number         : 12.42
File Name                       : cosign
Directory                       : /Users/batuhan.apaydin/.nix-profile/bin
File Size                       : 71 MB
File Modification Date/Time     : 1970:01:01 02:00:01+02:00
File Access Date/Time           : 2022:11:04 14:17:49+03:00
File Inode Change Date/Time     : 2022:11:04 14:15:38+03:00
File Permissions                : -r-xr-xr-x
File Type                       : Mach-O executable
File Type Extension             :
MIME Type                       : application/octet-stream
CPU Architecture                : 64 bit
CPU Byte Order                  : Little endian
CPU Type                        : x86 64-bit
CPU Subtype                     : i386 (all) 64-bit
Object File Type                : Demand paged executable
Object Flags                    : No undefs, Dyld link, Two level
```
Is it still big enough for adding this binary into the Lima VM?
> Mach-O executable

This is a darwin binary, not for Linux.
For Linux, it is even better, ~64 MB 🙉
```console
$ docker container run --rm -ti nixery.dev/shell/which/exiftool/cosign sh
Unable to find image 'nixery.dev/shell/which/exiftool/cosign:latest' locally
latest: Pulling from shell/which/exiftool/cosign
cc73b673c757: Already exists
29ffb7f35e12: Already exists
822072e9bbcc: Already exists
63dfabb54096: Already exists
db4ba31bfdcb: Already exists
ec7b47b7b623: Already exists
9697a32c6d89: Already exists
59940a9e2484: Already exists
c59b85fffe3e: Already exists
122f0022d7c7: Already exists
465fd702f8d3: Already exists
5c9dd42b7d8d: Pull complete
d14455596f87: Pull complete
Digest: sha256:3bcdf13f245285fd58f0502c97cf4892b49d03a919c9c85755c243a7520eb9d7
Status: Downloaded newer image for nixery.dev/shell/which/exiftool/cosign:latest
sh-5.1# exiftool $(which cosign)
ExifTool Version Number         : 12.49
File Name                       : cosign
Directory                       : /bin
File Size                       : 64 MB
File Modification Date/Time     : 1970:01:01 00:00:01+00:00
File Access Date/Time           : 1970:01:01 00:00:01+00:00
File Inode Change Date/Time     : 2022:11:09 09:31:19+00:00
File Permissions                : -r-xr-xr-x
File Type                       : ELF executable
File Type Extension             :
MIME Type                       : application/octet-stream
CPU Architecture                : 64 bit
CPU Byte Order                  : Little endian
Object File Type                : Executable file
CPU Type                        : AMD x86-64
sh-5.1#
```
Hello @AkihiroSuda, this PR will fix the problems related to signing and verifying images with cosign because, at the moment, people can't use the new features of nerdctl and nerdctl compose for signing.
https://github.com/containerd/nerdctl/pull/1508
https://github.com/containerd/nerdctl/pull/556
I think you should try to get the distros to support apt-getting cosign.
If it faces difficulty we can revisit this PR.