
Provenance attestation does not contain subjects for each tag created.

Status: Open. marcofranssen opened this issue 3 years ago • 0 comments

Description

https://github.com/philips-labs/slsa-provenance-action generates provenance where each tag is captured as a subject in the provenance.

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "philipssoftware/slsa-provenance:dddb40e199ae28d4cd2f17bad7f31545556fdd3d",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    },
    {
      "name": "philipssoftware/slsa-provenance:v0.7.2",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    …
  }
}

Cosign is currently only capturing the repository as a subject.

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "philipssoftware/slsa-provenance",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    …
  }
}

See https://github.com/philips-labs/slsa-provenance-action/issues/159 for more details on how we use both slsa-provenance and cosign in our workflow.

Currently there is no way to instruct cosign to take all the tags for a given digest. The downside of this is that you can't easily relate from the build provenance which tags have been released for a given digest/image.

Is this a feature that can be added to cosign? Or maybe should we drop this feature?

marcofranssen, Mar 11 '22 13:03
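To make the difference between the two subject shapes concrete, here is an added example (not code from cosign or from philips-labs/slsa-provenance-action). It builds an in-toto Statement v0.1 with one subject per tag, as the slsa-provenance-action output above does, and then answers the two questions a consumer of the attestation cares about: does the statement vouch for this image digest at all, and which tags does it record for that digest. The repository name and digest are copied from the issue; the tag-to-digest table and the helper names are constructed for the example. With the repository-only subject cosign currently emits, the digest check still passes but the recorded tag list is empty, which is exactly the gap the issue describes.

```python
"""
Build and inspect in-toto Statement v0.1 subjects for a container image that is
reachable under several tags. Added illustration only; not cosign's or the
slsa-provenance-action's own code. The tag table is constructed sample data.
"""
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed input: the repository and digest quoted in the issue, plus the two
# tags the issue shows pointing at that digest (a registry listing would supply these).
REPOSITORY = "philipssoftware/slsa-provenance"
IMAGE_DIGEST = "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
TAGS_FOR_DIGEST = ["dddb40e199ae28d4cd2f17bad7f31545556fdd3d", "v0.7.2"]


def _norm_digest(digest):
    """Accept 'sha256:<hex>' or bare '<hex>' and return the lower-case hex part."""
    digest = digest.strip().lower()
    return digest[len("sha256:"):] if digest.startswith("sha256:") else digest


def build_statement(repository, tags, digest, predicate):
    """
    One subject per tag, all carrying the same sha256 (the slsa-provenance-action
    shape). With no tags we fall back to a single repository-only subject, which
    is the shape the issue says cosign currently produces.
    """
    digest = _norm_digest(digest)
    if tags:
        subjects = [{"name": f"{repository}:{tag}", "digest": {"sha256": digest}}
                    for tag in tags]
    else:
        subjects = [{"name": repository, "digest": {"sha256": digest}}]
    return {
        "_type": STATEMENT_TYPE,
        "subject": subjects,
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": predicate,
    }


def _matching_subjects(statement, repository, digest):
    """Subjects whose sha256 equals `digest` and whose name is this repository (bare or tagged)."""
    digest = _norm_digest(digest)
    out = []
    for subj in statement.get("subject", []):
        if subj.get("digest", {}).get("sha256", "").lower() != digest:
            continue  # trust is anchored in the digest, never in the name alone
        name = subj.get("name", "")
        if name == repository or name.startswith(repository + ":"):
            out.append(subj)
    return out


def covers_digest(statement, repository, digest):
    """True if the statement vouches for repository@sha256:<digest>."""
    return bool(_matching_subjects(statement, repository, digest))


def released_tags(statement, repository, digest):
    """
    Tags the statement records for this digest, sorted. A repository-only subject
    contributes nothing here: the digest is covered, but no tag is recorded.
    """
    tags = set()
    for subj in _matching_subjects(statement, repository, digest):
        name = subj["name"]
        if name != repository:
            tags.add(name[len(repository) + 1:])
    return sorted(tags)


if __name__ == "__main__":
    per_tag = build_statement(REPOSITORY, TAGS_FOR_DIGEST, IMAGE_DIGEST, {})
    repo_only = build_statement(REPOSITORY, [], IMAGE_DIGEST, {})
    print(json.dumps(per_tag, indent=2))
    print("per-tag statement records tags:", released_tags(per_tag, REPOSITORY, IMAGE_DIGEST))
    print("repo-only statement records tags:", released_tags(repo_only, REPOSITORY, IMAGE_DIGEST))
```

Note that `covers_digest` never matches on the subject name alone: a tag is mutable, so a verifier that accepted `name` without checking the sha256 could be pointed at a different image than the one the provenance was generated for. The name is only used to learn which tags the producer saw at build time.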