Add Copy method in pkg

Open gpkmr-genesys opened this issue 3 years ago • 2 comments

Description

Currently, cosign has the copy command only in the CLI. But it will be very useful if it is included as a shared pkg so that it is reusable.

I have an application developed in Go which authenticates and copies images between 2 private registries using crane pkg. Now that our images are signed using cosign, I need to add this feature to our app. I am unable to find a way to copy both the image and its signature data programmatically.

gpkmr-genesys, Jun 23 '22 13:06

@imjasonh - created this as per our conversation in Slack

gpkmr-genesys, Jun 23 '22 13:06

It sounds like we should have some kind of pkg/cosign.Copy method that looks and acts like pkg/crane.Copy, with a method signature like:

func Copy(ctx context.Context, src, dst string, opt ...Option) error

This would be something like cmd/cosign/cli/copy.CopyCmd, and should probably even be used by that.

Options available to Copy would be:

  • things from RegistryOptions like WithAllowInsecure, WithAuthFromKeychain, WithTagPrefix
  • WithSigOnly (or maybe WithSignatures(bool), WithSBOMs(bool), WithAttestations(bool) all defaulted to true?)
  • WithForce, probably renamed or split to be more clear about what's being forced

What do people think? pkg/cosign is kind of a kitchen sink at the moment, which imports 58 other packages. Maybe starting with Copy in a new package would be a good start, and we can split pkg/cosign apart into that and other places (like sigstore/sigstore)?

imjasonh, Jun 23 '22 13:06
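
The option shape discussed above, sketched as an added example; it is not cosign's code and not part of the thread. It assumes cosign's convention of storing signatures, attestations and SBOMs at sibling tags named `sha256-<hex>.sig`, `.att` and `.sbom`. `CopyFunc`, `ErrMissing` and the explicit `digest` parameter are hypothetical stand-ins for a registry client such as a wrapper around `crane.Copy`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// ErrMissing is a hypothetical sentinel a CopyFunc returns when src does not exist.
var ErrMissing = errors.New("source reference not found")

// CopyFunc moves one reference between registries (assumed; e.g. a wrapper around crane.Copy).
type CopyFunc func(ctx context.Context, src, dst string) error

type options struct{ sigs, sboms, atts bool }

// Option follows the functional-option shape proposed in the thread.
type Option func(*options)

func WithSignatures(b bool) Option   { return func(o *options) { o.sigs = b } }
func WithSBOMs(b bool) Option        { return func(o *options) { o.sboms = b } }
func WithAttestations(b bool) Option { return func(o *options) { o.atts = b } }

// Copy copies srcRepo@digest to dstRepo, then each enabled companion tag; absent companions are skipped.
func Copy(ctx context.Context, cp CopyFunc, srcRepo, dstRepo, digest string, opt ...Option) error {
	o := options{sigs: true, sboms: true, atts: true} // everything on by default
	for _, f := range opt {
		f(&o)
	}
	if !strings.HasPrefix(digest, "sha256:") { // pin by digest so image and signature stay matched
		return fmt.Errorf("want a sha256 digest, got %q", digest)
	}
	if err := cp(ctx, srcRepo+"@"+digest, dstRepo+"@"+digest); err != nil {
		return fmt.Errorf("copying image: %w", err)
	}
	base := ":" + strings.Replace(digest, ":", "-", 1) // sha256:abc -> :sha256-abc
	for _, c := range []struct{ on bool; ext string }{{o.sigs, ".sig"}, {o.atts, ".att"}, {o.sboms, ".sbom"}} {
		if c.on {
			if err := cp(ctx, srcRepo+base+c.ext, dstRepo+base+c.ext); err != nil && !errors.Is(err, ErrMissing) {
				return fmt.Errorf("copying %s: %w", c.ext, err)
			}
		}
	}
	return nil
}

func main() { // constructed repositories and digest, printed instead of copied
	show := func(_ context.Context, s, d string) error { fmt.Println(s, "->", d); return nil }
	_ = Copy(context.Background(), show, "src.example/app", "dst.example/app", "sha256:"+strings.Repeat("a", 64), WithSBOMs(false))
}
```
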