
Allow signing local image without registry access

Open bkabrda opened this pull request 1 year ago • 1 comment

Summary

This PR attempts to address https://github.com/sigstore/cosign/issues/3832 - it will allow generating a local signature for an image (when --upload=false) by using --output-signature/--output-artifact/--output-payload even when the remote registry is not accessible or the image hasn't yet been pushed there. Details are in the linked issue.

I only implemented this for the case where the image is passed in by digest right now - it's easier to do and the code says we're going to eventually disable referencing images by tag, so I don't think it's strictly necessary there (but let me know if you think otherwise).

Verification of such a signature requires the --insecure-tlog-verify (a.k.a. --private-infrastructure) flag, which seems a little weird to me, but I think that's not something that I introduced by this PR. After some investigation, I think this is caused by the fact that the locally written files don't seem to represent a full bundle (like the one that can be generated with signing a blob or the one that gets pushed as an OCI artifact with --upload=true) and hence the locally created fakeOCISignatures object can't be used correctly in the VerifyBundle function in pkg/cosign/verify.go. I think maybe a better way to solve all of this would be to rather allow writing out full bundles for images, like we allow for sign-blob?

Release Note

  • Enabled signing local images without access to registry

Documentation

I think the release note should be fine, but please correct me if I'm wrong.

bkabrda avatar Aug 20 '24 12:08 bkabrda
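The reason the PR can work without registry access only when the image is referenced by digest is that everything the signed payload needs (repository name plus manifest digest) is already in the reference, whereas a tag would have to be resolved at the registry. The added example below (not code from the PR or from cosign itself) builds the payload that --output-payload would contain and shows the check a verifier should make against a locally produced payload. The field names follow cosign's simple signing container payload; the helper names and the sample reference are hypothetical.

```python
import hashlib
import json
import re

# Only sha256 digests are accepted here (assumption: matches what cosign pins in practice).
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def split_digest_reference(ref):
    """Split 'registry/repo@sha256:<hex>' into (repo, digest).

    A tag reference is rejected on purpose: resolving a tag to a digest needs a
    registry round-trip, which is exactly what local signing cannot perform.
    """
    if "@" not in ref:
        raise ValueError("reference must be pinned by digest (repo@sha256:...)")
    repo, digest = ref.rsplit("@", 1)
    if not DIGEST_RE.match(digest):
        raise ValueError("malformed digest: %s" % digest)
    return repo, digest


def build_payload(ref):
    """Return the payload bytes that --output-payload would write for this reference.

    Key order and compact separators mirror Go's json.Marshal of the payload struct.
    """
    repo, digest = split_digest_reference(ref)
    payload = {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":")).encode()


def payload_matches(payload_bytes, ref):
    """Verifier-side check: a locally produced payload must name the same repo and
    the same digest as the reference being verified, since no registry was consulted."""
    repo, digest = split_digest_reference(ref)
    critical = json.loads(payload_bytes)["critical"]
    return (critical["identity"]["docker-reference"] == repo
            and critical["image"]["docker-manifest-digest"] == digest
            and critical["type"] == "cosign container image signature")


def signed_digest(payload_bytes):
    """SHA-256 of the payload bytes: the value the signature in --output-signature covers."""
    return hashlib.sha256(payload_bytes).hexdigest()
```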

Codecov Report

Attention: Patch coverage is 0% with 16 lines in your changes missing coverage. Please review.

Project coverage is 36.67%. Comparing base (2ef6022) to head (b6fac96). Report is 271 commits behind head on main.

Files with missing lines | Patch % | Lines
cmd/cosign/cli/sign/sign.go | 0.00% | 16 missing
@@            Coverage Diff             @@
##             main    #3841      +/-   ##
==========================================
- Coverage   40.10%   36.67%   -3.43%     
==========================================
  Files         155      203      +48     
  Lines       10044    12787    +2743     
==========================================
+ Hits         4028     4690     +662     
- Misses       5530     7514    +1984     
- Partials      486      583      +97     


codecov[bot] avatar Aug 20 '24 12:08 codecov[bot]

Closing this PR, I'm doing some more research and I think I'll be able to find a better way to fix this.

bkabrda avatar Jan 07 '25 13:01 bkabrda