
Add support for new bundle specification in `cosign verify-attestation`

Open codysoyland opened this issue 1 year ago • 0 comments

This PR adds support for the new Cosign Bundle Specification in cosign verify-attestation.

This works in conjunction with https://github.com/sigstore/cosign/pull/3888 and is interoperable with GitHub Artifact Attestations.

Related: https://github.com/sigstore/cosign/issues/3139

This is in draft for now pending:

  • [ ] TSA Support
  • [ ] Wiring in verification options from CheckOpts
  • [ ] More metadata returned in oci.Signature (currently outputs just enough to display basic verification success message)
  • [ ] Error propagation similar to that in VerifyImageAttestation
  • [ ] Tests

To test, run the following (replacing MY_IDENTITY, MY_ISSUER, MY_TRUSTED_ROOT and MY_IMAGE as needed):

```shell
go run ./cmd/cosign verify-attestation --certificate-identity MY_IDENTITY --certificate-oidc-issuer MY_ISSUER --expect-sigstore-bundle=true --trusted-root=MY_TRUSTED_ROOT MY_IMAGE
```


codysoyland · Sep 25 '24 19:09
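The verification path this PR wires up consumes a Sigstore bundle that carries the attestation as a DSSE envelope wrapping an in-toto statement. As an added example (not code from the cosign project or from this PR), the following Go program shows the structural checks a reviewer of such a bundle would expect before any signature is even looked at: the media type, the DSSE payload type, the base64 payload decoding to an in-toto statement, and the statement's subject digest matching the image being verified. The struct field names follow the JSON encoding of the Sigstore bundle and DSSE envelope as I understand them; the `v0.3` media-type version string, the sample digest, the image name and the placeholder signature are all constructed for this example. Signature, certificate identity/issuer, transparency-log and timestamp verification are intentionally left to `cosign verify-attestation` and the trusted root; this code only answers "is this bundle shaped like an attestation about the digest I care about?"

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal views of the bundle and DSSE envelope fields this check needs.
// verificationMaterial is kept opaque because it is not inspected here.
type dsseSignature struct {
	KeyID string `json:"keyid,omitempty"`
	Sig   string `json:"sig"`
}

type dsseEnvelope struct {
	Payload     string          `json:"payload"`     // standard base64 of the statement
	PayloadType string          `json:"payloadType"` // expected: application/vnd.in-toto+json
	Signatures  []dsseSignature `json:"signatures"`
}

type sigstoreBundle struct {
	MediaType            string          `json:"mediaType"`
	VerificationMaterial json.RawMessage `json:"verificationMaterial"`
	DSSEEnvelope         *dsseEnvelope   `json:"dsseEnvelope,omitempty"`
}

type inTotoSubject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type inTotoStatement struct {
	Type          string          `json:"_type"`
	Subject       []inTotoSubject `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// sampleDigest is a constructed sha256 hex value standing in for an image digest.
const sampleDigest = "1111111111111111111111111111111111111111111111111111111111111111"

// buildSampleBundle constructs a bundle whose DSSE payload is an in-toto statement
// about sampleDigest. Signature and verification material are placeholders (assumed
// shape); this example inspects structure only and never verifies them.
func buildSampleBundle() []byte {
	stmt := inTotoStatement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []inTotoSubject{{Name: "ghcr.io/example/app", Digest: map[string]string{"sha256": sampleDigest}}},
		PredicateType: "https://slsa.dev/provenance/v1",
		Predicate:     json.RawMessage(`{"buildDefinition":{},"runDetails":{}}`),
	}
	stmtJSON, _ := json.Marshal(stmt)
	b := sigstoreBundle{
		MediaType:            "application/vnd.dev.sigstore.bundle.v0.3+json", // assumed version string
		VerificationMaterial: json.RawMessage(`{"tlogEntries":[]}`),
		DSSEEnvelope: &dsseEnvelope{
			Payload:     base64.StdEncoding.EncodeToString(stmtJSON),
			PayloadType: "application/vnd.in-toto+json",
			Signatures:  []dsseSignature{{Sig: "PLACEHOLDER_SIGNATURE"}},
		},
	}
	out, _ := json.Marshal(b)
	return out
}

// inspectBundle checks that raw is a bundle carrying a DSSE-wrapped in-toto statement
// whose subject covers wantDigest, and returns the statement's predicateType so the
// caller can decide whether this is the attestation kind it expects. Every failure
// is reported rather than silently skipped, mirroring how a verifier should behave.
func inspectBundle(raw []byte, wantDigest string) (string, error) {
	var b sigstoreBundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return "", fmt.Errorf("bundle is not valid JSON: %w", err)
	}
	if !strings.HasPrefix(b.MediaType, "application/vnd.dev.sigstore.bundle") {
		return "", fmt.Errorf("unexpected mediaType %q", b.MediaType)
	}
	env := b.DSSEEnvelope
	if env == nil {
		return "", errors.New("bundle has no dsseEnvelope; not an attestation bundle")
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return "", fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return "", errors.New("envelope carries no signatures")
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("payload is not base64: %w", err)
	}
	var stmt inTotoStatement
	if err := json.Unmarshal(payload, &stmt); err != nil {
		return "", fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	if !strings.HasPrefix(stmt.Type, "https://in-toto.io/Statement/") {
		return "", fmt.Errorf("unexpected statement _type %q", stmt.Type)
	}
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == wantDigest { // the attestation is about this image
			return stmt.PredicateType, nil
		}
	}
	return "", fmt.Errorf("no subject matches sha256:%s; attestation is about something else", wantDigest)
}

func main() {
	pt, err := inspectBundle(buildSampleBundle(), sampleDigest)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("attestation predicateType:", pt)
}
```

The subject-digest check is the one most often forgotten when people hand-roll bundle handling: a bundle can be perfectly well signed and still describe a different artifact, so a verifier must bind the statement to the digest it resolved for the image, not just confirm the envelope parses.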