
Support stdout output for attest-blob bundles

Open ralphbean opened this issue 2 months ago • 3 comments

Summary

This enables attest-blob --bundle=- to write bundles to stdout with a trailing newline, allowing users to create JSONL files containing multiple attestations by redirecting and appending output.

This change adds support for the convention of using "-" to represent stdout. When the bundle path is "-", the bundle is written to stdout instead of a file, and the signature output is suppressed to avoid conflicts.

Changes:

  • Add stdout detection in attest/attest_blob.go and signcommon/common.go
  • Suppress signature output when bundle goes to stdout
  • Add comprehensive test coverage in attest_blob_test.go
  • Update flag description and add JSONL example to documentation

Example usage, appending two predicates about the same blob to the same jsonl file.

    cosign attest-blob --key key.key --predicate pred1.json \
        --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl
    cosign attest-blob --key key.key --predicate pred2.json \
        --type slsaprovenance --bundle=- blob.txt >> attestations.jsonl

🤖 Generated with Claude Code

Closes #4494

Release Note

Added support for writing blob attestations to stdout.

Documentation

I don't think this needs any special docs update, but I'm open to it if you think there's somewhere it should be noted.

ralphbean, Oct 24 '25 13:10

Codecov Report

Patch coverage is 46.66667% with 8 lines in your changes missing coverage. Please review. Project coverage is 36.68%. Comparing base (2ef6022) to head (77486a5). Warning: Report is 574 commits behind head on main.

Files with missing lines                  Patch %    Lines
cmd/cosign/cli/attest/attest_blob.go      42.85%     3 Missing and 1 partial
cmd/cosign/cli/signcommon/common.go        0.00%     3 Missing
cmd/cosign/cli/options/attest_blob.go      0.00%     1 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4495      +/-   ##
==========================================
- Coverage   40.10%   36.68%   -3.42%     
==========================================
  Files         155      220      +65     
  Lines       10044    12173    +2129     
==========================================
+ Hits         4028     4466     +438     
- Misses       5530     7017    +1487     
- Partials      486      690     +204     


codecov[bot], Oct 24 '25 13:10

> I'm hesitant to assume that the only stdout from subcommands like attest-blob will be the bundle itself.

Yeah, there's an old issue lurking about this at https://github.com/sigstore/cosign/issues/2510

ralphbean, Oct 28 '25 11:10

> Would it make sense to have these subcommands append to the --bundle path, instead of just calling os.WriteFile(), which truncates the file?

As a user, this sounds nice. Consider, is it a breaking change? A user might theoretically be depending on that truncation, but in practice I can't imagine it mattering. At most, somebody's local flow might change if they were depending on writing an attestation over and over again as a test.

Is there a type-ambiguity? If you call attest-blob once with --bundle, you get a json file where .json is an appropriate suffix. If you call it twice, you get a json lines file where .jsonl is an appropriate suffix.

Perhaps an explicit --append option, defaulting to false, would be the right choice (although it does inflate the number of options, and I believe there's an effort underway or done with v3 to reduce the number of options).

ralphbean, Oct 28 '25 11:10
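The stdout convention from the PR description (write the bundle to stdout with a trailing newline so that appended runs form a JSONL file) and the append-versus-truncate question from the review, as an added Go example that is not cosign's own code: writeBundle treats "-" the way --bundle=- does and compacts the bundle onto one line before the newline, since a pretty-printed bundle would break the JSONL; its mode parameter stands in for the hypothetical --append option (os.O_APPEND) versus the os.WriteFile truncation (os.O_TRUNC). readBundles is an assumed consumer that splits the file back into bundles and rejects a truncated last line; the bundle contents are constructed placeholders, not real cosign bundles.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// writeBundle emits one bundle to stdout when path is "-" (the convention the PR adds),
// else to a file opened with mode os.O_TRUNC (os.WriteFile semantics) or os.O_APPEND
// (the --append alternative from the review). JSON is compacted to one line plus "\n" (JSONL).
func writeBundle(path string, bundle []byte, mode int, stdout io.Writer) error {
	var line bytes.Buffer
	if err := json.Compact(&line, bundle); err != nil {
		return fmt.Errorf("bundle is not valid JSON: %w", err)
	}
	line.WriteByte('\n')
	w := stdout
	if path != "-" {
		f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|mode, 0o600)
		if err != nil {
			return err
		}
		defer f.Close()
		w = f
	}
	_, err := line.WriteTo(w)
	return err
}

// readBundles splits a JSONL stream back into bundles, rejecting incomplete (e.g. truncated) lines.
func readBundles(data []byte) ([]json.RawMessage, error) {
	var out []json.RawMessage
	for n, line := range bytes.Split(data, []byte{'\n'}) {
		if len(bytes.TrimSpace(line)) == 0 {
			continue // trailing newline or blank separator
		}
		if !json.Valid(line) {
			return nil, fmt.Errorf("line %d: not a complete JSON bundle", n+1)
		}
		out = append(out, json.RawMessage(line))
	}
	return out, nil
}

func main() { // stand-alone demo with a constructed placeholder bundle, not a real cosign bundle
	_ = writeBundle("-", []byte(`{"kind":"constructed-bundle","n":1}`), os.O_TRUNC, os.Stdout)
}
```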