cosign
Code signing and transparency for containers and binaries
**Description** A lot of the signing logic is currently in the `cmd` package. https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/sign/sign.go It would be great if more of this logic can be moved into the `pkg` package...
**Description** I've created an in-toto attestation and uploaded it to an image registry. When I tried to use `cosign verify-attestation --policy my.cue ...` the policy written in CUE was not...
Goal is to be able to successfully sign and verify container images without having to communicate with tlog when `--upload=false` Status: - [ ] - Disable uploading to tlog -...
This is some WIP TUF code. The major thing I want to do is to not rely on my hand-grown store. I'd like to remove a lot of it in...
Getting `MANIFEST_UNKNOWN: manifest unknown` error ```sh cosign download sbom ghcr.io/xmlking/grpc-starter-kit/greeter:latest --output-file=sbom.spdx ``` Error ``` Error: GET https://ghcr.io/v2/xmlking/grpc-starter-kit/greeter/manifests/sha256-4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc.sbom: MANIFEST_UNKNOWN: manifest unknown main.go:46: error during command execution: GET https://ghcr.io/v2/xmlking/grpc-starter-kit/greeter/manifests/sha256-4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc.sbom: MANIFEST_UNKNOWN: manifest unknown...
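The error above comes from cosign resolving the image to its digest and then fetching a sibling tag named after that digest: `sha256-<hex>.sbom` for an SBOM, `.sig` for a signature, `.att` for an attestation. `MANIFEST_UNKNOWN` therefore usually means nothing was ever attached under that tag. The following is an added example (not cosign's own code) that derives those tag names from a digest and reports, against a constructed tag listing such as `crane ls` would print, which artifacts are actually present for the image:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cosign stores signatures, attestations and SBOMs as separate manifests in
// the same repository, tagged by the image digest: sha256-<hex>.sig / .att / .sbom.
var digestRe = regexp.MustCompile(`^(sha256:)?([0-9a-f]{64})$`)

// CosignTag derives the tag cosign looks up for the given artifact kind
// ("sig", "att" or "sbom"). It accepts "sha256:<hex>" or the bare hex digest.
func CosignTag(digest, kind string) (string, error) {
	m := digestRe.FindStringSubmatch(strings.ToLower(strings.TrimSpace(digest)))
	if m == nil {
		return "", fmt.Errorf("not a sha256 digest: %q", digest)
	}
	switch kind {
	case "sig", "att", "sbom":
	default:
		return "", fmt.Errorf("unknown cosign artifact kind: %q", kind)
	}
	return fmt.Sprintf("sha256-%s.%s", m[2], kind), nil
}

// AttachedArtifacts reports, for an image digest, which cosign artifacts exist
// in a repository given its tag list. A missing entry is what surfaces as
// MANIFEST_UNKNOWN when `cosign download sbom` (or verify) fetches it.
func AttachedArtifacts(digest string, tags []string) (map[string]bool, error) {
	present := make(map[string]bool, len(tags))
	for _, t := range tags {
		present[t] = true
	}
	out := map[string]bool{}
	for _, kind := range []string{"sig", "att", "sbom"} {
		tag, err := CosignTag(digest, kind)
		if err != nil {
			return nil, err
		}
		out[kind] = present[tag]
	}
	return out, nil
}

func main() {
	// Constructed tag listing: the image is signed but has no attestation or SBOM.
	digest := "sha256:4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc"
	tags := []string{
		"latest",
		"v0.1.0",
		"sha256-4ae72f03d893bae528ae69048360d9cf674552688f76fc59940132d4175a90fc.sig",
	}
	found, err := AttachedArtifacts(digest, tags)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, kind := range []string{"sig", "att", "sbom"} {
		fmt.Printf("%-4s attached: %v\n", kind, found[kind])
	}
}
```

Feed it the digest from the error message and the repository's real tag list; if `sbom` comes back false, the fix is to run `cosign attach sbom` (or whatever produced the SBOM) rather than to look for a download problem.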
**Description** Currently, cosign is not able to leverage the existing trust established by container runtime engines such as Docker or Containerd against private registries signed with an internally-trusted certificate authority....
When using `COSIGN_DOCKER_MEDIA_TYPES=1 cosign attest`, the generated manifest contains a nested non-docker entity: ``` $ COSIGN_DOCKER_MEDIA_TYPES=1 cosign -d attest --predicate /tmp/predicate.json --key /tmp/signing-key quay.io/lucarval/festoji:latest ... {"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":233,"digest":"sha256:cb978855b77b57c23449c4bbaa36fcd9c4c390ead881eb0eb485681756dcb644"},"layers":[{"mediaType":"application/vnd.dsse.envelope.v1+json","size":4516,"digest":"sha256:da0941eb5616c32607785d97f8a619acd5e46bffeb711f98c8086d9795795534","annotations":{"dev.cosignproject.cosign/signature":""}}]} 2022/03/22 10:00:16
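A quick way to confirm the mismatch described above is to walk every `mediaType` in the produced manifest and flag any that fall outside the `application/vnd.docker.*` family. The block below is an added example (not cosign's code) that does exactly that over the manifest quoted in the report, copied here as constructed input; registries that reject unknown media types will do so on the DSSE layer it reports:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// descriptor is the subset of an OCI/Docker content descriptor we inspect.
type descriptor struct {
	MediaType string `json:"mediaType"`
	Size      int64  `json:"size"`
	Digest    string `json:"digest"`
}

// manifest is the subset of an image manifest we inspect.
type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// NonDockerMediaTypes parses a manifest and returns every media type in it
// (top level, config, each layer) that is not in the application/vnd.docker.*
// family, labelled with where it was found. An empty result means the manifest
// is uniformly Docker-typed, which is what COSIGN_DOCKER_MEDIA_TYPES=1 promises.
func NonDockerMediaTypes(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var bad []string
	check := func(where, mt string) {
		if !strings.HasPrefix(mt, "application/vnd.docker.") {
			bad = append(bad, where+": "+mt)
		}
	}
	check("manifest", m.MediaType)
	check("config", m.Config.MediaType)
	for i, l := range m.Layers {
		check(fmt.Sprintf("layers[%d]", i), l.MediaType)
	}
	return bad, nil
}

// attestManifest is the manifest printed by the `cosign -d attest` run above,
// embedded here as constructed test input.
const attestManifest = `{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":233,"digest":"sha256:cb978855b77b57c23449c4bbaa36fcd9c4c390ead881eb0eb485681756dcb644"},"layers":[{"mediaType":"application/vnd.dsse.envelope.v1+json","size":4516,"digest":"sha256:da0941eb5616c32607785d97f8a619acd5e46bffeb711f98c8086d9795795534","annotations":{"dev.cosignproject.cosign/signature":""}}]}`

func main() {
	bad, err := NonDockerMediaTypes([]byte(attestManifest))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(bad) == 0 {
		fmt.Println("all media types are Docker-compatible")
		return
	}
	for _, b := range bad {
		fmt.Println("non-Docker media type at", b)
	}
}
```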
**Description** https://github.com/philips-labs/slsa-provenance-action generates provenance where each tag is captured as a subject in the provenance. ```json { "_type": "https://in-toto.io/Statement/v0.1", "subject": [ { "name": "philipssoftware/slsa-provenance:dddb40e199ae28d4cd2f17bad7f31545556fdd3d", "digest": { "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7" } },...
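When a provenance statement lists several subjects, one per tag, the thing that ties it to the image under verification is the subject's `sha256` digest, not the tag in the subject `name`. The following added example (not cosign's code, and not the slsa-provenance-action's) parses a constructed statement modelled on the one above and returns the subjects whose digest matches the image digest, so a multi-subject statement can be checked without caring which tag was used to pull the image:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// subject is one entry of an in-toto Statement's "subject" list.
type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// statement is the in-toto Statement envelope around a predicate.
type statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// SubjectsMatching parses a Statement and returns the names of every subject
// whose sha256 digest equals imageDigest ("sha256:<hex>" or bare hex).
// An empty result means the statement does not cover this image at all, even
// if a subject name happens to contain the same repository or tag.
func SubjectsMatching(raw []byte, imageDigest string) ([]string, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	if !strings.HasPrefix(st.Type, "https://in-toto.io/Statement/") {
		return nil, fmt.Errorf("unexpected statement type %q", st.Type)
	}
	want := strings.TrimPrefix(strings.ToLower(strings.TrimSpace(imageDigest)), "sha256:")
	var names []string
	for _, s := range st.Subject {
		if strings.ToLower(s.Digest["sha256"]) == want {
			names = append(names, s.Name)
		}
	}
	return names, nil
}

// provenance is a constructed statement in the shape produced by the action:
// two tags of the same image share one digest; a third subject is a different image.
const provenance = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {"name": "philipssoftware/slsa-provenance:dddb40e199ae28d4cd2f17bad7f31545556fdd3d",
     "digest": {"sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"}},
    {"name": "philipssoftware/slsa-provenance:latest",
     "digest": {"sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"}},
    {"name": "philipssoftware/other:latest",
     "digest": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000"}}
  ],
  "predicate": {}
}`

func main() {
	names, err := SubjectsMatching([]byte(provenance), "sha256:e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, n := range names {
		fmt.Println("statement covers", n)
	}
}
```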
When I try to list tokens, I am given the unhelpful error "Error: flag: help requested" # Expected behaviour ```bash export COSIGN_PKCS11_MODULE_PATH=/usr/local/lib/libykcs11.dylib ./cosign pkcs11-tool list-tokens Listing tokens of PKCS11 module...
**Description** As a follow-on to #1610 we should keep track of Rekor tree state and complain loudly (just like rekor-cli does) if things change.
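The check being asked for is small: pin the last tree size and root hash seen, and refuse to proceed if the log appears to have shrunk or if a different root is published for the same size, since an append-only log can do neither. The following added example (not cosign's or rekor-cli's code) implements that state file and comparison; the state path and the field names are assumptions. It deliberately stops short of one thing rekor-cli also does, verifying a consistency proof between the old and new tree sizes when the log has grown, which is noted in the comments:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// TreeState is the part of a Rekor checkpoint worth pinning between runs:
// the tree size and the root hash (hex) published for that size.
type TreeState struct {
	TreeSize int64  `json:"treeSize"`
	RootHash string `json:"rootHash"`
}

var (
	ErrTreeShrank  = errors.New("rekor tree size decreased")
	ErrRootChanged = errors.New("rekor root hash changed for the same tree size")
)

// CheckTreeState compares the state pinned on the last run with the one just
// fetched. A transparency log is append-only: it may only grow, and the root
// published for a given size must never change. Either violation means the log
// was rewound or forked, and inclusion proofs against it should not be trusted
// until someone investigates.
// Assumption of this example: when the tree grew, the caller must still verify
// a consistency proof from prev.TreeSize to curr.TreeSize before pinning curr.
func CheckTreeState(prev, curr TreeState) error {
	switch {
	case curr.TreeSize < prev.TreeSize:
		return fmt.Errorf("%w: %d -> %d", ErrTreeShrank, prev.TreeSize, curr.TreeSize)
	case curr.TreeSize == prev.TreeSize && curr.RootHash != prev.RootHash:
		return fmt.Errorf("%w at size %d: %s vs %s", ErrRootChanged, curr.TreeSize, prev.RootHash, curr.RootHash)
	}
	return nil
}

// LoadState reads the pinned state; found is false on the very first run.
func LoadState(path string) (TreeState, bool, error) {
	var s TreeState
	b, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return s, false, nil
	}
	if err != nil {
		return s, false, err
	}
	if err := json.Unmarshal(b, &s); err != nil {
		return s, false, fmt.Errorf("corrupt state file %s: %w", path, err)
	}
	return s, true, nil
}

// SaveState persists the state with owner-only permissions, since an attacker
// who can edit it can hide a rewind.
func SaveState(path string, s TreeState) error {
	b, err := json.Marshal(s)
	if err != nil {
		return err
	}
	return os.WriteFile(path, b, 0o600)
}

// UpdateState runs the check against the pinned state and, only if it passes,
// pins the freshly fetched state. Errors wrap ErrTreeShrank / ErrRootChanged
// so callers can match them with errors.Is and fail loudly.
func UpdateState(path string, curr TreeState) error {
	prev, found, err := LoadState(path)
	if err != nil {
		return err
	}
	if found {
		if err := CheckTreeState(prev, curr); err != nil {
			return err
		}
	}
	return SaveState(path, curr)
}

func main() {
	path := filepath.Join(os.TempDir(), "rekor-state.json") // hypothetical location
	// Constructed values standing in for two successively fetched checkpoints.
	first := TreeState{TreeSize: 1000, RootHash: "aa11"}
	rewound := TreeState{TreeSize: 999, RootHash: "bb22"}
	if err := UpdateState(path, first); err != nil {
		fmt.Println("error:", err)
		return
	}
	if err := UpdateState(path, rewound); err != nil {
		fmt.Println("REFUSING TO TRUST LOG:", err)
	}
}
```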