sigstore-python icon indicating copy to clipboard operation
sigstore-python copied to clipboard

Published 20 hours ago verified publisher icon sigstore

Support generating and verifying with "Sigstore" bundles

Open woodruffw opened this issue 3 years ago • 1 comments

There are currently (at least) 3 different things called "bundles" in the Sigstore ecosystem:

  • "cosign bundles", which cosign --bundle emits. These contain a Rekor entry, plus checksum, certificate, and signature needed to perform a normal verification step.
  • "Rekor offline bundles", which contain just the Rekor entry and its SET. These need to be combined with separate inputs to perform a normal verification step.
  • "sigstore bundles", which are currently being designed (https://github.com/sigstore/cosign/pull/2204). These will deprecate "cosign bundles" and perform the same function.

Once the "Sigstore bundle" format is stabilized, sigstore-python should both consume and emit it (by default, rather than emitting/loading separate files for each component).

This is a counterpart to #52 and #194, and will obviate/deprecate the work in #247 once finished.

woodruffw avatar Oct 14 '22 17:10 woodruffw

Marking this blocked on https://github.com/sigstore/cosign/issues/2131

di avatar Oct 21 '22 14:10 di

The sigstore bundle spec is being developed in sigstore/protobuf-specs; tracking https://github.com/sigstore/protobuf-specs/issues/6

woodruffw avatar Nov 01 '22 22:11 woodruffw

nothing against protobufs as such but it'll likely be yet another dependency just to read a single config file :(

jku avatar Nov 02 '22 08:11 jku

nothing against protobufs as such but it'll likely be yet another dependency just to read a single config file :(

Yeah, this isn't ideal (but also not the end of the world). My plan here was to look into generating a separate Python package from the protobuf specs, something like sigstore-protos or sigstore-models, so that we can avoid a direct protobuf dependency.

woodruffw avatar Nov 02 '22 14:11 woodruffw

Or we could have the repo that defines the specs generate/publish the protos package as well.

di avatar Nov 02 '22 14:11 di

Bumping this to post-stable, since the Sigstore bundle format itself isn't fully stabilized.

woodruffw avatar Jan 03 '23 16:01 woodruffw

Unblocking because a 0.1 release of the bundle format is now available; we should begin evaluating against it.

woodruffw avatar Jan 12 '23 17:01 woodruffw

I'm going to prepare a PR for verifying bundles.

tetsuo-cpp avatar Jan 26 '23 06:01 tetsuo-cpp

Done as of #478!

woodruffw avatar Jan 31 '23 20:01 woodruffw

Not a big deal, but should the subtask

  • [ ] Verify using Sigstore-style bundles with the sigstore verify subcommands

in the issue description be checked and linked to https://github.com/sigstore/sigstore-python/pull/478?

edgarrmondragon avatar Jan 05 '24 00:01 edgarrmondragon

Yes, thanks @edgarrmondragon!

woodruffw avatar Jan 05 '24 01:01 woodruffw