chains icon indicating copy to clipboard operation
chains copied to clipboard
verified publisher icon tektoncd

feat: add support for referrers attestations

Open arewm opened this issue 5 months ago • 7 comments

Changes

While the backwards compatible tag-based attestation method works, it can result in a lot of additional tags being pushed to OCI registries. In order to maintain fewer tags, Chains should be able to use the referrer's API when pushing signatures and attestations.

Co-Authored-By: Claude [email protected] Signed-off-by: arewm [email protected]

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • [x] Has Docs included if any changes are user facing
  • [x] Has Tests included if any functionality added or changed
  • [x] Follows the commit message standard
  • [x] Meets the Tekton contributor standards (including functionality, content, code)
  • [x] Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • [x] Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Add support for pushing OCI signatures and provenance with the referrer's API

arewm avatar Aug 08 '25 18:08 arewm

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: To complete the pull request process, please assign priyawadhwa after the PR has been reviewed. You can assign the PR to them by writing /assign @priyawadhwa in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot avatar Aug 08 '25 18:08 tekton-robot

Hi @arewm. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Aug 08 '25 18:08 tekton-robot

@arewm - Could you clarify if all the OCI registries support the referrer API end point? If not could we include validation and default fall back option if the end point is not supported for the given registry. Also, Recommend to create an upstream issue for this with label kind/feature with more details on why we are incorporating this enhancement.Thanks

anithapriyanatarajan avatar Aug 11 '25 04:08 anithapriyanatarajan

All registries might not support the referrers API but this is also why the configuration can be defined.

After creating this PR, I investigated the gap more and created sigstore/cosign/issues/4335. I used cosign's support for the new bundle format in the PR. I don't know if there are any implications with this change, but I suspect that we might actually want that to be configured separately from the use of the referrer's API.

My understanding is that Cosign should handle the fallback, but it does make sense to add that as a test case here too.

After I do a little more investigation with cosign, I will create an issue in Chains to further describe the challenge I am trying to resolve (the motivation is similar to the cosign issue).

arewm avatar Aug 11 '25 14:08 arewm

I found the spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#unavailable-referrers-api

A client that pushes an image manifest with a defined subject field MUST verify the referrers API is available or fallback to updating the image index pushed to a tag described by the referrers tag schema. A client querying the referrers API and receiving a 404 Not Found MUST fallback to using an image index pushed to a tag described by the referrers tag schema.

So we should expect cosign to fall back appropriately. The configuration change is just to attempt to use the referrer's API in the first place instead of only using the legacy option.

arewm avatar Aug 11 '25 14:08 arewm

I just reworked this implementation to include the changes made in https://github.com/sigstore/cosign/pull/4357. It is not currently possible for cosign to download all of these attestations, but that is also something that I am working on. I have been using Tekton as the attestation generator for testing Cosign, so as I continue the investigation, this PR may change.

I have some sample images that I generated attestations and signatures for here: https://quay.io/repository/arewm/test-repo?tab=tags

arewm avatar Sep 23 '25 02:09 arewm

@arewm: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

tekton-robot avatar Dec 13 '25 11:12 tekton-robot