Attaching the signature artifact to the Image artifact

[wieringen]

When I use oras (or gcloud artifacts attachments create) to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.

When I use cosign this is not the case. The signature artifact is displayed like a normal artifact and no relationship is visible at first glance.

After comparing some of the manifests, I noticed that oras adds a field called subject to the manifest of the added artifact with a reference to the digest of the image artifact.
"subject": { "mediaType": "application/vnd.oci.image.index.v1+json", "digest": "sha256:the_digest_of_the_image", "size": 856 }

opencontainers/image-spec#1020
docker/build-push-action#1260

You can use the following command oras attach --artifact-type doc/example --annotation "key1=val1" --annotation "key2=val2" localhost:5000/hello:v1 to quickly create an attached artifact at that location.

Can cosign support the subject field as well?

[ChristianCiach]

That's already possible:

• Add COSIGN_OCI_EXPERIMENTAL, push .sig/.sbom using OCI 1.1+ digest tag #2684

Try:

COSIGN_EXPERIMENTAL=1 cosign sign --registry-referrers-mode=oci-1-1 ...

But generally speaking, OCI-1.1 support in Cosign is poor and it doesn't seem like there has been any improvement in a very long time. In particular, it's still not possible to attach attestations in an OCI compliant way. For that reason we're thinking about migrating away from Cosign. (In fact, I found this issue while investigating if there have been any improvements over the last year or so, but sadly it doesn't look that way.)

[wieringen]

Thanks for your reply! My experience has been the same as yours. I noticed that it’s possible to attach an artifact in an oci1.1 compliant way, but oci1.1 for attestations is not supported. What other options besides cosign are there?

[haydentherapper]

OCI 1.1 support is planned - https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md

[wieringen]

moby/buildkit#5561

buildkit is adding support in v0.19.0

[ChristianCiach]

The proposed Bundle-spec will be just another breaking change that makes all existing attachments and tooling incompatible, yet again. Also, I need to attach signatures and SBOMs in a future-proof way right now.

What other options besides cosign are there?

I am currently looking into Notation/NotaryV2 in combination with ORAS. My plan is to just push my SBOMs as true OCI attachments (Referrers API) using ORAS and maybe sign them using Notation. I am not saying that these tools are "better" than Cosign, but at least they seem committed to their specifications without deprecating everything every year.

[codysoyland]

The planned OCI 1.1 referring artifact support for attestations (Bundle-spec) is in active development here and should be available very soon as an optional feature in Cosign.

We've been very deliberate in designing the new specifications and this PR is part of a series of client standardization efforts that have been ongoing for nearly two years, centered on the Sigstore Bundle Format. The other language clients are cross-compatible and Cosign is the last to be updated, as we take breaking changes very seriously.

[haydentherapper]

I'll also point out #3927 as a solution for signatures as OCI artifacts, as the spec I linked is for attestations.

@ChristianCiach, adapting based on feedback from consumers and evolving the specification based on progress across the ecosystem is a natural part of development. Yes, in this example, there is a breaking change in terms of the format so old Cosign versions will not be compatible, but it's not accurate to say existing attachments will fail. We can continue to support verification of the current signature specification.

We want to standardize on the format of the signature and its verification material across Sigstore clients and SDKs. Cosign is actually the outlier in this case as bundles are already implemented in 5 Sigstore SDKs. We've made a lot of progress recently towards supporting this newer bundle format in Cosign, launched in Cosign v2.4.0. The bundle specification I've linked is our answer to OCI 1.1 and bundles - using OCI 1.1 with the current spec for the signature format keeps Cosign divergent and incompatible with the rest of the ecosystem, and using annotations to store bundles makes no progress towards OCI 1.1.

We are always open to feedback or PRs from the community.

[wieringen]

Thanks a lot, guys! Everything is a lot clearer to me now.