Conversation
Signed-off-by: Zach Steindler <steiza@github.com>
✅ Deploy Preview for docssigstore ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Signed-off-by: Zach Steindler <steiza@github.com>
Hayden-IO
left a comment
Hayden-IO
left a comment
There was a problem hiding this comment.
This looks great, thank you for cleaning this up!
Any updates we need to make to https://github.com/sigstore/docs/blob/main/content/en/quickstart/quickstart-cosign.md? You made an update here to not use ttl.sh, should we make the same change in the quickstart guide?
Signed-off-by: Zach Steindler <steiza@github.com>
| ## SBOMs (Software Bill Of Materials) | ||
|
|
||
| SBOMs can also be stored in an OCI registry, using this [specification](https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md). | ||
| There's a couple of different approaches SBOMs, depending on if you're working with container images or not. |
There was a problem hiding this comment.
| There's a couple of different approaches SBOMs, depending on if you're working with container images or not. | |
| SBOMs can be treated as either standalone OCI objects, or as container image attestations. |
There was a problem hiding this comment.
What I wanted to get across here (and maybe you can help me wordsmith) is that you can use SBOMs with Cosign both if you're working with container images (sign, attest), as well as if you're using files on disk (sign-blob, attest-blob).
There was a problem hiding this comment.
Oh I got it, how about just that:
You can use SBOMs with Cosign both if you're working with container images (
sign,attest), as well as if you're using files on disk (sign-blob,attest-blob).
| {"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef"},"Type":"cosign container image signature"},"Optional":null} | ||
| ``` | ||
|
|
||
| ## Tag signing |
There was a problem hiding this comment.
Why did we want these sections removed?
There was a problem hiding this comment.
For tag signing the use case doesn't make a lot of sense to me. I think today if you want the release name to digest mapping to have integrity you'd use something like https://github.com/in-toto/attestation/blob/main/spec/predicates/release.md, which leads to a second point that I think if you find yourself doing cosign sign -a what you really should be doing is cosign attest --predicate, especially since now a Cosign OCI signature is an attestation (with predicate type https://sigstore.dev/cosign/sign/v1).
For base image signing there's no reason you couldn't do that, but I don't think it needs special mention - you would sign the base image URI. You definitely would not sign each layer - how the heck would you verify that? This is sort of typical of early Cosign "sign everything now, figure out verification later" approach.
Countersigning I was more on the fence. There's no reason why you can't cosign sign targeting a protobuf bundle in the registry, but I don't think that's a use-case we necessarily want to encourage. If you want to do it, and you know what you're doing, go ahead, but I'm not sure it needs to be part of our documentation.
| $ cosign sign $IMAGE | ||
| ``` | ||
|
|
||
| ## Add annotations with a signature |
There was a problem hiding this comment.
It doesn't look like annotations are deprecated, why don't we want to include examples of it?
There was a problem hiding this comment.
I mentioned this above, but I think it's difficult to answer "when should I use cosign sign -a vs when should I use cosign attest --predicate. I personally would strongly recommend people use cosign attest --predicate.
There was a problem hiding this comment.
I might be wrong but I think one difference is people can verify that individual annotations are present, but for attestations you have to have more complex policy files to verify their contents. I lean slightly more on the side of keeping documentation and explaining the difference versus letting people discover it in the command line help and not have a good base for understanding it.
There was a problem hiding this comment.
Fair enough! I added it back, but below Attesting an image 😅
| } | ||
| } | ||
| $ echo '{"sbom_path": "example.com/...", "sbom_hash": "sha256:0a1b2c..."}' > sbom.predicate.json | ||
| $ cosign attest --type custom --predicate sbom.predicate.json $IMAGE |
There was a problem hiding this comment.
I'm curious why use a custom type with an arbitrary predicate instead of keeping the SPDX example for SBOMs?
There was a problem hiding this comment.
I really want folks to move away from things like https://github.com/in-toto/attestation/blob/main/spec/predicates/cyclonedx.md and https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx2.md.
SBOMs range from 1 - 100 MBs, and if you stuff the entire SBOM into the Sigstore protobuf bundle (using those predicates) then your Sigstore bundle can be 100 MBs. Not only does this cause problems with Rekor (mostly v1 I think), this also means that anytime you want to verify the container image signature you might have to download 100 MBs of data.
Instead, I think folks should use https://github.com/in-toto/attestation/blob/main/spec/predicates/reference.md, and indeed, this is what we at GitHub are moving things like https://github.com/actions/attest-sbom to. Unfortunately, cosign attest today doesn't let you reference arbitrary predicate types.
There was a problem hiding this comment.
Oh, I got it, that makes a lot of sense and I wasn't aware we were trying to move people off of the individual predicate types.
Should we be more explicit about why we're recommending using the custom predicate type and a hash instead of the whole SBOM? Or is there a place we could talk about the advantages (searchability) and disadvantages (size) of using the more explicit predicates?
steiza
left a comment
steiza
left a comment
There was a problem hiding this comment.
Lots of great questions! I added some opinionated answers on my current perspective.
| ## SBOMs (Software Bill Of Materials) | ||
|
|
||
| SBOMs can also be stored in an OCI registry, using this [specification](https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md). | ||
| There's a couple of different approaches SBOMs, depending on if you're working with container images or not. |
There was a problem hiding this comment.
What I wanted to get across here (and maybe you can help me wordsmith) is that you can use SBOMs with Cosign both if you're working with container images (sign, attest), as well as if you're using files on disk (sign-blob, attest-blob).
| } | ||
| } | ||
| $ echo '{"sbom_path": "example.com/...", "sbom_hash": "sha256:0a1b2c..."}' > sbom.predicate.json | ||
| $ cosign attest --type custom --predicate sbom.predicate.json $IMAGE |
There was a problem hiding this comment.
I really want folks to move away from things like https://github.com/in-toto/attestation/blob/main/spec/predicates/cyclonedx.md and https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx2.md.
SBOMs range from 1 - 100 MBs, and if you stuff the entire SBOM into the Sigstore protobuf bundle (using those predicates) then your Sigstore bundle can be 100 MBs. Not only does this cause problems with Rekor (mostly v1 I think), this also means that anytime you want to verify the container image signature you might have to download 100 MBs of data.
Instead, I think folks should use https://github.com/in-toto/attestation/blob/main/spec/predicates/reference.md, and indeed, this is what we at GitHub are moving things like https://github.com/actions/attest-sbom to. Unfortunately, cosign attest today doesn't let you reference arbitrary predicate types.
| {"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef"},"Type":"cosign container image signature"},"Optional":null} | ||
| ``` | ||
|
|
||
| ## Tag signing |
There was a problem hiding this comment.
For tag signing the use case doesn't make a lot of sense to me. I think today if you want the release name to digest mapping to have integrity you'd use something like https://github.com/in-toto/attestation/blob/main/spec/predicates/release.md, which leads to a second point that I think if you find yourself doing cosign sign -a what you really should be doing is cosign attest --predicate, especially since now a Cosign OCI signature is an attestation (with predicate type https://sigstore.dev/cosign/sign/v1).
For base image signing there's no reason you couldn't do that, but I don't think it needs special mention - you would sign the base image URI. You definitely would not sign each layer - how the heck would you verify that? This is sort of typical of early Cosign "sign everything now, figure out verification later" approach.
Countersigning I was more on the fence. There's no reason why you can't cosign sign targeting a protobuf bundle in the registry, but I don't think that's a use-case we necessarily want to encourage. If you want to do it, and you know what you're doing, go ahead, but I'm not sure it needs to be part of our documentation.
| $ cosign sign $IMAGE | ||
| ``` | ||
|
|
||
| ## Add annotations with a signature |
There was a problem hiding this comment.
I mentioned this above, but I think it's difficult to answer "when should I use cosign sign -a vs when should I use cosign attest --predicate. I personally would strongly recommend people use cosign attest --predicate.
Signed-off-by: Zach Steindler <steiza@github.com>
Signed-off-by: Zach Steindler <steiza@github.com>
There was a problem hiding this comment.
Should this still live somewhere?
| ``` | ||
| Note that there are also SBOM predicate types, but they are not recommended. Using a SBOM predicate type will result in the entire SBOM being included in the signature bundle, and so you will have to download the entire SBOM every time you want to verify the signature on the container. | ||
|
|
||
| ## Tekton Bundles |
There was a problem hiding this comment.
I wonder if we should drop this - has anyone verified this still works with Tekton?
| Pushing signature to: us.gcr.io/user-vmtest2/wasm:sha256-9e7a511fb3130ee4641baf1adc0400bed674d4afc3f1b81bb581c3c8f613f812.sig | ||
| ``` | ||
|
|
||
| ## OCI artifacts |
There was a problem hiding this comment.
I'd bubble this up higher in the documentation
| $ cosign verify --key cosign.pub user/demo:mysignature | ||
| {"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e"},"Type":"cosign container image signature"},"Optional":{"sig":"counter"}} | ||
| ``` | ||
| Web Assembly Modules can also be stored in an OCI registry, using this [specification](https://github.com/solo-io/wasm/tree/master/spec). |
There was a problem hiding this comment.
Not sure this example is that meaningful, we could remove it.
| $ cosign sign-blob --key cosign.key --bundle bundle.sigstore.json README.md | ||
| Using payload from: README.md | ||
| Enter password for private key: | ||
| MEQCIAU4wPBpl/U5Vtdx/eJFgR0nICiiNCgyWPWarupH0onwAiAv5ycIKgztxHNVG7bzUjqHuvK2gsc4MWxwDgtDh0JINw== |
There was a problem hiding this comment.
Is this still the output when signing with the new bundle flags? I think this was old output where the signature was dumped to stdout
| > NOTE: You will need access to a container registry for Cosign to work with. If you're not sure what container registry to use, you can set up a local one for testing. | ||
|
|
||
| To create a test image to sign using [ttl.sh](https://ttl.sh), run the following commands: | ||
| [google/go-containerregistry](https://github.com/google/go-containerregistry) allows you to run a container registry locally, and [ko-build/ko](https://github.com/ko-build/ko) lets you build an image: |
There was a problem hiding this comment.
Can we also reference https://github.com/project-zot/zot for local testing?
3 participants
Summary
Making progress on #418
Release Note
Documentation
N/A