Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature]Add COSIGN_REPOSITORY input for the generator_container_slsa3 workflow #2956

Closed
saisatishkarra opened this issue Nov 9, 2023 · 7 comments
Closed

[feature]Add COSIGN_REPOSITORY input for the generator_container_slsa3 workflow #2956

saisatishkarra opened this issue Nov 9, 2023 · 7 comments
Labels
area:container Issue with the generic container generator type:feature New feature or request

Comments

@saisatishkarra
Copy link
Contributor

saisatishkarra commented Nov 9, 2023
edited
Loading

Is your feature request related to a problem? Please describe.
Cosign allows publishing attestations and provenance to a repository other than the image repository using the environment variable COSIGN_REPOSITORY.

  • This will be helpful in scenarios where a single digest/container image is tagged with multiple repositories and would help publish provenance to an external repository to avoid pollution in all image repositories for the same digest.
  • Reduces migration effort of tags when moving signatures / provenance attestations for multiple images with same digest
  • Helps to provide a single point of repository to external customers during verification of multiple images of same digest

Describe the solution you'd like
COSIGN_REPOSITORY must be allowed as an input and set as env variable for cosign command
When set, use this repository to publish provenance instead of image repository.
When unset/empty, publish provenances as per the parsed image repository (default cosign behavior)

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.
@saisatishkarra saisatishkarra added status:triage Issue that has not been triaged type:feature New feature or request labels Nov 9, 2023
@saisatishkarra saisatishkarra mentioned this issue Nov 10, 2023
Merged
@laurentsimon
Copy link
Collaborator

laurentsimon commented Nov 11, 2023
edited
Loading

Thanks. I think we'll need to also have an option in the verifier tool https://github.com/slsa-framework/slsa-verifier, correct?

Someone can make it work by setting the COSIGN_REPOSITORY when calling the slsa-verifier, but it's probably cleaner to have a dedicated option like slsa-verifier --attestation-store?

@ianlewis ianlewis added area:container Issue with the generic container generator and removed status:triage Issue that has not been triaged labels Nov 13, 2023
@ianlewis
Copy link
Member

Docs seem to be here: https://docs.sigstore.dev/system_config/registry_support/#specifying-registry

I don't see any info about authentication in the docs.

@saisatishkarra
Copy link
Contributor Author

@laurentsimon / @ianlewis Let me know if i can help raise a PR in the verifier and what direction needs to be taken. In the meantime can this be merged to support the workflow if the slsa-verifier supports COSIGN_REPOSITORY and later be made compatible with the CLI option?

@ianlewis
Copy link
Member

@saisatishkarra I think we can add the necessary options here and then add them to the verifier later. I think we just need to make sure we get the implementation right. See our comments on the PR.

@laurentsimon
Copy link
Collaborator

Yes, please add the necessary options in the PR you already opened. We can help you for slsa-verifier after that. I think the main question we have on the PR is for authentication to the separate registry.

@saisatishkarra
Copy link
Contributor Author

saisatishkarra commented Nov 15, 2023
edited
Loading

@laurentsimon / @ianlewis I have added the Authentication to a separate provenance registry if specified to the existing PR. Please review and help guide the changes needed for the slsa-verifier (client)

@saisatishkarra saisatishkarra mentioned this issue Nov 15, 2023
Open
@laurentsimon laurentsimon mentioned this issue Nov 17, 2023
Closed
laurentsimon added a commit that referenced this issue Nov 21, 2023
@saisatishkarra @laurentsimon
feat: Set cosign-repository input and env (#2962)
23a2d52 
Solves: #2956

---------

Signed-off-by: saisatishkarra <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
Co-authored-by: Ian Lewis <[email protected]>
@laurentsimon
Copy link
Collaborator

Completed in #2962

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:container Issue with the generic container generator type:feature New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ianlewis @saisatishkarra @laurentsimon and others