feat: add support for referrers attestations #1409
Conversation
tekton-robot
added
size/L
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @arewm. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
arewm
force-pushed
the
use-referrers-api
branch
3 times, most recently
from
5549931 to
9f1e273
Compare
tekton-robot
added
the
do-not-merge/work-in-progress
arewm
force-pushed
the
use-referrers-api
branch
from
9f1e273 to
d2f1a14
Compare
|
@arewm - Could you clarify if all the OCI registries support the referrer API end point? If not could we include validation and default fall back option if the end point is not supported for the given registry. Also, Recommend to create an upstream issue for this with label kind/feature with more details on why we are incorporating this enhancement.Thanks |
|
All registries might not support the referrers API but this is also why the configuration can be defined. After creating this PR, I investigated the gap more and created sigstore/cosign/issues/4335. I used cosign's support for the new bundle format in the PR. I don't know if there are any implications with this change, but I suspect that we might actually want that to be configured separately from the use of the referrer's API. My understanding is that Cosign should handle the fallback, but it does make sense to add that as a test case here too. After I do a little more investigation with cosign, I will create an issue in Chains to further describe the challenge I am trying to resolve (the motivation is similar to the cosign issue). |
|
I found the spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#unavailable-referrers-api
So we should expect cosign to fall back appropriately. The configuration change is just to attempt to use the referrer's API in the first place instead of only using the legacy option. |
Proposing to bump the cosign version to include new library calls to push attestations with the referrer's API. - [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0) - [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md) - [Commits](sigstore/cosign/compare/v2.5.3...v2.6.0) The new changes desired are sigstore/cosign/pull/4357 which should better support the work in tektoncd#1409. Signed-off-by: arewm <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
Proposing to bump the cosign version to include new library calls to push attestations with the referrer's API. - [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0) - [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md) - [Commits](sigstore/cosign@v2.5.3...v2.6.0) The new changes desired are sigstore/cosign/pull/4357 which should better support the work in tektoncd#1409. Signed-off-by: arewm <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
* Bump github.com/sigstore/cosign/v2 from 2.5.3 to 2.6.0 Proposing to bump the cosign version to include new library calls to push attestations with the referrer's API. - [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0) - [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md) - [Commits](sigstore/cosign@v2.5.3...v2.6.0) The new changes desired are sigstore/cosign/pull/4357 which should better support the work in #1409. Signed-off-by: arewm <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED * Fix LoadPrivateKey API breaking change for cosign v2.6.0 - Add LoadOption parameter to LoadPrivateKey calls in x509.go and clients.go - Pass nil for defaultLoadOptions to use sensible defaults (ED25519ph) - Update both production code and test code to match new API The LoadPrivateKey function signature changed in cosign v2.6.0 to include a third parameter for LoadOption configuration. Passing nil uses the default ED25519ph behavior which is appropriate for this use case. Co-authored-by: Claude Sonnet <[email protected]> Signed-off-by: arewm <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
arewm
force-pushed
the
use-referrers-api
branch
from
d2f1a14 to
0a4fe1a
Compare
tekton-robot
added
size/XXL
docs/oci-format-migration.md
Outdated
| @@ -0,0 +1,389 @@ | |||
| # OCI Storage Format Migration Guide | |||
There was a problem hiding this comment.
This is something that Claude created. I'll leave it for now, but will plan to remove it before merging.
arewm
force-pushed
the
use-referrers-api
branch
from
0a4fe1a to
912de9c
Compare
tekton-robot
removed
the
do-not-merge/work-in-progress
|
I just reworked this implementation to include the changes made in sigstore/cosign#4357. It is not currently possible for cosign to download all of these attestations, but that is also something that I am working on. I have been using Tekton as the attestation generator for testing Cosign, so as I continue the investigation, this PR may change. I have some sample images that I generated attestations and signatures for here: https://quay.io/repository/arewm/test-repo?tab=tags |
arewm
force-pushed
the
use-referrers-api
branch
from
912de9c to
c3e15bb
Compare
Add storage.oci.format configuration supporting three storage strategies for OCI signatures and attestations: - "legacy": Tag-based storage with DSSE format (default) - "referrers-api": OCI 1.1 referrers API with DSSE format - "protobuf-bundle": OCI 1.1 referrers API with protobuf bundle format Implementation includes: - Configuration layer with format validation and defaults - Format-based routing in AttestationStorer and SimpleStorer - Three storage implementations per storer type - Legacy backend integration with format-aware storers - Comprehensive test coverage for all three formats Enables adoption of OCI 1.1 referrers API while maintaining backward compatibility with existing tag-based storage. All formats also work correctly with both certificate-based and x509 key configurations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]> Signed-off-by: arewm <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
arewm
force-pushed
the
use-referrers-api
branch
from
c3e15bb to
7e58288
Compare
tekton-robot
added
the
do-not-merge/work-in-progress
tekton-robot
added
the
needs-rebase
|
@arewm: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
3 participants
Changes
While the backwards compatible tag-based attestation method works, it can result in a lot of additional tags being pushed to OCI registries. In order to maintain fewer tags, Chains should be able to use the referrer's API when pushing signatures and attestations.
Co-Authored-By: Claude [email protected]
Signed-off-by: arewm [email protected]
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes