carvel-dev / imgpkg

Store application configuration files in Docker/OCI registries
https://carvel.dev/imgpkg
Apache License 2.0
261 stars 61 forks

support sbom/attestation OCI artifacts similar to .sig signatures #269

Open cppforlife opened 2 years ago

cppforlife commented 2 years ago

Describe the problem/challenge you have

we currently have --cosign-signatures=bool flag that attaches .sig artifacts. cosign has .sbom and .att suffixes as well. (https://github.com/sigstore/cosign/blob/0142711da2fadc78f546a99adf12e2f0be428600/pkg/oci/remote/options.go#L27-L29)


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

DennisDenuto commented 2 years ago

hey @cppforlife good idea! I'll carvel-accept this, meaning we plan on working on it.

Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

Personally, I think leaving it as-is and documenting that it is used to copy cosign artifacts (such as sbom and attestations) is sufficient. And avoids backward compatibility concerns with renaming it.

cppforlife commented 2 years ago

> Do you have any thoughts on the flag name? It has the word signatures, but will be used to copy other artifacts too?

may be worth renaming to --cosign-artifacts=bool? I'm a little less concerned about backwards compatibility for this one, since it's not a widely used feature and it would fail loudly if somebody depends on it.

btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.
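
Worked example of the lookup the flag would have to perform, added here and not imgpkg's or cosign's own code: cosign names attached artifacts by the image's manifest digest plus the suffixes listed in the linked options.go, and, as noted above, an SBOM or attestation is itself a manifest that may carry its own signature. The registry is an in-memory map with placeholder digests so it runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Tag suffixes cosign uses for attached artifacts (from the linked options.go).
const SigSuffix, SBOMSuffix, AttSuffix = ".sig", ".sbom", ".att"

// Resolver reports whether a tag exists and which manifest digest it points to.
// A real copy would query the registry; this example uses an in-memory map.
type Resolver func(tag string) (digest string, ok bool)

// artifactTag maps "sha256:abc..." plus a suffix to cosign's "sha256-abc....sig".
func artifactTag(digest, suffix string) string {
	return strings.Replace(digest, ":", "-", 1) + suffix
}

// cosignArtifactTags lists every cosign tag that should travel with the image:
// its .sig, .sbom and .att, plus the .sig of any SBOM or attestation that was
// itself signed (they are ordinary manifests, so cosign can sign them too).
func cosignArtifactTags(imageDigest string, resolve Resolver) []string {
	var tags []string
	for _, suffix := range []string{SigSuffix, SBOMSuffix, AttSuffix} {
		tag := artifactTag(imageDigest, suffix)
		artifactDigest, ok := resolve(tag)
		if !ok {
			continue
		}
		tags = append(tags, tag)
		if suffix == SigSuffix {
			continue // a .sig is not signed again
		}
		nested := artifactTag(artifactDigest, SigSuffix) // signature over the artifact
		if _, signed := resolve(nested); signed {
			tags = append(tags, nested)
		}
	}
	return tags
}

// sampleResolver: constructed registry state (placeholder digests); only the SBOM is itself signed.
func sampleResolver() Resolver {
	known := map[string]string{
		"sha256-aaa.sig": "sha256:111", "sha256-aaa.sbom": "sha256:bbb",
		"sha256-aaa.att": "sha256:ccc", "sha256-bbb.sig": "sha256:222",
	}
	return func(tag string) (string, bool) { d, ok := known[tag]; return d, ok }
}
func main() { fmt.Println(cosignArtifactTags("sha256:aaa", sampleResolver())) }
```

A copy that only followed the three direct suffixes would leave sha256-bbb.sig behind, so the SBOM would arrive unsigned in the destination registry.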

hectorj2f commented 2 years ago

> btw one thing i just realized is that we have to be mindful that attestations/sboms could be signed themselves.

@cppforlife In addition to that, you could create an attestation that includes the SBOM as a predicate in the attestation (so you get the best from both worlds).

hectorj2f commented 2 years ago

@joaopapereira I have investigated the options a little more to have a single BOM for the bundle while referring to the rest of the BOMs per image inside the bundle. I believe we could use externalReferences from CycloneDX, as explained in https://cyclonedx.org/capabilities/bomlink/; there is an example here: https://github.com/CycloneDX/bom-examples/tree/master/OBOM/Example-1-Decoupled. CycloneDX external references are URIs and bom-link is a URN; all external references end up being relationships as well.

ThomasVitale commented 1 year ago

Cosign is experimenting with a different way of storing signatures and other artefacts that will affect both this feature request and also the existing Cosign signatures support.

More info: