Sigstore technical debt

[mtrmac]

Captured from PRs

• [x] Writes to quay.io currently (Oct 13 2022) fail with HTTP status 500
• [ ] Unit tests for #1595 , at least the config file handling
• [ ] Unit tests for #1597
• [ ] Unit tests for #1784
• [ ] Unit tests for #1785
• [ ] Unit tests for #1787
• [ ] Check if we can reduce the binary size
  • https://github.com/letsencrypt/boulder/pull/6651 + https://github.com/containers/image/pull/1849

  • 1845

  • https://github.com/sigstore/sigstore/pull/969
  • https://github.com/containers/ocicrypt/pull/82
• [ ] Only fetch the attachment config if we actually have a new signature to add (and if we continue to update the DiffID list).
• [ ] Only upload an updated attachment config and manifest if we added at least one new signature.
• [ ] Use private.UnparsedImage.UntrustedSignatures, not types.UnparsedImage.Signatures, throughout c/image/signature so that non-simple signatures are not silently ignored on some code paths, and the code at least logs that they were not considered.
• [x] Consider accepting any of a set of public keys: https://github.com/containers/image/pull/2524
• [ ] Consider allowing remapIdentity to do repo-only matching.
• [ ] Pass the copy.Image report writer and/or progress bar objects to transports, use that for reporting attachment reads/writes
• [ ] Do we actually need to add layers to the attachment config’s DiffIDs array?
• [ ] Possibly test isManifestUnknown from #1595 against various registries?
• [ ] Possibly consider accepting an image with a signed manifest list but not the individual images (i.e. cosign sign without --recursive)

[mtrmac]

I have moved the Skopeo-specific items to https://github.com/containers/skopeo/issues/1704 .

[mtrmac]

https://github.com/letsencrypt/boulder/pull/6651 decreases Skopeo binary size on macOS by 295 kB.