sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Annotation support when uploading blobs #2149

Open cldmnky opened 2 years ago

cldmnky commented 2 years ago

Annotations for blobs

We are using cosign to upload (and sign) release artifacts as blobs. We currently use something like:

cosign upload blob -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}

It would be useful to be able to add (common) annotations to the descriptor(s) for the manifests to store some more information:

cosign upload blob -a date=xxxx -a name="a name" -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}

This way we can in our custom code get a bit more metadata on the releases we have stored in the registry.

I'll be happy to prepare a PR if it makes sense!

dlorenc commented 2 years ago

Maybe a different flag to make sure it's clear these are unprotected (not signed)?
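A small illustration of the "unprotected" point above, added here and not code from the cosign project: it builds a simplified OCI manifest for one blob and an index descriptor pointing at it, then checks which annotations change the digest a signature would bind. The manifest shape, the media types and the blob bytes are constructed assumptions; the `date`/`name` pairs are the ones from the request.

```python
import hashlib
import json

# Constructed stand-in for ./release/linux/myapp from the issue.
BLOB = b"#!/bin/sh\necho myapp linux/amd64\n"


def canonical_bytes(obj):
    # Deterministic serialization; an OCI digest covers the exact manifest bytes a registry stores.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def oci_digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def blob_manifest(blob, annotations=None):
    # Minimal image manifest with a single layer carrying the blob (assumed shape, for illustration).
    layer = {"mediaType": "application/octet-stream", "digest": oci_digest(blob), "size": len(blob)}
    manifest = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json", "layers": [layer]}
    if annotations:
        manifest["annotations"] = annotations
    return manifest


def descriptor(manifest, annotations=None):
    # Index entry referencing the manifest by digest; annotations placed here sit outside the referenced bytes.
    data = canonical_bytes(manifest)
    desc = {"mediaType": manifest["mediaType"], "digest": oci_digest(data), "size": len(data)}
    if annotations:
        desc["annotations"] = annotations
    return desc


def signed_subject(manifest):
    # What a signature over this manifest binds: its digest. Anything the digest does not cover is unprotected.
    return oci_digest(canonical_bytes(manifest))


def manifest_annotations_protected():
    plain = blob_manifest(BLOB)
    annotated = blob_manifest(BLOB, {"date": "xxxx", "name": "a name"})
    # Annotations inside the manifest alter its bytes, so the bound digest differs.
    return signed_subject(plain) != signed_subject(annotated)


def descriptor_annotations_protected():
    manifest = blob_manifest(BLOB)
    plain = descriptor(manifest)
    annotated = descriptor(manifest, {"date": "xxxx", "name": "a name"})
    # Same digest either way: a signature on the manifest says nothing about descriptor-level annotations.
    return plain["digest"] != annotated["digest"]
```

A verifier that only checks a manifest signature must therefore treat descriptor annotations as untrusted metadata unless the index carrying them is signed as well.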

cldmnky commented 2 years ago

Good point, I'll open a PR so we can figure out the flag name.