Open mendhak opened 2 weeks ago
Ideally this could be shipped via the official Ubuntu / Debian archive, but given the tremendous amount of Go dependencies this will likely never happen. Please also see my comment on this fundamental dependency handling flaw: https://github.com/sigstore/cosign/issues/1462#issuecomment-2068137208
IMHO security critical stuff (like cosign) should be distributed by the distributions and not by the vendors or third parties. Also, the tooling should be modular and only load the required features. This would reduce the attack surface significantly, but unfortunately is close to impossible to implement in go or rust.
Related to the large dependency graph, we've been working on https://github.com/sigstore/sigstore/issues/1658, which would let us remove KMS dependencies. Depending on what is being verified (namely, only binaries), we could also ship a lightweight binary without support for containers based on sigstore-go.
Currently Cosign can be installed manually by downloading a .deb from the Releases; however, this is a single, point-in-time version.
Feature request: Add support for installing Cosign through Ubuntu's native package management system, an official apt repository or a PPA.
Considering that it is meant to address supply chain issues, keeping cosign up to date becomes critical, so distributing it through apt or a PPA would help, allow verification, and improve trust and its security posture. I think many organizations would appreciate it as well.