sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Add official apt repository/PPA support for Ubuntu installation #3919

Open mendhak opened 2 weeks ago

mendhak commented 2 weeks ago

Currently Cosign can be installed manually by downloading a .deb from the Releases; however, this is a single, point-in-time version.

Feature request: Add support for installing Cosign through Ubuntu's native package management system, an official apt repository or a PPA.

Considering that it is meant to address supply chain issues, keeping cosign up to date becomes critical, so distributing it through an apt repository/PPA would help. It would also allow verification and improve trust and its security posture; I think many organizations would appreciate it as well.

fmoessbauer commented 2 weeks ago

Ideally this could be shipped via the official Ubuntu/Debian archive, but given the tremendous amount of Go dependencies this will likely never happen. Please also see my comment on this fundamental dependency handling flaw: https://github.com/sigstore/cosign/issues/1462#issuecomment-2068137208

IMHO security critical stuff (like cosign) should be distributed by the distributions and not by the vendors or third parties. Also, the tooling should be modular and only load the required features. This would reduce the attack surface significantly, but unfortunately is close to impossible to implement in go or rust.

haydentherapper commented 2 weeks ago

Related to the large dependency graph, we've been working on https://github.com/sigstore/sigstore/issues/1658, which would let us remove KMS dependencies. Depending on what is being verified (namely, only binaries), we could also ship a lightweight binary without support for containers based on sigstore-go.