Skip to content

Commit

Permalink
Fix: Drop the CosignPredicate wrapper around SBOM attestations. (si…
Browse files Browse the repository at this point in the history 
…gstore#2718)

🐛 This change drops the `CosignPredicate` that `cosign` wraps around SPDX/CycloneDX attestations.

Currently `cosign` wraps SPDX and CycloneDX attestations produced via their shortnames (`cosign attest --type {spdxjson|cyclonedx}`) in a `CosignPredicate` envelope.

However, the whole point of the in-toto `predicateType` is to specify the schema of the `predicate`, and despite using the SPDX and Cyclone predicate type URIs, this envelope violates their schema with the extra layer.

Moreover, if users were to attest these SBOMs with the explicit predicate type URI:
```
cosign attest --type https://spdx.dev/Document ...
```

Then `cosign` will NOT add this additional envelope, which makes it effectively impossible to know the schema to use for policy validation based strictly on the `predicateType` because even `cosign` will produce these attestations both
ways.

Fixes: sigstore#2126

/kind bug

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
  • Loading branch information
@mattmoor @dmitris
mattmoor authored and dmitris committed Mar 24, 2023
1 parent 8e89160 commit 1426f1b
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 10 deletions.
8 changes: 2 additions & 6 deletions pkg/cosign/attestation/attestation.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -241,9 +241,7 @@ func generateSPDXStatement(rawPayload []byte, digest string, repo string, parseJ
}
return in_toto.SPDXStatement{
StatementHeader: generateStatementHeader(digest, repo, in_toto.PredicateSPDX),
Predicate: CosignPredicate{
Data: data,
},
Predicate: data,
}, nil
}

Expand All @@ -254,9 +252,7 @@ func generateCycloneDXStatement(rawPayload []byte, digest string, repo string) (
}
return in_toto.SPDXStatement{
StatementHeader: generateStatementHeader(digest, repo, in_toto.PredicateCycloneDX),
Predicate: CosignPredicate{
Data: data,
},
Predicate: data,
}, nil
}

Expand Down
8 changes: 4 additions & 4 deletions test/e2e_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -260,8 +260,8 @@ func TestAttestVerifySPDXJSON(t *testing.T) {
attestVerify(t,
"spdxjson",
string(attestationBytes),
`predicate: Data: spdxVersion: "SPDX-2.2"`,
`predicate: Data: spdxVersion: "SPDX-9.9"`,
`predicate: spdxVersion: "SPDX-2.2"`,
`predicate: spdxVersion: "SPDX-9.9"`,
)
}

Expand All @@ -273,8 +273,8 @@ func TestAttestVerifyCycloneDXJSON(t *testing.T) {
attestVerify(t,
"cyclonedx",
string(attestationBytes),
`predicate: Data: specVersion: "1.4"`,
`predicate: Data: specVersion: "7.7"`,
`predicate: specVersion: "1.4"`,
`predicate: specVersion: "7.7"`,
)
}

Expand Down

0 comments on commit 1426f1b

Please sign in to comment.