From 9bcd90e63bbac795c7b85baf6b6cfaea5714fb7c Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Fri, 19 Aug 2022 16:33:47 +0200 Subject: [PATCH] add release cadence section in the readme (#2179) Signed-off-by: cpanato Signed-off-by: cpanato --- README.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 590ad5a2462..9b317426468 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ If you have Go 1.17+, you can setup a development environment: $ $(go env GOPATH)/bin/cosign ## Dockerfile + Here is how to install and use cosign inside a Dockerfile through the gcr.io/projectsigstore/cosign image: ```shell @@ -194,6 +195,7 @@ $ cosign sign --key cosign.key gcr.io/dlorenc-vmtest2/artifact Enter password for private key: Pushing signature to: gcr.io/dlorenc-vmtest2/artifact:sha256-3f612a4520b2c245d620d0cca029f1173f6bea76819dde8543f5b799ea3c696c.sig ``` + #### sget We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor. @@ -349,6 +351,7 @@ Today, `cosign` has been tested and works against the following registries: * Cloudsmith Container Registry We aim for wide registry support. To `sign` images in registries which do not yet fully support [OCI media types](https://github.com/sigstore/cosign/blob/main/SPEC.md#object-types), one may need to use `COSIGN_DOCKER_MEDIA_TYPES` to fall back to legacy equivalents. For example: + ```shell COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image ``` @@ -414,12 +417,12 @@ That looks like: } } ``` + **Note:** This can be generated for an image reference using `cosign generate `. I'm happy to switch this format to something else if it makes sense. See https://github.com/notaryproject/nv2/issues/40 for one option. - #### Registry Details `cosign` signatures are stored as separate objects in the OCI registry, with only a weak 
@@ -434,14 +437,17 @@ To add a signature, clients orchestrate a "read-append-write" operation, so the will win in the case of contention. ##### Specifying Registry + `cosign` will default to storing signatures in the same repo as the image it is signing. To specify a different repo for signatures, you can set the `COSIGN_REPOSITORY` environment variable. This will replace the repo in the provided image like this: -``` + +```shell $ export COSIGN_REPOSITORY=gcr.io/my-new-repo $ gcr.io/dlorenc-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig ``` + So the signature for `gcr.io/dlorenc-vmtest2/demo` will be stored in `gcr.io/my-new-repo/demo:sha256-DIGEST.sig`. Note: different registries might expect different formats for the "repository." @@ -452,10 +458,12 @@ Note: different registries might expect different formats for the "repository." specify a full image name like `$LOCATION-docker.pkg.dev/$PROJECT/$REPO/$STORAGE_IMAGE`, not just a repository. For example, - ``` + + ```shell COSIGN_REPOSITORY=us-docker.pkg.dev/my-new-repo/demo gcr.io/dlorenc-vmtest2/demo --> us-docker.pkg.dev/my-new-repo/demo:sha256-DIGEST.sig ``` + where the `sha256-DIGEST` will match the digest for `gcr.io/dlorenc-vmtest2/demo`. Specifying just a repo like `$LOCATION-docker.pkg.dev/$PROJECT/$REPO` will not work in Artifact Registry. @@ -471,7 +479,7 @@ The keys encrypted under a password using scrypt as a KDF and nacl/secretbox for They have a PEM header of `ENCRYPTED COSIGN PRIVATE KEY`: -``` +```shell -----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- ... -----END ENCRYPTED COSIGN PRIVATE KEY----- 
@@ -777,6 +785,13 @@ $ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa2 } ``` +## Release Cadence + +We are intending to move to a monthly cadence for minor releases. +Minor releases will be published around the beginning of the month. +We may cut a patch release instead, if the changes are small enough not to warrant a minor release. +We will also cut patch releases periodically as needed to address bugs. + ## Security Should you discover any security issues, please refer to sigstore's [security
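Review bot: the commit message covers only the new Release Cadence section, but most of the diff is formatting: the blank lines added around `## Dockerfile`, `#### sget` and the fences in the first four hunks, plus the fence-tag changes further down. Either mention the markdown cleanups in the message ("also add blank lines around headings/fences and tag code fences") or split them into a separate commit so the whitespace changes are not mixed in with the documentation change and `git blame` on the README stays meaningful.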
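Review bot: in the "Specifying Registry" hunk (`@@ -434,14 +437,17 @@`) the fence is changed from plain ``` to ```shell, but only the first line of the block, `$ export COSIGN_REPOSITORY=gcr.io/my-new-repo`, is a command; the second, `$ gcr.io/dlorenc-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig`, illustrates how the image name is rewritten and is not something a reader should paste into a terminal. Suggest leaving that fence untagged (or `text`), or splitting it so the `export` sits in a `shell` block and the before/after mapping in an untagged one, so highlighters and any shell-block linter do not treat the mapping as a command.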
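Review bot: the Artifact Registry hunk (`@@ -452,10 +458,12 @@`) tags a block as `shell` whose only content, `COSIGN_REPOSITORY=us-docker.pkg.dev/my-new-repo/demo gcr.io/dlorenc-vmtest2/demo --> us-docker.pkg.dev/my-new-repo/demo:sha256-DIGEST.sig`, is a name-mapping illustration, not a command; read as shell it is an env assignment followed by an attempt to execute `gcr.io/dlorenc-vmtest2/demo` with `-->` as an argument. Suggest `text` or no tag here. Separately, the indented fence inside the list item should keep the same indentation as the list text so renderers keep it attached to the bullet; worth a quick render check.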
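Review bot: the fence around the PEM envelope in the keys hunk (`@@ -471,7 +479,7 @@`) is tagged `shell`, but `-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- ... -----END ENCRYPTED COSIGN PRIVATE KEY-----` is a PEM-armored key, not shell. Tag it `text` (or leave it untagged) so the header is not syntax-highlighted as a string of command-line options and nobody mistakes the block for something to run.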
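Review bot: the new Release Cadence text reads as a tentative plan rather than a policy ("We are intending to move to a monthly cadence for minor releases"); if the cadence is decided, state it directly ("Minor releases are cut monthly, around the beginning of the month"), and if it is not yet in effect, say from when it applies, since downstream users will pin and plan around this sentence. Because the section sits directly above `## Security`, it would also help to say whether fixes for reported security issues ship as out-of-band patch releases rather than waiting for the periodic "patch releases as needed to address bugs", and to link to where releases are announced.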