Deprecate SBOM attachments (#3256)

This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Resolves #2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>

cmd/cosign/cli/attach.go

@@ -63,16 +63,18 @@ func attachSBOM() *cobra.Command {
 
 	cmd := &cobra.Command{
 		Use:              "sbom",
-		Short:            "Attach sbom to the supplied container image",
+		Short:            "DEPRECATED: Attach sbom to the supplied container image",
+		Long:             "Attach sbom to the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
 		Example:          "  cosign attach sbom <image uri>",
 		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
 			mediaType, err := o.MediaType()
 			if err != nil {
 				return err
 			}
-			fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest --predicate %s --key <key path>' or 'cosign sign --key <key path> --attachment sbom <image uri>'.\n", o.SBOM)
+			fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate %s --key <key path>'.\n", o.SBOM)
 			return attach.SBOMCmd(cmd.Context(), o.Registry, o.RegistryExperimental, o.SBOM, mediaType, args[0])
 		},
 	}

cmd/cosign/cli/download.go

@@ -65,12 +65,14 @@ func downloadSBOM() *cobra.Command {
 
 	cmd := &cobra.Command{
 		Use:              "sbom",
-		Short:            "Download SBOMs from the supplied container image",
+		Short:            "DEPRECATED: Download SBOMs from the supplied container image",
+		Long:             "Download SBOMs from the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
 		Example:          "  cosign download sbom <image uri>",
 		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			fmt.Fprintln(os.Stderr, "WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.")
+			fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
+			fmt.Fprintln(os.Stderr, "WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.")
 			_, err := download.SBOMCmd(cmd.Context(), *o, *do, args[0], cmd.OutOrStdout())
 			return err
 		},

cmd/cosign/cli/options/clean.go

@@ -65,7 +65,7 @@ var _ Interface = (*CleanOptions)(nil)
 func (c *CleanOptions) AddFlags(cmd *cobra.Command) {
 	c.Registry.AddFlags(cmd)
 	c.CleanType = defaultCleanType()
-	cmd.Flags().Var(&c.CleanType, "type", "a type of clean: <signature|attestation|sbom|all>")
+	cmd.Flags().Var(&c.CleanType, "type", "a type of clean: <signature|attestation|sbom|all> (sbom is deprecated)")
 	// TODO(#2044): Rename to --skip-confirmation for consistency?
 	cmd.Flags().BoolVarP(&c.Force, "force", "f", false, "do not prompt for confirmation")
 }

cmd/cosign/cli/options/deprecate.go

@@ -0,0 +1,21 @@
+//
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+const SBOMAttachmentDeprecation = "WARNING: SBOM attachments are deprecated " +
+	"and support will be removed in a Cosign release soon after 2024-02-22 " +
+	"(see https://github.com/sigstore/cosign/issues/2755). " +
+	"Instead, please use SBOM attestations."

cmd/cosign/cli/options/sign.go

@@ -100,7 +100,7 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 		"if a multi-arch image is specified, additionally sign each discrete image")
 
 	cmd.Flags().StringVar(&o.Attachment, "attachment", "",
-		"related image attachment to sign (sbom), default none")
+		"DEPRECATED, related image attachment to sign (sbom), default none")
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for non-destructive operations")

cmd/cosign/cli/options/triangulate.go

@@ -32,5 +32,5 @@ func (o *TriangulateOptions) AddFlags(cmd *cobra.Command) {
 	o.Registry.AddFlags(cmd)
 
 	cmd.Flags().StringVar(&o.Type, "type", "signature",
-		"related attachment to triangulate (attestation|sbom|signature), default signature")
+		"related attachment to triangulate (attestation|sbom|signature), default signature (sbom is deprecated)")
 }

cmd/cosign/cli/options/verify.go

@@ -84,7 +84,7 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 		"whether to check the claims found")
 
 	cmd.Flags().StringVar(&o.Attachment, "attachment", "",
-		"related image attachment to verify (sbom), default none")
+		"DEPRECATED, related image attachment to verify (sbom), default none")
 
 	cmd.Flags().StringVarP(&o.Output, "output", "o", "json",
 		"output format for the signing image information (json|text)")

cmd/cosign/cli/sign.go

@@ -17,6 +17,7 @@ package cli
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/spf13/cobra"
 
@@ -88,7 +89,9 @@ race conditions or (worse) malicious tampering.
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			switch o.Attachment {
-			case "sbom", "":
+			case "sbom":
+				fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
+			case "":
 				break
 			default:
 				return fmt.Errorf("specified image attachment %s not specified. Can be 'sbom'", o.Attachment)

cmd/cosign/cli/triangulate/triangulate.go

@@ -18,6 +18,7 @@ package triangulate
 import (
 	"context"
 	"fmt"
+	"os"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
@@ -41,6 +42,7 @@ func MungeCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef str
 	case cosign.Signature:
 		dstRef, err = ociremote.SignatureTag(ref, ociremoteOpts...)
 	case cosign.SBOM:
+		fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
 		dstRef, err = ociremote.SBOMTag(ref, ociremoteOpts...)
 	case cosign.Attestation:
 		dstRef, err = ociremote.AttestationTag(ref, ociremoteOpts...)

cmd/cosign/cli/verify/verify.go

@@ -88,7 +88,9 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 	}
 
 	switch c.Attachment {
-	case "sbom", "":
+	case "sbom":
+		fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
+	case "":
 		break
 	default:
 		return flag.ErrHelp

specs/SBOM_SPEC.md

@@ -1,5 +1,9 @@
 # Cosign SBOM Specifications
 
+**WARNING**: SBOM attachments are deprecated and support will be removed in a Cosign release soon
+after 2024-02-22 (see [sigstore/cosign#2755](https://github.com/sigstore/cosign/issues/2755)).
+Instead, please use SBOM [attestations](./specs/ATTESTATION_SPEC.md).
+
 This document aims to describe how `cosign` attaches SBOM (Software Bill of Materials) documents to containers.
 
 The goal is to specify the behavior well enough to promote other implementations and enable interoperability.