Cosign 2.0 Tracking

[haydentherapper]

Description

This is an issue to track Cosign 2.0, with the primary change being the removal of the experimental flag. I've added some initial issues I think would be in scope, feel free to discuss and edit. We should also triage open bugs.

• Cosign experimental and offline mode - FR: offline mode #2255
• Cosign inspect - Add cosign inspect command. #2210
• Require verification flags - Discourage (disallow?) naked cosign verify invocations #2056

There's also the open question of sigstore-go - Should Cosign 2.0 also involve the redesign of the Cosign API? I'm thinking no, let's narrowly scope 2.0 to focus on client work to support GA, and a 3.0 release could be focused on library redesign.

cc @znewman01 @priyawadhwa

[asraa]

I'd like to propose another thing: conglomerating all the env vars we use for pinning rekor/ct/fulcio keys and creating a Root provider interfact, that either uses TUF or populates with any env vars that are enabled.

This would be a MAJOR cleanup and help people use cosign in special environments.

All commands should ingest a Root provider options in the sign/verify/etc options

[znewman01]

See also: #2365 especially the proposal to separate the CLI versioning and the library versioning, and the proposal to provide no guarantees about API stability.

I'm in favor of a quick, relatively narrow 2.0 (scoped to CLI only) because dropping COSIGN_EXPERIMENTAL is a big win and because a long-lived v2-staging branch is a recipe for headache. While we're in there, we should skim for deprecated functionality and things we've been planning to yank, too. So a quick cleanup around env vars SGTM, but I'm a little skeptical of a total refactor of the root provider. I think that would fold nicely into the sigstore-go work, though.

[priyawadhwa]

Thanks for opening this tracking issue @haydentherapper! +1 to a narrow-scoped 2.0, I think all the tagged issues are in-scope. For the root provider refactor, I'm ok not making it a requirement for 2.0 but if it gets in by the time we're ready to release that would be awesome :)

[asraa]

I'm ok not making it a requirement for 2.0 but if it gets in by the time we're ready to release that would be awesome :)

I think that's fair: if we can make the requirement of ripping out any TUF calls from the internal verification functions I think that would suffice! Doing it quickly makes sense. @vaikas

[asraa]

This would be great: #2222

I can work on it soon

[asraa]

To some degree, all bugs should technically be fixed before a major release.
#2138

I think it should be replaced with https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify_blob_attestation.go and we should remove the verify-blob support for attestations.

[asraa]

This too: #2219 @bobcallaway

[haydentherapper]

I'd like to add #2382 - This would require that an SCT is provided as proof the certificate is logged in a CT log, unless an insecure flag is provided. This was what we always should have done, but couldn't because old certs didn't have embedded SCTs.

[haydentherapper]

+1 to bugs being fixed, should we set up some time to triage open bugs?

[bobcallaway]

This too: #2219 @bobcallaway

Agreed, that is dependent on Rekor changes sigstore/rekor#1139 and sigstore/rekor#1144 going live in production

[haydentherapper]

Would like to add #1762 so that Cosign stops calling the legacy API for Fulcio

[haydentherapper]

Another AI, we need to update documentation and blog posts

[haydentherapper]

We did some triaging in the GA sync for PRs and issues that we would like to include in 2.0 and a 2.0 release candidate:

• cosign#2411 - Requiring identity flags (2.0-blocker)
• cosign#2482 - Refactoring verification (2.0-blocker)
  • cosign#2504 - Split of 2482, just contains certificate expiration (RC-blocker)
• cosign#2499 - Updates to Timestamping (RC-blocker)
• cosign#2505 - Respect tlog-upload=false (2.0-blocker)
• cosign#1762 - Switch to calling gRPC-based fulcio v2 APIs (2.0-blocker)
• cosign#2047 - Discourage signing references to images that aren't digests (2.0-blocker)

Maybe blockers:

• cosign#2389 - deprecate DSSE support in verify-blob (@asraa?)
• cosign#2393 - verify: fetch rekor public keys before verification (@asraa?)

[znewman01]

Okay, all our RC-blockers are merged. CC @cpanato can you help cut a 2.0 rc1 when you get a chance?

[haydentherapper]

For 2.0, I’d like to also update the timestamp verification to use the latest version once we cut a new release. We should also verify the timestamp on signing, #2488

[haydentherapper]

We need to remove references to COSIGN_EXPERIMENTAL in code (tests and CLI docs), documentation, and blog posts. We also need to update documentation with any new required flags (like identity flags) and optional flags (like tlog-upload).

[hectorj2f]

I have updated the list of pending issues:

• cosign#2411 - Requiring identity flags (2.0-blocker)
• cosign#1762 - Switch to calling gRPC-based fulcio v2 APIs (2.0-blocker)
• cosign#2047 - Discourage signing references to images that aren't digests (2.0-blocker)

Maybe blockers:

• cosign#2389 - deprecate DSSE support in verify-blob (@asraa?)
• cosign#2393 - verify: fetch rekor public keys before verification (@asraa?)

[haydentherapper]

Updating the list with the latest PRs:

• Deprecate --certificate-email flag. Make --certificate-identity and -… #2411 - Requiring identity flags (2.0-blocker)
• Discourage signing references to images that aren't digests #2047 - Discourage signing references to images that aren't digests (2.0-blocker)
• attest-blob: add functionality for keyless signing #2515 - Support for keyless signing with attest-blob
• feat: support keyless verification for verify-blob-attestation #2525 - Support for keyless verification for blob attestations
• Update timestamp verification to use latest changes (once verifier is done)
• 2.0: Documentation updates for COSIGN_EXPERIMENTAL and new flags #2534 - Update documentation for flags (this is not just Cosign, but all sigstore blogs/docs)
• insecure-skip-tlog-verify: rename and adapt the cert expiration check #2620

2.0.1 release:

• Timestamp authority response verification during signing #2488 - Verify timestamp authority response on signing
• bug: x509 verification broken #2632

Nice to have:

• RFC: When verifying, only use data after it is considered acceptable #2482 - Refactoring verification
• Switch to calling gRPC-based fulcio v2 APIs  #1762 - Switch to calling gRPC-based fulcio v2 APIs
• "Chain" for verification is confusingly named #2472

[haydentherapper]

Happy new year! Going to ping everyone for status updates for the remaining PRs:

• @bobcallaway - For switching to gRPC for Fulcio, are we just blocked on testing?
• @znewman01 - Were you planning to take on enforcing images by digest? Otherwise, is there someone else who can?
• @mtrmac - What is the status of RFC: When verifying, only use data after it is considered acceptable #2482?
• @asraa - Just waiting on reviews for attest-blob and verify-blob-attestation, correct?
• @hectorj2f, were you going to take a look at adding timestamp response verification during signing? Otherwise, I can take a look at that

[mtrmac]

I do want to get #2482 done, but I can probably only return to that next month or so. IIRC there are no functional changes remaining (the timestamp semantics changes have already been merged), it’s “just” structural cleanup now.

[haydentherapper]

Thanks, so I think we can remove it as a blocker then if it’s just internal cleanup.

[mtrmac]

FWIW, my wish for 2.0 would be to change the cosign payload, and the cosign sign UI, so that the payload contains name:tag and the UI is cosign sign --digest sha256:… name:tag, instead of the current 2.0 behavior of pushing users towards cosign sign name@sha256:…. (In short, the rationale is that signing app:10.0, and enforcing that the signed tag matches, protects against registries maliciously substituting a previously-correctly-signed app:0.0.1-beta-auth-not-working-yet.)

I realize this is probably not the time or place (and I haven’t done any work towards this), I’m bringing it up just in case circumstances happen to align…

[haydentherapper]

Do you want to chime in on #2047 about that?

[Dentrax]

I'm curious if it's worth to include the #1532 for legacy annotation changes.

[haydentherapper]

I’d lean towards not including it to minimize more breaking changes and making it harder to adopt, but we should track that for a future major release (we’ve talked about reworking CLI flags for that for example)

[haydentherapper]

I've updated #2376 (comment) to move two issues into a fast followup release, as they aren't breaking changes but we do want to resolve them soon.

[znewman01]

Where are we at with Cosign 2.0? RC1 has been available for the better part of a week: https://github.com/sigstore/cosign/releases/tag/v2.0.0-rc.1

I would actually like to request including #2674 which fixes a regression for prompts on Windows but otherwise I'm ready to pull the trigger.

CC @priyawadhwa

[xopham]

Adding proper error codes would be a great improvement for any type of integration: #2742. At Connaisseur, we tend to struggle with parsing the unhandled and frequently changing outputs of cosign which complicates interpretation of the validation result.

I would propose returning proper error codes. Would be great to improve compatibility.

[znewman01]

2.0 is out, so closing