Make cosign copy copy metadata attached to child images.
#1682
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@cpanato if possible, I'd love for this to land in 1.7 🙏 |
Codecov Report
@@ Coverage Diff @@
## main #1682 +/- ##
=======================================
Coverage 29.29% 29.29%
=======================================
Files 140 140
Lines 8370 8370
=======================================
Hits 2452 2452
Misses 5652 5652
Partials 266 266 Continue to review full report at Codecov.
|
mattmoor
commented
Mar 29, 2022
Previously, `cosign copy` would only copy metadata associated directly with the reference it was given, however, this is problematic for multi-architecture images like those produced by `ko` and `apko` because the SBOMs they produce are associated with the per-architecture images, but only SBOMs associated with the index will be copied. This change leverages the `walk` library to copy things at each level of the `oci.SignedEntity` we are given. Here is an example where I copy a `ko` built image where I signed the index: ``` $ go run ./cmd/cosign copy -f gcr.io/mattmoor-chainguard/cosign@sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624 ghcr.io/mattmoor/cosign Copying gcr.io/mattmoor-chainguard/cosign:sha256-71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624.sig to ghcr.io/mattmoor/cosign:sha256-71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624.sig... Copying gcr.io/mattmoor-chainguard/cosign@sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624 to ghcr.io/mattmoor/cosign:sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624... Copying gcr.io/mattmoor-chainguard/cosign:sha256-70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700.sbom to ghcr.io/mattmoor/cosign:sha256-70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700.sbom... Copying gcr.io/mattmoor-chainguard/cosign@sha256:70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700 to ghcr.io/mattmoor/cosign:sha256:70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700... Copying gcr.io/mattmoor-chainguard/cosign:sha256-3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0.sbom to ghcr.io/mattmoor/cosign:sha256-3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0.sbom... Copying gcr.io/mattmoor-chainguard/cosign@sha256:3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0 to ghcr.io/mattmoor/cosign:sha256:3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0... ``` Notable is that both the signature and the per-architecture SBOMs are copied to the target repository. I refactored the existing logic a bit to be slightly less verbose in support of this. Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
n3wscott
approved these changes
Mar 29, 2022
puerco
approved these changes
Mar 29, 2022
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
…1682) Previously, `cosign copy` would only copy metadata associated directly with the reference it was given, however, this is problematic for multi-architecture images like those produced by `ko` and `apko` because the SBOMs they produce are associated with the per-architecture images, but only SBOMs associated with the index will be copied. This change leverages the `walk` library to copy things at each level of the `oci.SignedEntity` we are given. Here is an example where I copy a `ko` built image where I signed the index: ``` $ go run ./cmd/cosign copy -f gcr.io/mattmoor-chainguard/cosign@sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624 ghcr.io/mattmoor/cosign Copying gcr.io/mattmoor-chainguard/cosign:sha256-71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624.sig to ghcr.io/mattmoor/cosign:sha256-71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624.sig... Copying gcr.io/mattmoor-chainguard/cosign@sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624 to ghcr.io/mattmoor/cosign:sha256:71e2f842aec01d151a2630db3c2a6891536ffe273d17e7a8bff288845a7b0624... Copying gcr.io/mattmoor-chainguard/cosign:sha256-70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700.sbom to ghcr.io/mattmoor/cosign:sha256-70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700.sbom... Copying gcr.io/mattmoor-chainguard/cosign@sha256:70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700 to ghcr.io/mattmoor/cosign:sha256:70e7d4974d9ed3017706c38247b270f7a0b9fe77ae1d034c4c0bc5e214872700... Copying gcr.io/mattmoor-chainguard/cosign:sha256-3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0.sbom to ghcr.io/mattmoor/cosign:sha256-3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0.sbom... Copying gcr.io/mattmoor-chainguard/cosign@sha256:3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0 to ghcr.io/mattmoor/cosign:sha256:3b2e73aaa122fa1aded2164a506687510c82e788d7a5b510c998877ba78003e0... ``` Notable is that both the signature and the per-architecture SBOMs are copied to the target repository. I refactored the existing logic a bit to be slightly less verbose in support of this. Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously,
cosign copywould only copy metadata associated directly with the reference it was given, however, this is problematic for multi-architecture images like those produced bykoandapkobecause the SBOMs they produce are associated with the per-architecture images, but only SBOMs associated with the index will be copied.This change leverages the
walklibrary to copy things at each level of theoci.SignedEntitywe are given.Here is an example where I copy a
kobuilt image where I signed the index:Notable is that both the signature and the per-architecture SBOMs are copied to the target repository.
I refactored the existing logic a bit to be slightly less verbose in support of this.
Release Note
cc @dlorenc @imjasonh