Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: attach: attestation: allow passing multiple payloads #2085

Merged
merged 2 commits into from
Aug 1, 2022
Merged

feat: attach: attestation: allow passing multiple payloads #2085

merged 2 commits into from
Aug 1, 2022

Conversation

Dentrax
Copy link
Member

@Dentrax Dentrax commented Jul 20, 2022
edited by developer-guy
Loading

Signed-off-by: Furkan furkan.turkal@trendyol.com
Co-authored-by: Batuhan batuhan.apaydin@trendyol.com

Fixes #2052

Summary

Release Note

Allow passing multiple attestation payloads to "attach attestation" command

Documentation

@Dentrax
Copy link
Member Author

Dentrax commented Jul 20, 2022
edited
Loading 

$ ./cosign attach attestation --attestation at1.json --attestation at2.json furkanturkal/busybox:0.1.0

Using payload from: at1.json (0205d4c0d9d12706c126515b1ef452e3c7460de647aeec33d1ed01bd172e98de)
Using payload from: at2.json (d2a9efb2c1621823ecb3dc270a74d5ded58be7219080875be0349b625bae7206)

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "size": 342,
    "digest": "sha256:9641fd9d3b1b7e18ab7ed6b7fe6c232e4969043d188902aa192843cb9c3eec84"
  },
  "layers": [
    {
      "mediaType": "application/vnd.dsse.envelope.v1+json",
      "size": 4939,
      "digest": "sha256:0205d4c0d9d12706c126515b1ef452e3c7460de647aeec33d1ed01bd172e98de",
      "annotations": {
        "dev.cosignproject.cosign/signature": ""
      }
    },
    {
      "mediaType": "application/vnd.dsse.envelope.v1+json",
      "size": 5999,
      "digest": "sha256:d2a9efb2c1621823ecb3dc270a74d5ded58be7219080875be0349b625bae7206",
      "annotations": {
        "dev.cosignproject.cosign/signature": ""
      }
    }
  ]
}

@Dentrax Dentrax force-pushed the feature/multi-payload-for-attach branch from 7731763 to 6865430 Compare July 20, 2022 21:42
@Dentrax Dentrax mentioned this pull request Jul 20, 2022
Closed
@TomHennen
Copy link
Contributor

Thanks for working on this!

Looking at the example and code it looks like this doesn't follow the intent of #2052 which wants the attach command to support reading multiple attestations from a single file in the in-toto bundle format.

The expected behavior is that a single file would have multiple attestations contained within it (one per line) and that attach should read and attach all of them.

e.g.

{ "payloadType": "application/vnd.in-toto+json", "payload": "a...", "signatures": [w...] }
{ "payloadType": "application/vnd.in-toto+json", "payload": "b...", "signatures": [w...] }

The behavior here, letting the user specify multiple files, does seem useful though. I wouldn't be surprised if some users would like this capability, it's just not quite what I was looking for in #2052.

WDYT?

@developer-guy
Copy link
Member

Oh, thanks, @TomHennen, we couldn't understand the issue at first, but now we are okay with the idea and will fix it soon, but @dlorenc, what do you think about this PR? It seems useful for people who might want to add multiple attestation files.

@codecov-commenter
Copy link

codecov-commenter commented Jul 27, 2022
edited
Loading

Codecov Report

Merging #2085 (0fae11e) into main (8f2c36d) will decrease coverage by 0.70%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2085      +/-   ##
==========================================
- Coverage   26.33%   25.62%   -0.71%     
==========================================
  Files         129      130       +1     
  Lines        7564     7597      +33     
==========================================
- Hits         1992     1947      -45     
- Misses       5317     5412      +95     
+ Partials      255      238      -17
Impacted Files Coverage Δ
cmd/cosign/cli/attach.go 0.00% <0.00%> (ø)
cmd/cosign/cli/options/attach.go 0.00% <0.00%> (ø)
pkg/oci/layout/signatures.go 0.00% <0.00%> (-53.85%) ⬇️
pkg/oci/layout/write.go 0.00% <0.00%> (-37.50%) ⬇️
pkg/oci/layout/index.go 0.00% <0.00%> (-28.58%) ⬇️
pkg/blob/load.go 68.57% <0.00%> (-5.72%) ⬇️
pkg/oci/static/file.go 64.70% <0.00%> (-5.30%) ⬇️
pkg/oci/mutate/signatures.go 33.33% <0.00%> (-0.67%) ⬇️
pkg/policy/eval.go 78.94% <0.00%> (-0.54%) ⬇️
pkg/cosign/rego/rego.go 70.96% <0.00%> (-0.47%) ⬇️
... and 6 more

Help us with your feedback. Take ten seconds to tell us how you rate us.

@dlorenc
Copy link
Member

dlorenc commented Jul 27, 2022

Seems fine. When we support bundles, would we just detect them in the same file/flag or would that be different?

@Dentrax @developer-guy
feat: attach: allow passing multiple payloads
8ceb65c 
Fixed sigstore#2052

Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
@developer-guy developer-guy force-pushed the feature/multi-payload-for-attach branch from 171ef35 to 8ceb65c Compare July 27, 2022 19:47
@developer-guy
Copy link
Member

Seems fine. When we support bundles, would we just detect them in the same file/flag or would that be different?

In this PR, UX will remain the same, just add knowledge about the jsonlines file for attestation bundles.

TomHennen
TomHennen suggested changes Jul 27, 2022
View reviewed changes
Copy link
Contributor

@TomHennen TomHennen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this seems to work well! :)

cmd/cosign/cli/attach.go Outdated
Args: cobra.ExactArgs(1),
Use: "attestation",
Short: "Attach attestation to the supplied container image",
Example: ` cosign attach attestation --attestation <payload path> <image uri>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: instead of <payload path>, <attestation file path>

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks

cmd/cosign/cli/attach.go Outdated
Short: "Attach attestation to the supplied container image",
Example: ` cosign attach attestation --attestation <payload path> <image uri>

# attach multiple attestations to a container image
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion:

"attach attestations from multiple files to a container image"

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks

cmd/cosign/cli/attach.go
Example: " cosign attach attestation <image uri>",
Args: cobra.ExactArgs(1),
Use: "attestation",
Short: "Attach attestation to the supplied container image",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a place to add a note that "attach attestation supports files using the in-toto bundle format" or something like that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

cmd/cosign/cli/attach/attach.go Show resolved Hide resolved
cmd/cosign/cli/attach/attach.go
"github.com/sigstore/cosign/pkg/types"
)

func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayloads []string, imageRef string) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, instead of 'signedPayloads', should this be 'filePaths' ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you, updated.

cmd/cosign/cli/attach/attach.go Outdated Show resolved Hide resolved
cmd/cosign/cli/attach/attach.go
return nil
}

func attachAttestation(remoteOpts []ociremote.Option, signedPayload, imageRef string) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: instead of 'signedPayload' should this be 'filePath' ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you, updated.

@developer-guy developer-guy force-pushed the feature/multi-payload-for-attach branch 2 times, most recently from 550524b to 28f7030 Compare August 1, 2022 08:41
@developer-guy
fix: reviews
0fae11e 
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
@developer-guy developer-guy force-pushed the feature/multi-payload-for-attach branch from 28f7030 to 0fae11e Compare August 1, 2022 08:49
@dlorenc dlorenc merged commit 938ad43 into sigstore:main Aug 1, 2022
@github-actions github-actions bot added this to the v1.11.0 milestone Aug 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@developer-guy developer-guy developer-guy left review comments

@TomHennen TomHennen TomHennen requested changes

@dlorenc dlorenc dlorenc approved these changes

@cpanato cpanato Awaiting requested review from cpanato

Assignees

@Dentrax Dentrax

@developer-guy developer-guy

Labels
None yet
Projects
None yet
Milestone
v1.10.1
Development

Successfully merging this pull request may close these issues.

attach attestation should support Attestation Bundles
5 participants
@Dentrax @TomHennen @developer-guy @codecov-commenter @dlorenc