Fix: Drop the CosignPredicate wrapper around SBOM attestations.
#2718
Commits on Feb 11, 2023
-
Fix: Drop the
CosignPredicatewrapper around SBOM attestations.🐛 This change drops the `CosignPredicate` that `cosign` wraps around SPDX/CycloneDX attestations. Currently `cosign` wraps SPDX and CycloneDX attestations produced via their shortnames (`cosign attest --type {spdxjson|cyclonedx}`) in a `CosignPredicate` envelope. However, the whole point of the in-toto `predicateType` is to specify the schema of the `predicate`, and despite using the SPDX and Cyclone predicate type URIs, this envelope violates their schema with the extra layer. Moreover, if users were to attest these SBOMs with the explicit predicate type URI: ``` cosign attest --type https://spdx.dev/Document ... ``` Then `cosign` will NOT add this additional envelope, which makes it effectively impossible to know the schema to use for policy validation based strictly on the `predicateType` because even `cosign` will produce these attestations both ways. Fixes: sigstore#2126 /kind bug Signed-off-by: Matt Moore <mattmoor@chainguard.dev>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.