
Sign without pulling from the registry #903

Merged
merged 1 commit into from
Oct 16, 2021

Conversation

sudo-bmitch
Contributor

This allows signing in a disconnected environment.

Signed-off-by: Brandon Mitchell <git@bmitch.net>

Summary

This skips registry queries when the reference provided includes the digest and it does not need to recursively resolve an Index or resolve the SBOM digest. The result is the ability to sign images in a disconnected environment without direct access to the registry, or to sign images before they are pushed to the registry (if the digest can be calculated in advance).

Ticket Link

This is handling issues similar to #596 when you know the digest (but doesn't handle situations when you don't know the digest).

Release Note

Do not query the registry when a digest is provided in the reference to sign.

@hectorj2f
Contributor

Great catch!

@sudo-bmitch
Contributor Author

Realizing that I missed some of the latest commits, working on rebasing now.

@dlorenc
Member

dlorenc commented Oct 15, 2021

Welcome @sudo-bmitch! Great to have you here!

This allows signing in a disconnected environment.

Signed-off-by: Brandon Mitchell <git@bmitch.net>
@dlorenc
Member

dlorenc commented Oct 16, 2021

I think this is fine. If we end up switching to the Descriptor as a payload format we'll lose this ability because we still need to know the size, but we can deal with that later.

@dlorenc dlorenc merged commit 42e5df0 into sigstore:main Oct 16, 2021
@github-actions github-actions bot added this to the v1.3.0 milestone Oct 16, 2021
@sudo-bmitch
Contributor Author

Thanks @dlorenc. I'm looking to make the OCI Layout a first class format for images in tooling I work with. The full descriptor could then be pulled from the index.json. Then in CI pipelines with tools like in-toto and steps running without network access, the image could be passed around as a file or directory between various tools.

@dlorenc
Member

dlorenc commented Oct 16, 2021

> Thanks @dlorenc. I'm looking to make the OCI Layout a first class format for images in tooling I work with. The full descriptor could then be pulled from the index.json. Then in CI pipelines with tools like in-toto and steps running without network access, the image could be passed around as a file or directory between various tools.

Perfect! We're considering doing the same in things like Kaniko to better support hermetic builds!
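The digest-only path from the PR summary and the OCI-layout workflow discussed in the last two comments, as an added stdlib-only Go example that is not cosign's code: a reference carrying `@sha256:` yields its digest with no registry call, and a tag can be resolved offline from a layout's index.json via the standard `org.opencontainers.image.ref.name` annotation. The function names, the constructed `SampleIndexJSON` and the assumption that the layout holds a plain image manifest (not an index needing recursive resolution) are mine.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// DigestFromRef validates the digest in "repo:tag@sha256:<64 hex>" with no network access.
func DigestFromRef(ref string) (string, error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 { // tag-only reference: only the registry could supply the digest
		return "", fmt.Errorf("no digest in %q: registry lookup required", ref)
	}
	d := ref[at+1:]
	if !strings.HasPrefix(d, "sha256:") {
		return "", fmt.Errorf("unsupported digest algorithm in %q", d)
	}
	h := strings.TrimPrefix(d, "sha256:")
	if _, err := hex.DecodeString(h); err != nil || len(h) != 64 {
		return "", fmt.Errorf("malformed sha256 digest %q", d)
	}
	return d, nil
}

// ociIndex mirrors only the index.json fields needed to resolve a tag.
type ociIndex struct {
	Manifests []struct {
		Digest      string            `json:"digest"`
		Annotations map[string]string `json:"annotations"`
	} `json:"manifests"`
}

// SampleIndexJSON is a constructed OCI layout index.json with one tagged manifest.
const SampleIndexJSON = `{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json",
"digest":"sha256:cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd","size":1234,"annotations":{"org.opencontainers.image.ref.name":"v1"}}]}`
// DigestFromLayoutIndex resolves a tag through a local index.json, so a disconnected CI step never asks the registry.
func DigestFromLayoutIndex(indexJSON []byte, tag string) (string, error) {
	var idx ociIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", fmt.Errorf("parse index.json: %w", err)
	}
	for _, m := range idx.Manifests {
		if m.Annotations["org.opencontainers.image.ref.name"] == tag {
			return DigestFromRef("layout@" + m.Digest) // same validation path as a pinned reference
		}
	}
	return "", fmt.Errorf("tag %q not present in index.json", tag)
}
```

A multi-arch layout whose index.json points at an image index rather than an image manifest would still need the child manifests resolved, which is exactly the case the PR leaves to a registry query.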
