TaskRuns can't be stored in OCI registries

[priyawadhwa]

we get this error:

{"level":"info","ts":"2021-08-12T15:12:00.776Z","logger":"watcher.event-broadcaster","caller":"record/event.go:282","msg":"Event(v1.ObjectReference{Kind:\"TaskRun\", Namespace:\"default\", Name:\"build-push-run-output-image-l4mjf\", UID:\"8628d8a4-2ca6-401f-a15a-c310d2cbd562\", APIVersion:\"tekton.dev/v1beta1\", ResourceVersion:\"91241155\", FieldPath:\"\"}): type: 'Warning' reason: 'InternalError' 1 error occurred:\n\t* getting digest: digest must be between 71 and 71 runes in length: \n\n"}

[priyawadhwa]

so looks like we only support OCI storage backend for OCI images right now

https://github.com/tektoncd/chains/blob/main/pkg/chains/storage/oci/oci.go#L72

we could add support for storing TaskRuns and signatures in OCI

1. name the image [repo]-[taskrun name-uid]
2. upload the TaskRun (with the annotations containing signature/) to OCI via cosign upload-blob library
3. also upload the signature to OCI registry as cosign would

[priyawadhwa]

waiting on sigstore/cosign#535 to merge so that we can use cosign to upload files to an OCI registry

[priyawadhwa]

The PR was merged & I tried updating but ran into some dependency conflicts -- chains depends on knative which requires k8s.io/api at v0.20.7, while cosign @ main requires v0.22.0

[priyawadhwa]

once #203 is closed we should be able to do this as well

[nadgowdas]

thanks @priyawadhwa

[priyawadhwa]

This is (sort of) fixed -- we can store in-toto attestations in OCI registries but we still can't store any generic thing in a registry (e.g. a TaskRun yaml as is)

@nadgowdas were you trying to store the TaskRun yaml as is?

[nadgowdas]

@priyawadhwa I was trying to save the signed taskrun spec in OCI registry. Basically using artifacts.taskrun.storage config with oci. And I was using tekton-provenance format, which stores it in JSON format

[priyawadhwa]

sounds good, that should be working now! i'll close this issue then :)