
consider attaching attestations to the OCI registry but verify its signature first #1202

Status: Closed
developer-guy opened this issue Dec 14, 2021 · 11 comments · Fixed by #1253
Labels: enhancement (New feature or request)

Comments

@developer-guy (Member)

Description

As we support attaching SBOMs and signatures by using the cosign attach command, why don't we add support for attaching attestation files as well? The only option people have is cosign attest, but it also signs the attestation and attaches it to the OCI registry. What I want to do is only store the attestation files in OCI registries.

cc: @dlorenc @hectorj2f

developer-guy added the enhancement (New feature or request) label on Dec 14, 2021

@lukehinds (Member)

Why would you want to do that? I mean cosign is a project about signing things :)

@developer-guy (Member, Author)

Yep, but it also allows us to attach things, so I think attestations could be one of them.

@ChaosInTheCRD (Contributor)

This is maybe something separate, but I was a bit confused by the cosign attest --predicate command and the docs around it. My thought process was "I want to sign and attach my attestation to the OCI registry", and cosign attach seemed like the first port of call. I was also slightly unfamiliar with the phrase "predicate", which got me mixed up and thinking that this was the incorrect command. Maybe an update of the documentation would suffice 😄 .

As for the ability to attach the attestation without signing, @developer-guy what would the main customer use case be behind not signing the attestation? All it requires is that a private key is presented, which is possible in just about every use-case? It could also lead to situations where users of cosign think that cosign attach attestation is signing before attaching.

@dlorenc (Member) commented Dec 14, 2021

> As we support attaching SBOMs and signatures by using the cosign attach command, why don't we add support for attaching attestation files as well? The only option people have is cosign attest, but it also signs the attestation and attaches it to the OCI registry. What I want to do is only store the attestation files in OCI registries.

Is the idea that you'd sign some other way, then upload/attach the already signed attestation? I could see that being useful (basically just decomposing the attest command to add flexibility).

@ChaosInTheCRD (Contributor) commented Dec 14, 2021

> > As we support attaching SBOMs and signatures by using the cosign attach command, why don't we add support for attaching attestation files as well? The only option people have is cosign attest, but it also signs the attestation and attaches it to the OCI registry. What I want to do is only store the attestation files in OCI registries.
>
> Is the idea that you'd sign some other way, then upload/attach the already signed attestation? I could see that being useful (basically just decomposing the attest command to add flexibility).

Yeah I could see this being helpful. As I said though, the one caveat being care taken over ensuring the user understands that cosign (in this case) will not sign the attestation.

@developer-guy (Member, Author)

Kindly ping @dlorenc

@developer-guy (Member, Author)

Also related to #1216

@dlorenc (Member) commented Dec 20, 2021

Yeah, attaching an already signed attestation works for me. Like @ChaosInTheCRD said, we should verify it's a signed attestation first to make it safe.
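The check dlorenc describes, as an added example rather than cosign's own code: before an already-signed attestation is attached, parse it as a DSSE envelope, confirm the payload type is the in-toto one cosign uses (`application/vnd.in-toto+json`), confirm the payload decodes to an in-toto Statement, and verify at least one signature over the DSSE pre-authentication encoding. The key type (ECDSA P-256 with SHA-256) matches what cosign generates by default; the type and function names (`Envelope`, `SignStatement`, `VerifyEnvelope`) and the sample Statement are assumptions made for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// IntotoPayloadType is the DSSE payloadType cosign uses for in-toto attestations.
const IntotoPayloadType = "application/vnd.in-toto+json"

// Signature and Envelope mirror the DSSE envelope layout (hypothetical local types).
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement JSON
	Signatures  []Signature `json:"signatures"`
}

// pae builds the DSSE pre-authentication encoding, the bytes that are signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func pae(payloadType string, body []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(body)) + " " + string(body))
}

// GenerateKey creates an ECDSA P-256 key, the key type cosign generates by default.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignStatement is the "sign some other way" step: it wraps an in-toto Statement
// in a DSSE envelope carrying one ECDSA signature over the PAE.
func SignStatement(priv *ecdsa.PrivateKey, statement []byte) ([]byte, error) {
	digest := sha256.Sum256(pae(IntotoPayloadType, statement))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	env := Envelope{
		PayloadType: IntotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(statement),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
	return json.Marshal(env)
}

// VerifyEnvelope is the gate to run before attaching. It rejects anything that is
// not a DSSE envelope with the in-toto payload type, a parseable Statement, and at
// least one signature that verifies under pub. It returns the decoded Statement.
func VerifyEnvelope(raw []byte, pub *ecdsa.PublicKey) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("not a DSSE envelope: %w", err)
	}
	if env.PayloadType != IntotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	var stmt struct {
		Type string `json:"_type"`
	}
	if err := json.Unmarshal(payload, &stmt); err != nil || stmt.Type == "" {
		return nil, errors.New("payload is not an in-toto Statement")
	}
	if len(env.Signatures) == 0 {
		return nil, errors.New("envelope is unsigned; refusing to attach")
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload)) // recompute over decoded bytes
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ecdsa.VerifyASN1(pub, digest[:], sig) {
			return payload, nil
		}
	}
	return nil, errors.New("no signature verifies under the supplied key; refusing to attach")
}

func main() {
	// Constructed sample Statement; a real one carries a subject digest and a predicate.
	statement := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://example.com/predicate/v1","subject":[],"predicate":{}}`)
	priv, _ := GenerateKey()
	env, _ := SignStatement(priv, statement)
	if _, err := VerifyEnvelope(env, &priv.PublicKey); err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Println("envelope verified; safe to attach")
}
```

The verifier hashes the PAE rebuilt from the decoded payload, not the raw JSON, so re-encoding or reformatting the envelope does not break verification while any change to the Statement bytes or the payload type does. An attach command built on this gate also needs the caller to say which public key (or certificate) the signature must verify under; accepting "any signature" without a trust anchor would only prove the envelope was signed by someone.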

@developer-guy (Member, Author)

> we should verify it's a signed attestation first to make it safe.

Amazing!

@developer-guy (Member, Author) commented Dec 20, 2021

Seems the wrong issue was closed @dlorenc 😊

developer-guy reopened this on Dec 20, 2021

@developer-guy (Member, Author)

My bad 🤦🏻‍♂️, it should close #959, and I closed it manually.

developer-guy changed the title from "consider attaching attestations to the OCI registry without signing them" to "consider attaching attestations to the OCI registry but verify its signature first" on Dec 21, 2021

4 participants