
First-class attachment support #618

Closed
dlorenc opened this issue Sep 3, 2021 · 5 comments

Comments

@dlorenc
Member

dlorenc commented Sep 3, 2021

With #615 in, we should firm up and support the other attachment types (SBOMs, signatures and attestations) across the CLI. We can upload, download, attach, sign and verify them, but we should also support them in copy, clean, and any other commands.

@sambhav
Contributor

sambhav commented Sep 6, 2021

Wanted to help out with this.

Started with triangulate in #628 for attestations and SBOMs.

I had a couple of questions as I proceed further. The current cosign commands can be a bit confusing for a first-time user.

upload/download/attach/attest - looks like upload allows you to upload random artifacts, but download only allows you to download related attachments (only signature and sbom). attest, which looks very similar to the other attachments, has its own set of commands. Should we try and unify this? I assume there is a reason for this structure, but it's hard to guess without historical context.

copy/clean - How should we specify the flags to copy specific things? Currently copy has a sig-only flag; I guess we need something generic. Should we deprecate the -sig-only flag and add something generic?

Recursive copy and clean - I guess a user may want to copy/clean over all the cosign related references recursively. Should we support this?

@sambhav
Contributor

sambhav commented Sep 6, 2021

Would we also want to sign signatures or attestations and similarly verify their signatures? Or is it just massive overkill? :P

@dlorenc
Member Author

dlorenc commented Sep 7, 2021

> Should we try and unify this? I assume there is a reason for this structure, but it's hard to guess without historical context.

Unifying makes sense. Not too much thought got put into these. LMK if you come up with something better.

> Would we also want to sign signatures or attestations and similarly verify their signatures? Or is it just massive overkill? :P

Hah, I think leaving them off is fine. You can always manually sign a signature/attestation with a triangulate call first.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions

This issue was closed because it has been stalled for 5 days with no activity.
