
Add SLSA 1.0 attestation support to cosign. Closes #2860 #3219

Merged: 4 commits merged into sigstore:main on Sep 13, 2023

Conversation

ziel
Contributor

@ziel ziel commented Sep 5, 2023

Summary

This change adds support for the SLSA 1.0 provenance predicate (https://slsa.dev/spec/v1.0/provenance).

cosign attest and related commands cannot validate it currently, and the custom type must be used for it instead. After this change, it will be possible to specify the new provenance attestation type as slsaprovenance1.

Related issue: #2860

Release Note

Added a new type slsaprovenance1 to support slsa 1.0 provenance in attest and verify commands.

Documentation

The attestation types do not appear to be documented at https://docs.sigstore.dev so there is no related change there.
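As an added example (not code from this PR or from cosign), the kind of verifier-side check the new type enables: parse an in-toto statement, accept only the SLSA 1.0 provenance predicate type, and require the builder identity before returning it for policy matching. The predicate URIs are the ones published by the SLSA spec; the mapping from cosign type names to URIs and the sample statement are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SLSA predicate type URIs keyed by the cosign type names this PR discusses (mapping assumed, not cosign's code).
var PredicateTypes = map[string]string{
	"slsaprovenance":   "https://slsa.dev/provenance/v0.2",
	"slsaprovenance02": "https://slsa.dev/provenance/v0.2",
	"slsaprovenance1":  "https://slsa.dev/provenance/v1",
}

// SampleV1 is a constructed, minimal SLSA 1.0 statement, not a real attestation.
const SampleV1 = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app","digest":{"sha256":"00"}}],
"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"buildType":
"https://example.com/build/v1"},"runDetails":{"builder":{"id":"https://example.com/builder"}}}}`

// statement is the subset of an in-toto Statement needed to dispatch on predicateType.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// v1Provenance holds the SLSA 1.0 fields a verification policy should insist on.
type v1Provenance struct {
	BuildDefinition struct{ BuildType string `json:"buildType"` } `json:"buildDefinition"`
	RunDetails      struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"runDetails"`
}

// BuilderID rejects anything that is not SLSA 1.0 provenance with the required fields and returns the builder id.
func BuilderID(raw []byte) (string, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", err
	}
	if st.PredicateType != PredicateTypes["slsaprovenance1"] {
		return "", fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	var p v1Provenance
	if err := json.Unmarshal(st.Predicate, &p); err != nil {
		return "", err
	}
	if p.BuildDefinition.BuildType == "" || p.RunDetails.Builder.ID == "" {
		return "", fmt.Errorf("provenance missing buildType or builder.id")
	}
	return p.RunDetails.Builder.ID, nil
}
```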

@ziel
Contributor Author

ziel commented Sep 5, 2023

Hi all! I'm not super sure if this is the right way to support this -- but figured it might be easiest to discuss with something as a starting point. I think my open questions are:

  • is making this an explicit type alongside the original slsaprovenance a good approach?
  • is slsaprovenance1 an acceptable name for this type?

Also, side note -- I updated two tests to run against the old and new types as subtests. The change is a bit easier to read when ignoring whitespace as there's a large block which was indented in both cases.

ziel added 2 commits September 5, 2023 12:00
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
@haydentherapper
Contributor

I think this is a good way to approach this, and we can plan to change the behavior of the flags in a later release as a breaking change, where slsaprovenance will generate a v1.0 attestation and we'll drop support for v0.2.

cc @znewman01

@codecov

codecov bot commented Sep 5, 2023

Codecov Report

Merging #3219 (1ac71d7) into main (865e7b3) will not change coverage.
Report is 10 commits behind head on main.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #3219   +/-   ##
=======================================
  Coverage   30.33%   30.33%           
=======================================
  Files         155      155           
  Lines        9827     9827           
=======================================
  Hits         2981     2981           
  Misses       6398     6398           
  Partials      448      448           
Files Changed                          Coverage Δ
cmd/cosign/cli/options/predicate.go    0.00% <0.00%> (ø)

Contributor

@znewman01 znewman01 left a comment


Maybe to ease the transition can we add a slsaprovenance0.2 option that's just an alias for the current behavior?

Then we could at some future point switch over slsaprovenance to point to slsaprovenance1.

Otherwise looks great, thanks for the change!

Review thread on pkg/cosign/attestation/attestation.go (outdated, resolved)
ziel added 2 commits September 6, 2023 14:07
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
@ziel
Contributor Author

ziel commented Sep 13, 2023

Hi @znewman01 -- I added a patch related to your change request, if you have a moment to peek at it. I called the type slsaprovenance02 because there are places in the code base which don't like the . -- though we could have it diverge from those if that'd be better

@znewman01 znewman01 merged commit b2cdbbb into sigstore:main Sep 13, 2023
@github-actions github-actions bot added this to the v2.3.0 milestone Sep 13, 2023
lance pushed a commit to securesign/cosign that referenced this pull request Sep 25, 2023
…store#3219)

* Add SLSA 1.0 attestation support to cosign

Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>

* fix leading whitespace

Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>

* fix 1.0 typo

Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>

* add slsaprovenance02 type

Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>

---------

Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023