Add SLSA 1.0 attestation support to cosign. Closes #2860 #3219
Conversation
Hi all! I'm not super sure if this is the right way to support this -- but figured it might be easiest to discuss with something as a starting point. I think my open questions are:
Also, side note -- I updated two tests to run against the old and new types as subtests. The change is a bit easier to read when ignoring whitespace as there's a large block which was indented in both cases.
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
I think this is a good way to approach this, and we can plan to change the behavior of the flags in a later release as a breaking change, where cc @znewman01
Codecov Report
@@ Coverage Diff @@
## main #3219 +/- ##
=======================================
Coverage 30.33% 30.33%
=======================================
Files 155 155
Lines 9827 9827
=======================================
Hits 2981 2981
Misses 6398 6398
Partials 448 448
Maybe to ease the transition can we add a slsaprovenance0.2 option that's just an alias for the current behavior? Then we could at some future point switch over slsaprovenance to point to slsaprovenance1.
Otherwise looks great, thanks for the change!
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
Hi @znewman01 -- I added a patch related to your change request, if you have a moment to peek at it. I called the type
…store#3219)
* Add SLSA 1.0 attestation support to cosign
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
* fix leading whitspace
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
* fix 1.0 typo
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
* add slsaprovenance02 type
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
---------
Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
Summary
This change adds support for the SLSA 1.0 provenance predicate (https://slsa.dev/spec/v1.0/provenance). cosign attest and related commands cannot validate it currently, and the custom type must be used for it instead. After this change, it will be possible to specify the new provenance attestation type as slsaprovenance1.
Related issue: #2860
Release Note
Added a new type slsaprovenance1 to support SLSA 1.0 provenance in attest and verify commands.
Documentation
The attestation types do not appear to be documented at https://docs.sigstore.dev so there is no related change there.
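As an added example, not code from this PR or from cosign itself, here is a small Go check of the kind a verifier applies once an attestation can be named slsaprovenance1: it maps the type names discussed in this thread to the SLSA predicate URIs and rejects a statement that is not SLSA 1.0 provenance or whose predicate lacks builder.id and buildType. TypeForName, CheckSLSA1 and the constructed example statement are assumptions of this snippet, not cosign's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Predicate type URIs from the SLSA spec for the two provenance versions.
const (
	SLSAProvenanceV02 = "https://slsa.dev/provenance/v0.2"
	SLSAProvenanceV1  = "https://slsa.dev/provenance/v1"
)

// ExampleSLSA1Statement is a constructed minimal statement with placeholder URIs.
const ExampleSLSA1Statement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildDefinition":{"buildType":"https://example.invalid/build/v1"},"runDetails":{"builder":{"id":"https://example.invalid/builder"}}}}`

// statement is the subset of an in-toto Statement a verifier needs: the
// predicate type to dispatch on and the SLSA 1.0 fields it should insist on.
type statement struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		BuildDefinition struct{ BuildType string `json:"buildType"` } `json:"buildDefinition"`
		RunDetails      struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` } `json:"runDetails"`
	} `json:"predicate"`
}

// TypeForName maps a hypothetical --type name to the predicate URI it selects,
// keeping slsaprovenance as the 0.2 alias proposed in the review.
func TypeForName(name string) (string, error) {
	switch name {
	case "slsaprovenance", "slsaprovenance02":
		return SLSAProvenanceV02, nil
	case "slsaprovenance1":
		return SLSAProvenanceV1, nil
	}
	return "", fmt.Errorf("unknown attestation type %q", name)
}

// CheckSLSA1 rejects a statement that is not SLSA 1.0 provenance or whose
// predicate lacks buildType or builder.id, so a 0.2 document cannot pass.
func CheckSLSA1(raw []byte) error {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("not an in-toto statement: %w", err)
	}
	if st.PredicateType != SLSAProvenanceV1 {
		return fmt.Errorf("predicateType %q is not %s", st.PredicateType, SLSAProvenanceV1)
	}
	if st.Predicate.BuildDefinition.BuildType == "" || st.Predicate.RunDetails.Builder.ID == "" {
		return fmt.Errorf("predicate lacks buildDefinition.buildType or runDetails.builder.id")
	}
	return nil
}
```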