cosign tree support for OCI 1.1 Referrers #4204

Open
ralphbean opened this issue May 14, 2025 · 1 comment · May be fixed by #4205
Labels
enhancement New feature or request

Comments

ralphbean commented May 14, 2025

Description

In previous changes, support for the OCI Referrers API was added:

But support was never added to `cosign tree`. If I sign, attach, or attest to a container image, those results don't appear in the results of `cosign tree`.

I was thinking that if we put this behind a cosign tree --experimental-oci11 flag, then it would make sense for cosign tree to display all artifacts found, both those located by the convention implemented by cosign triangulate and those located by the OCI 1.1 Referrers API.

Something like this:

```
❯ ./cosign tree --experimental-oci11 quay.io/rbean/tree-scsa:example
📦 Supply Chain Security Related artifacts for an image: quay.io/rbean/tree-scsa:example
└── 🔐 Signatures for an image tag: quay.io/rbean/tree-scsa:sha256-b3454025ce78fa93aba879b2824a06a59e2b8c5005b2a4286368433cd0f41cde.sig
   └── 🍒 sha256:ef4e39921eeb670ea453be070877d0fef225a13f97a9f9bf107d4d04d4c0dba6
└── 💾 Attestations for an image tag: quay.io/rbean/tree-scsa:sha256-b3454025ce78fa93aba879b2824a06a59e2b8c5005b2a4286368433cd0f41cde.att
   ├── 🍒 sha256:105da535ba7425024b03685048c33a458b3147315458fc1291479bae34f34997
   └── 🍒 sha256:98c6b2784ffe8a38cc4533d9a5d845cfe4ce72c2aa7e7f00a0682718d0259472
└── 🔗 application/vnd.dev.sigstore.bundle.v0.3+json artifacts via OCI referrer: quay.io/rbean/tree-scsa@sha256:01ca3469ae921632f7bd965cb34f9c10f07a723ea68223008871e86052bcfec8:
   └── 🍒 sha256:a336d1bfe93e60ae8a5cbbe546663517719d8f3ce1e628ffc0196c0cdf658314
```

(I already prepared a patch for this at #4205, but I was stopped by the pull request template which suggested that an issue should be on file with some time to discuss the right approach first.)

@ralphbean ralphbean added the enhancement New feature or request label May 14, 2025
@ralphbean ralphbean linked a pull request May 14, 2025 that will close this issue
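As an added illustration (not code from this issue or from cosign itself), here is a small Go sketch of the two discovery paths the proposed tree output would merge: the `sha256-<digest>.sig`/`.att` tag convention that `cosign triangulate` uses, and the OCI 1.1 referrers index returned by `GET /v2/<name>/referrers/<digest>`, grouped by `artifactType` and rendered as the `🔗` branches shown above. The sample index is constructed, and the function names `TriangulateTags` and `ReferrerBranches` are my own, not cosign's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TriangulateTags returns the tag-convention locations cosign triangulate derives: sha256-<hex>.sig and .att.
func TriangulateTags(repo, digest string) (sig, att string) {
	hex := strings.TrimPrefix(digest, "sha256:")
	return repo + ":sha256-" + hex + ".sig", repo + ":sha256-" + hex + ".att"
}

// ReferrerBranches parses the index from GET /v2/<name>/referrers/<digest> (OCI 1.1),
// groups referrers by artifactType (mediaType if absent) and renders one branch per type.
func ReferrerBranches(repo, digest string, indexJSON []byte) (string, error) {
	var idx struct {
		Manifests []struct {
			MediaType    string `json:"mediaType"`
			Digest       string `json:"digest"`
			ArtifactType string `json:"artifactType"`
		} `json:"manifests"`
	}
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", err
	}
	byType, order := map[string][]string{}, []string{}
	for _, d := range idx.Manifests {
		t := d.ArtifactType
		if t == "" {
			t = d.MediaType
		}
		if _, seen := byType[t]; !seen {
			order = append(order, t) // keep registry order: first seen, first printed
		}
		byType[t] = append(byType[t], d.Digest)
	}
	var b strings.Builder
	for _, t := range order {
		fmt.Fprintf(&b, "└── 🔗 %s artifacts via OCI referrer: %s@%s:\n", t, repo, digest)
		for _, d := range byType[t] {
			fmt.Fprintf(&b, "   └── 🍒 %s\n", d)
		}
	}
	return b.String(), nil
}

// ConstructedIndex is a hand-written sample referrers response, not data from a real registry.
const ConstructedIndex = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:a336d1bfe93e60ae8a5cbbe546663517719d8f3ce1e628ffc0196c0cdf658314","size":1234,"artifactType":"application/vnd.dev.sigstore.bundle.v0.3+json"},{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef","size":2048}]}`
```

A tree walker or verifier that consults only one of the two locations will not see artifacts attached through the other, which is the gap this issue describes.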
lefosg commented May 16, 2025

I was about to make an issue about that. Indeed, if you sign an image using the OCI 1.1 parameter, you cannot even verify the image. In my GitLab CI YAML file I have this line which signs a container image:

```yaml
  - COSIGN_EXPERIMENTAL=1 ./cosign sign --registry-referrers-mode=oci-1-1 "$CI_REGISTRY_IMAGE:1.0.5"
  - ...
  - COSIGN_EXPERIMENTAL=1 ./cosign attest -y --type spdxjson --predicate image.sbom.json "$CI_REGISTRY_IMAGE:1.0.5"
```

Signature and SBOM attestation appear in the tags. But `cosign verify` outputs `Error: no signatures found`. The SBOM attestation is listed in the `cosign tree` command.
