- Notifications
You must be signed in to change notification settings - Fork154
feat: add support for referrers attestations#1409
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:main
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
tekton-robot commentedAug 8, 2025
[APPROVALNOTIFIER] This PR isNOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be foundhere. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing |
tekton-robot commentedAug 8, 2025
Hi@arewm. Thanks for your PR. I'm waiting for atektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listedhere. Instructions for interacting with me using PR comments are availablehere. If you have questions or suggestions related to my behavior, please file an issue against thekubernetes/test-infra repository. |
5549931 to9f1e273Compareanithapriyanatarajan commentedAug 11, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
@arewm - Could you clarify if all the OCI registries support the referrer API end point? If not could we include validation and default fall back option if the end point is not supported for the given registry. Also, Recommend to create an upstream issue for this with label kind/feature with more details on why we are incorporating this enhancement.Thanks |
arewm commentedAug 11, 2025
All registries might not support the referrers API but this is also why the configuration can be defined. After creating this PR, I investigated the gap more and createdsigstore/cosign/issues/4335. I used cosign's support for the new bundle format in the PR. I don't know if there are any implications with this change, but I suspect that we might actually want that to be configured separately from the use of the referrer's API. My understanding is that Cosign should handle the fallback, but it does make sense to add that as a test case here too. After I do a little more investigation with cosign, I will create an issue in Chains to further describe the challenge I am trying to resolve (the motivation is similar to the cosign issue). |
arewm commentedAug 11, 2025
I found the spec:https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#unavailable-referrers-api
So we should expect cosign to fall back appropriately. The configuration change is just toattempt to use the referrer's API in the first place instead of only using the legacy option. |
Proposing to bump the cosign version to include new library calls topush attestations with the referrer's API.- [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0)- [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md)- [Commits](sigstore/cosign/compare/v2.5.3...v2.6.0)The new changes desired aresigstore/cosign/pull/4357 which shouldbetter support the work intektoncd#1409.Signed-off-by: arewm <arewm@users.noreply.github.com>rh-pre-commit.version: 2.3.2rh-pre-commit.check-secrets: ENABLED
Proposing to bump the cosign version to include new library calls topush attestations with the referrer's API.- [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0)- [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md)- [Commits](sigstore/cosign@v2.5.3...v2.6.0)The new changes desired aresigstore/cosign/pull/4357 which shouldbetter support the work intektoncd#1409.Signed-off-by: arewm <arewm@users.noreply.github.com>rh-pre-commit.version: 2.3.2rh-pre-commit.check-secrets: ENABLED
* Bump github.com/sigstore/cosign/v2 from 2.5.3 to 2.6.0Proposing to bump the cosign version to include new library calls topush attestations with the referrer's API.- [Release notes](https://github.com/sigstore/cosign/releases/tag/v2.6.0)- [Changelog](https://github.com/sigstore/cosign/blob/6431af15a8066c4b33c7232fc2dba3f9278a16a5/CHANGELOG.md)- [Commits](sigstore/cosign@v2.5.3...v2.6.0)The new changes desired aresigstore/cosign/pull/4357 which shouldbetter support the work in#1409.Signed-off-by: arewm <arewm@users.noreply.github.com>rh-pre-commit.version: 2.3.2rh-pre-commit.check-secrets: ENABLED* Fix LoadPrivateKey API breaking change for cosign v2.6.0- Add LoadOption parameter to LoadPrivateKey calls in x509.go and clients.go- Pass nil for defaultLoadOptions to use sensible defaults (ED25519ph)- Update both production code and test code to match new APIThe LoadPrivateKey function signature changed in cosign v2.6.0 toinclude a third parameter for LoadOption configuration. Passing niluses the default ED25519ph behavior which is appropriate for thisuse case.Co-authored-by: Claude Sonnet <claude@anthropic.com>Signed-off-by: arewm <arewm@users.noreply.github.com>rh-pre-commit.version: 2.3.2rh-pre-commit.check-secrets: ENABLED
docs/oci-format-migration.md Outdated
| @@ -0,0 +1,389 @@ | |||
| # OCI Storage Format Migration Guide | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This is something that Claude created. I'll leave it for now, but will plan to remove it before merging.
arewm commentedSep 23, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
I just reworked this implementation to include the changes made insigstore/cosign#4357. It is not currently possible for cosign to download all of these attestations, but that is also something that I am working on. I have been using Tekton as the attestation generator for testing Cosign, so as I continue the investigation, this PR may change. I have some sample images that I generated attestations and signatures for here:https://quay.io/repository/arewm/test-repo?tab=tags |
Add storage.oci.format configuration supporting three storagestrategies for OCI signatures and attestations:- "legacy": Tag-based storage with DSSE format (default)- "referrers-api": OCI 1.1 referrers API with DSSE format- "protobuf-bundle": OCI 1.1 referrers API with protobuf bundle formatImplementation includes:- Configuration layer with format validation and defaults- Format-based routing in AttestationStorer and SimpleStorer- Three storage implementations per storer type- Legacy backend integration with format-aware storers- Comprehensive test coverage for all three formatsEnables adoption of OCI 1.1 referrers API while maintainingbackward compatibility with existing tag-based storage. Allformats also work correctly with both certificate-based andx509 key configurations.🤖 Generated with [Claude Code](https://claude.ai/code)Co-Authored-By: Claude <noreply@anthropic.com>Signed-off-by: arewm <arewm@users.noreply.github.com>rh-pre-commit.version: 2.3.2rh-pre-commit.check-secrets: ENABLED
Changes
While the backwards compatible tag-based attestation method works, it can result in a lot of additional tags being pushed to OCI registries. In order to maintain fewer tags, Chains should be able to use the referrer's API when pushing signatures and attestations.
Co-Authored-By: Claudenoreply@antrhopic.com
Signed-off-by: arewmarewm@users.noreply.github.com
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes