add release cadence section in the readme (#2179)
Signed-off-by: cpanato <[email protected]>

cpanato authored Aug 19, 2022
1 parent 5a5ba22 commit 9bcd90e
Showing 1 changed file with 19 additions and 4 deletions.
23 changes: 19 additions & 4 deletions README.md
Expand Up @@ -44,6 +44,7 @@ If you have Go 1.17+, you can setup a development environment:
$ $(go env GOPATH)/bin/cosign

## Dockerfile

Here is how to install and use cosign inside a Dockerfile through the gcr.io/projectsigstore/cosign image:

```shell
Expand Down Expand Up @@ -194,6 +195,7 @@ $ cosign sign --key cosign.key gcr.io/dlorenc-vmtest2/artifact
Enter password for private key:
Pushing signature to: gcr.io/dlorenc-vmtest2/artifact:sha256-3f612a4520b2c245d620d0cca029f1173f6bea76819dde8543f5b799ea3c696c.sig
```

#### sget

We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor.
Expand Down Expand Up @@ -349,6 +351,7 @@ Today, `cosign` has been tested and works against the following registries:
* Cloudsmith Container Registry

We aim for wide registry support. To `sign` images in registries which do not yet fully support [OCI media types](https://github.com/sigstore/cosign/blob/main/SPEC.md#object-types), one may need to use `COSIGN_DOCKER_MEDIA_TYPES` to fall back to legacy equivalents. For example:

```shell
COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image
```
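Review bot: the paragraph introducing this example documents `COSIGN_DOCKER_MEDIA_TYPES` only for `sign`, and does not say whether a verifier of the same image must set the variable too; since the fallback changes the media types written to the registry, a reader has to guess. Consider one sentence after the example stating whether `cosign verify` against such a registry needs the same variable.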
Expand Down Expand Up @@ -414,12 +417,12 @@ That looks like:
}
}
```

**Note:** This can be generated for an image reference using `cosign generate <image>`.

I'm happy to switch this format to something else if it makes sense.
See https://github.com/notaryproject/nv2/issues/40 for one option.


#### Registry Details

`cosign` signatures are stored as separate objects in the OCI registry, with only a weak
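Review bot: the two lines "I'm happy to switch this format to something else if it makes sense." / "See https://github.com/notaryproject/nv2/issues/40 for one option." are written in a single author's first person, which reads oddly in a project README; since this hunk already touches the surrounding whitespace, consider rewording to project voice ("This format may change; see ... for one alternative under discussion"). The two consecutive blank lines before "#### Registry Details" could also be collapsed to one.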
Expand All @@ -434,14 +437,17 @@ To add a signature, clients orchestrate a "read-append-write" operation, so the
will win in the case of contention.

##### Specifying Registry

`cosign` will default to storing signatures in the same repo as the image it is signing.
To specify a different repo for signatures, you can set the `COSIGN_REPOSITORY` environment variable.

This will replace the repo in the provided image like this:
```

```shell
$ export COSIGN_REPOSITORY=gcr.io/my-new-repo
$ gcr.io/dlorenc-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig
```

So the signature for `gcr.io/dlorenc-vmtest2/demo` will be stored in `gcr.io/my-new-repo/demo:sha256-DIGEST.sig`.

Note: different registries might expect different formats for the "repository."
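Review bot: tagging this fence `shell` is misleading because only the first line is a command; the second line `$ gcr.io/dlorenc-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig` illustrates the repository rewrite and is not something to type, and the leading `$` makes it look like a command. Either drop the `$` from that line and leave the block untagged, or keep only the `export` line in the shell block, since the sentence that follows ("So the signature for ... will be stored in ...") already states the mapping.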
Expand All @@ -452,10 +458,12 @@ Note: different registries might expect different formats for the "repository."
specify a full image name like
`$LOCATION-docker.pkg.dev/$PROJECT/$REPO/$STORAGE_IMAGE`, not just a
repository. For example,
```

```shell
COSIGN_REPOSITORY=us-docker.pkg.dev/my-new-repo/demo
gcr.io/dlorenc-vmtest2/demo --> us-docker.pkg.dev/my-new-repo/demo:sha256-DIGEST.sig
```

where the `sha256-DIGEST` will match the digest for
`gcr.io/dlorenc-vmtest2/demo`. Specifying just a repo like
`$LOCATION-docker.pkg.dev/$PROJECT/$REPO` will not work in Artifact Registry.
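Review bot: same issue as the Specifying Registry block above: `gcr.io/dlorenc-vmtest2/demo --> us-docker.pkg.dev/my-new-repo/demo:sha256-DIGEST.sig` is a mapping, not a shell command, so `shell` is the wrong tag for this fence. The two blocks that illustrate the same feature also differ in arrow spelling (`->` above, `-->` here) and prompt style (`$ export` above, a bare assignment here); pick one style for both.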
Expand All @@ -471,7 +479,7 @@ The keys encrypted under a password using scrypt as a KDF and nacl/secretbox for

They have a PEM header of `ENCRYPTED COSIGN PRIVATE KEY`:

```
```shell
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
...
-----END ENCRYPTED COSIGN PRIVATE KEY-----
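Review bot: a PEM envelope (`-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----`) is not shell, so this fence should stay untagged or be tagged `text`; `shell` only yields wrong syntax highlighting. Separately, the context line in the hunk header, "The keys encrypted under a password using scrypt as a KDF and nacl/secretbox for", is missing "are" ("The keys are encrypted ..."); worth fixing while this block is being touched.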
Expand Down Expand Up @@ -777,6 +785,13 @@ $ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa2
}
```

## Release Cadence

We are intending to move to a monthly cadence for minor releases.
Minor releases will be published around the beginning of the month.
We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
We will also cut patch releases periodically as needed to address bugs.

## Security

Should you discover any security issues, please refer to sigstore's [security
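Review bot: the new Release Cadence section is hedged ("We are intending to move to a monthly cadence") without saying when that starts, so a reader cannot tell whether the next release follows it; state the first release the cadence applies to, or drop the hedge ("Minor releases are published around the beginning of each month"). "We will also cut patch releases periodically as needed" is redundant ("periodically as needed"); and since the Security section immediately follows, one sentence on how patch releases for security fixes relate to the "as needed" patch releases would help.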