
Add --bundle flag to sign-blob and verify-blob #1306

Merged
merged 3 commits into from
Jan 14, 2022

Conversation

priyawadhwa
Contributor

Add in --bundle flag to cosign sign-blob and cosign verify-blob. The bundle stores everything required to verify a blob in a file, so now you can do something like this:

cosign sign-blob --bundle bundle.sig <blob> 

cosign verify-blob --bundle bundle.sig <blob> 

The bundle is basically just JSON with the Signature, Cert, and RekorBundle included.

Some thoughts I had, which might be future work:

  • For now I put everything behind the --bundle flag, but later we might want sign-blob to print out the entire bundle instead of just the signature by default
  • Right now other flags don't affect the output of --bundle, but later we might want certain flags to work together (e.g. --b64)
  • Since we already have the concept of a "rekor bundle" maybe we should call this something else?

fixes #1193
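To make the round trip above concrete, here is an added, stand-alone Go example (not cosign's code, and not the project's exact schema) of what a blob verification bundle carries and how a verifier consumes it: a JSON document holding the base64 signature, the signing certificate as PEM, and an opaque rekorBundle member. The field names, the throwaway self-signed certificate, and the constructed blob are assumptions for this example; `signingTime` stands in for the integrated time a real verifier would take from the Rekor entry, since Fulcio certificates are short-lived and checking them against the current clock would reject valid old signatures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is the on-disk shape this example uses: signature, cert and Rekor
// bundle in one JSON file. Field names are an assumption for the example,
// not cosign's exact schema.
type Bundle struct {
	Base64Signature string          `json:"base64Signature"`
	Cert            string          `json:"cert,omitempty"`
	RekorBundle     json.RawMessage `json:"rekorBundle,omitempty"` // kept opaque here
}

// SignBlob hashes the blob with SHA-256, signs the digest with an ECDSA key
// and packages the ASN.1 signature plus the PEM certificate into a bundle.
func SignBlob(blob []byte, key *ecdsa.PrivateKey, certPEM string) ([]byte, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return json.Marshal(Bundle{
		Base64Signature: base64.StdEncoding.EncodeToString(sig),
		Cert:            certPEM,
	})
}

// VerifyBlob parses the bundle, pulls the public key out of the embedded
// certificate, checks the certificate was valid at signingTime, and verifies
// the signature over the blob's SHA-256 digest. It does not establish trust
// in the certificate itself: a real verifier must also chain it to a trusted
// root and validate the Rekor entry the bundle carries.
func VerifyBlob(blob, bundleJSON []byte, signingTime time.Time) error {
	var b Bundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return fmt.Errorf("parsing bundle: %w", err)
	}
	block, _ := pem.Decode([]byte(b.Cert))
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("bundle does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}
	if signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter) {
		return errors.New("certificate was not valid at signing time")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(b.Base64Signature)
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match blob")
	}
	return nil
}

// selfSignedCert builds a throwaway P-256 key and a one-hour self-signed
// certificate so the example runs offline (constructed for this example).
func selfSignedCert() (*ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example blob signer"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	key, certPEM, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	blob := []byte("constructed blob contents\n") // stands in for <blob>
	bundle, err := SignBlob(blob, key, certPEM)   // cosign sign-blob --bundle
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyBlob(blob, bundle, time.Now()))               // <nil>
	fmt.Println(VerifyBlob([]byte("tampered"), bundle, time.Now())) // signature does not match blob
}
```

The point worth carrying away is that the bundle makes verification self-contained on disk, but the embedded certificate is still untrusted input: without chaining it to a trusted root and checking the Rekor bundle's signed entry and integrated time, anyone can write a bundle that verifies against their own certificate.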

Add --bundle flag to sign-blob and verify-blob

@haydentherapper
Contributor

For #1294, we're going to include a TUF timestamp in the OCI signature. Will this automatically pick this up, or will we need to append the timestamp to the bundle?

@dlorenc
Member

dlorenc commented Jan 13, 2022

  • For now I put everything behind the --bundle flag, but later we might want sign-blob to print out the entire bundle instead of just the signature by default

I'd be fine adding it by default now - this is only relevant for the COSIGN_EXPERIMENTAL sign-blob workflow right?

@priyawadhwa
Contributor Author

@haydentherapper I think it'll need to be added in, I can update that!

@dlorenc it should work for all workflows right now (for the regular workflow it'll just store the signature in the file and nothing else). Should we only do it for experimental right now?

@haydentherapper
Contributor

haydentherapper commented Jan 13, 2022

Thanks @priyawadhwa! #1294 has been merged. You should just need to add timestamp, err := tuf.GetTimestamp(ctx).

Signed-off-by: Priya Wadhwa <[email protected]>
Signed-off-by: Priya Wadhwa <[email protected]>
@dlorenc dlorenc merged commit bad18e5 into sigstore:main Jan 14, 2022
@github-actions github-actions bot added this to the v1.5.0 milestone Jan 14, 2022
@priyawadhwa priyawadhwa deleted the bundle-flag branch January 14, 2022 18:28
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
* Add --bundle flag to sign-blob and verify-blob

Signed-off-by: Priya Wadhwa <[email protected]>

* Add TUF timestamp when signing

Signed-off-by: Priya Wadhwa <[email protected]>
Development

Successfully merging this pull request may close these issues.

Specify and implement on-disk "verification bundle" format
3 participants