feat: attach: attestation: allow passing multiple payloads #2085
Conversation
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"size": 342,
"digest": "sha256:9641fd9d3b1b7e18ab7ed6b7fe6c232e4969043d188902aa192843cb9c3eec84"
},
"layers": [
{
"mediaType": "application/vnd.dsse.envelope.v1+json",
"size": 4939,
"digest": "sha256:0205d4c0d9d12706c126515b1ef452e3c7460de647aeec33d1ed01bd172e98de",
"annotations": {
"dev.cosignproject.cosign/signature": ""
}
},
{
"mediaType": "application/vnd.dsse.envelope.v1+json",
"size": 5999,
"digest": "sha256:d2a9efb2c1621823ecb3dc270a74d5ded58be7219080875be0349b625bae7206",
"annotations": {
"dev.cosignproject.cosign/signature": ""
}
}
]
} |
Dentrax
force-pushed
the
feature/multi-payload-for-attach
branch
from
7731763 to
6865430
Compare
|
Thanks for working on this! Looking at the example and code it looks like this doesn't follow the intent of #2052 which wants the attach command to support reading multiple attestations from a single file in the in-toto bundle format. The expected behavior is that a single file would have multiple attestations contained within it (one per line) and that attach should read and attach all of them. e.g. { "payloadType": "application/vnd.in-toto+json", "payload": "a...", "signatures": [w...] }
{ "payloadType": "application/vnd.in-toto+json", "payload": "b...", "signatures": [w...] }The behavior here, letting the user specify multiple files, does seem useful though. I wouldn't be surprised if some users would like this capability, it's just not quite what I was looking for in #2052. WDYT? |
|
Oh, thanks, @TomHennen, we couldn't understand the issue at first, but now we are okay with the idea and will fix it soon, but @dlorenc, what do you think about this PR? It seems useful for people who might want to add multiple attestation files. |
Codecov Report
@@ Coverage Diff @@
## main #2085 +/- ##
==========================================
- Coverage 26.33% 25.62% -0.71%
==========================================
Files 129 130 +1
Lines 7564 7597 +33
==========================================
- Hits 1992 1947 -45
- Misses 5317 5412 +95
+ Partials 255 238 -17
Help us with your feedback. Take ten seconds to tell us how you rate us. |
|
Seems fine. When we support bundles, would we just detect them in the same file/flag or would that be different? |
Fixed sigstore#2052 Signed-off-by: Furkan <[email protected]> Co-authored-by: Batuhan <[email protected]> Signed-off-by: Batuhan Apaydın <[email protected]>
developer-guy
force-pushed
the
feature/multi-payload-for-attach
branch
from
171ef35 to
8ceb65c
Compare
In this PR, UX will remain the same, just add knowledge about the |
cmd/cosign/cli/attach.go
Outdated
| Args: cobra.ExactArgs(1), | ||
| Use: "attestation", | ||
| Short: "Attach attestation to the supplied container image", | ||
| Example: ` cosign attach attestation --attestation <payload path> <image uri> |
There was a problem hiding this comment.
suggestion: instead of <payload path>, <attestation file path>
cmd/cosign/cli/attach.go
Outdated
| Short: "Attach attestation to the supplied container image", | ||
| Example: ` cosign attach attestation --attestation <payload path> <image uri> | ||
|
|
||
| # attach multiple attestations to a container image |
There was a problem hiding this comment.
suggestion:
"attach attestations from multiple files to a container image"
| Example: " cosign attach attestation <image uri>", | ||
| Args: cobra.ExactArgs(1), | ||
| Use: "attestation", | ||
| Short: "Attach attestation to the supplied container image", |
There was a problem hiding this comment.
Is there a place to add a note that "attach attestation supports files using the in-toto bundle format" or something like that?
| "github.com/sigstore/cosign/pkg/types" | ||
| ) | ||
|
|
||
| func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayloads []string, imageRef string) error { |
There was a problem hiding this comment.
nit, instead of 'signedPayloads', should this be 'filePaths' ?
| return nil | ||
| } | ||
|
|
||
| func attachAttestation(remoteOpts []ociremote.Option, signedPayload, imageRef string) error { |
There was a problem hiding this comment.
nit: instead of 'signedPayload' should this be 'filePath' ?
developer-guy
force-pushed
the
feature/multi-payload-for-attach
branch
2 times, most recently
from
550524b to
28f7030
Compare
Signed-off-by: Batuhan Apaydın <[email protected]>
developer-guy
force-pushed
the
feature/multi-payload-for-attach
branch
from
28f7030 to
0fae11e
Compare
Signed-off-by: Furkan [email protected]
Co-authored-by: Batuhan [email protected]
Fixes #2052
Summary
Release Note
Allow passing multiple attestation payloads to "attach attestation" command
Documentation