Don't hardcode Cosign attest type #1533
Signed-off-by: Nils Hanke <nils.hanke@outlook.de>
d40715f to 3197fa9
@spiffcs probably has the most context here, but I believe the issue is we can no longer verify attestations if they are not using the
Yes, see the linked issue with a longer description :) From what I gathered is that the original issue is Cosign defaults to
👋 Hi @Nirusu see this issue we filed with cosign upstream: As of this feature the only way I could get
If you shelled out and ran the command without the custom type previously it would not pass validation. If this is still not the case we can take a look and update the command string to use a value input by the user
I read the issue you linked - I do agree that we probably should just expose the type at this point and let the downstream commands work as expected giving the user the most freedom
I'll add that change - thanks for the report!
I saw your issue (see my chain of thoughts in #1532), but that's what I don't get. You ran:

COSIGN_EXPERIMENTAL=1 cosign attest --predicate test_spdx_scratch.json --type spdxjson caphill4/scratch:latest
COSIGN_EXPERIMENTAL=1 cosign verify-attestation caphill4/scratch:latest

The attest is specified with a predicate, the verify-attestation without. That doesn't make sense to me. So I don't really see what you were going here for - not specifying it should already give you the same. But only in one command? Yes, auto-detection is broken, but I would still pass that as user error if you define another type but ultimately don't care about the type. Hardcoding doesn't make sense imo since Syft is not bound to a specific version of Cosign anymore if it's executed externally.
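The type mismatch discussed above, as an added Go example that is not code from the syft PR or from cosign: it builds both cosign invocations from one caller-supplied `--type` and checks an in-toto statement's `predicateType` against it. The `predicateURIs` table and the `sampleStatement` are assumptions constructed for the example, not values taken from cosign.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed mapping from cosign's short --type names to in-toto predicateType URIs;
// the authoritative table lives in cosign, which is why a caller should not bake one in.
var predicateURIs = map[string]string{
	"spdxjson":  "https://spdx.dev/Document",
	"cyclonedx": "https://cyclonedx.org/bom",
	"custom":    "cosign.sigstore.dev/attestation/v1",
}
// CosignArgs builds the argument list for `cosign attest` or `cosign verify-attestation`,
// taking --type from the caller so both invocations carry the same predicate type.
func CosignArgs(subcommand, image, predicatePath, predicateType string) ([]string, error) {
	if _, ok := predicateURIs[predicateType]; !ok {
		return nil, fmt.Errorf("unknown predicate type %q", predicateType)
	}
	switch subcommand {
	case "attest":
		return []string{"attest", "--predicate", predicatePath, "--type", predicateType, image}, nil
	case "verify-attestation":
		return []string{"verify-attestation", "--type", predicateType, image}, nil
	}
	return nil, fmt.Errorf("unsupported subcommand %q", subcommand)
}
// sampleStatement is a constructed, trimmed in-toto Statement as an SPDX attestation
// would carry it; only predicateType matters for the check below.
var sampleStatement = []byte(`{"_type":"https://in-toto.io/Statement/v0.1",
 "predicateType":"https://spdx.dev/Document","subject":[],"predicate":{}}`)
// PredicateTypeMatches reports whether a statement carries the predicateType a verifier
// asked for expectedType accepts; a mismatch is what fails verify-attestation.
func PredicateTypeMatches(stmtJSON []byte, expectedType string) (bool, error) {
	want, ok := predicateURIs[expectedType]
	if !ok {
		return false, fmt.Errorf("unknown predicate type %q", expectedType)
	}
	var st struct{ PredicateType string `json:"predicateType"` }
	if err := json.Unmarshal(stmtJSON, &st); err != nil {
		return false, err
	}
	return st.PredicateType == want, nil
}
func main() {
	args, _ := CosignArgs("attest", "caphill4/scratch:latest", "sbom.spdx.json", "spdxjson")
	fmt.Println(args)
}
```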
Signed-off-by: Nils Hanke <nils.hanke@outlook.de>
Fixes #1532.
Since this seems to be intentional, I also raised the issue to describe the issue and maybe keep the discussion there?
Depending on how the discussion goes, maybe merge or close this PR. I don't know - the fix is trivial though :)