.cosign -> .sig

Signed-off-by: Jake Sanders <jsand@google.com>
sigstore · Apr 29, 2021 · e8b91ab · e8b91ab
1 parent 604020c
commit e8b91ab
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## v0.4.0 (pending)
 
+### Action Required
+
+* Signatures created with `cosign` before v0.4.0 are not compatible with those created after
+
 ### Enhancements
 
 * Support for Hashicorp vault as a KMS provider has been added

diff --git a/SPEC.md b/SPEC.md
@@ -124,14 +124,14 @@ If the object is referenced by tag, the tag must first be resolved to a digest.
 Then the digest of the object (of the form `sha256:abcdef...`) is encoded into a tag name using the following rules:
 
 * Replace the `:` character with a `-`
-* Append the `.cosign` suffix
+* Append the `.sig` suffix
 
 Example digest->tag mapping:
 
 1. Start with `gcr.io/dlorenc-vmtest2/demo:latest`
 2. Resolve this to a digest: `sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`
-3. Follow the encoding rules: `sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.cosign`
-4. Signature can be found at `gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.cosign`
+3. Follow the encoding rules: `sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig`
+4. Signature can be found at `gcr.io/dlorenc-vmtest2/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig`
 
 Implementations MAY store signatures objects in the same OCI repository as the target image or a different one.
 

diff --git a/pkg/cosign/fetch.go b/pkg/cosign/fetch.go
@@ -51,7 +51,7 @@ type SignedPayload struct {
 func Munge(desc v1.Descriptor) string {
 	// sha256:... -> sha256-...
 	munged := strings.ReplaceAll(desc.Digest.String(), ":", "-")
-	munged += ".cosign"
+	munged += ".sig"
 	return munged
 }
 

diff --git a/pkg/cosign/upload_test.go b/pkg/cosign/upload_test.go
@@ -34,32 +34,32 @@ func TestDestinationTag(t *testing.T) {
 		{
 			desc:  "don't specify repo",
 			image: "gcr.io/test/test",
-			want:  "gcr.io/test/test:sha256-digest.cosign",
+			want:  "gcr.io/test/test:sha256-digest.sig",
 		}, {
 			desc:  "replace repo",
 			image: "gcr.io/test/image",
 			repo:  "gcr.io/new",
-			want:  "gcr.io/new/image:sha256-digest.cosign",
+			want:  "gcr.io/new/image:sha256-digest.sig",
 		}, {
 			desc:  "image has subrepos",
 			image: "gcr.io/test/image/sub",
 			repo:  "gcr.io/new",
-			want:  "gcr.io/new/image/sub:sha256-digest.cosign",
+			want:  "gcr.io/new/image/sub:sha256-digest.sig",
 		}, {
 			desc:  "repo has subrepos",
 			image: "gcr.io/test/image/sub",
 			repo:  "gcr.io/new/subrepo",
-			want:  "gcr.io/new/subrepo/image/sub:sha256-digest.cosign",
+			want:  "gcr.io/new/subrepo/image/sub:sha256-digest.sig",
 		}, {
 			desc:  "replace not gcr repo",
 			image: "test/image",
 			repo:  "newrepo",
-			want:  "index.docker.io/newrepo/image:sha256-digest.cosign",
+			want:  "index.docker.io/newrepo/image:sha256-digest.sig",
 		}, {
 			desc:  "e2e test",
 			image: "us-central1-docker.pkg.dev/projectsigstore/cosign-ci/test",
 			repo:  "us-central1-docker.pkg.dev/projectsigstore/subrepo",
-			want:  "us-central1-docker.pkg.dev/projectsigstore/subrepo/cosign-ci/test:sha256-digest.cosign",
+			want:  "us-central1-docker.pkg.dev/projectsigstore/subrepo/cosign-ci/test:sha256-digest.sig",
 		},
 	}
 

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -139,6 +139,8 @@ func TestDuplicateSign(t *testing.T) {
 }
 
 func TestKeyURLVerify(t *testing.T) {
+	// TODO: re-enable once distroless images are being signed by the new client
+	t.Skip()
 	// Verify that an image can be verified via key url
 	keyRef := "https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub"
 	img := "gcr.io/distroless/base:latest"