
Improve json output of cosign verify #1370

Closed
ribbybibby opened this issue Jan 28, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@ribbybibby
Contributor

Description
From this discussion: https://sigstore.slack.com/archives/C01PZKDL4DP/p1643231244166000

At the moment, cosign verify returns something like this:

[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/jimbugwadia/pause2"
      },
      "image": {
        "docker-manifest-digest": "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEYCIQD/1Gy6s6DNtELetftKzpV8YndhwWiWR402w480eQg28gIhALcp+mIYcvgvaKz8qjNZLDeOYJ8heG3hHznpOhwN6Pku",
        "Payload": {
          "body":   .<TRIM>,
          "integratedTime": 1643182752,
          "logIndex": 1161837,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "Issuer": "https://github.com/login/oauth",
      "Subject": "..."
    }
  }
]

The optional fields there aren't actually part of the payload, they're added in by cosign verify here.

The 'optional' information there is very useful but I think it's deceiving because (as was evidenced in the slack conversation) it created confusion when trying to check the contents of the payload in another context.

I was thinking some representation of this interface might be clearer because it would correspond to the functions available when dealing with signatures in your code.

It would also provide a decent amount of information that could be piped into policy engines or used in other contexts:

cosign verify | opa eval --stdin-input '<policy>'

Something like this:

{
  "annotations": {
    "foo": "bar",
    "bar": "foo"
  },
  "payload": .<TRIM>.,
  "cert": {
    "iss": "https://github.com/login/oauth",
    "sub": "..."
  },
  "bundle": {
    "SignedEntryTimestamp": "MEYCIQD/1Gy6s6DNtELetftKzpV8YndhwWiWR402w480eQg28gIhALcp+mIYcvgvaKz8qjNZLDeOYJ8heG3hHznpOhwN6Pku",
    "Payload": {
      "body":   .<TRIM>,
      "integratedTime": 1643182752,
      "logIndex": 1161837,
      "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
    }
  },
  "timestamp": 1643182752
}

@dlorenc @developer-guy @JimBugwadia

@ribbybibby ribbybibby added the enhancement New feature or request label Jan 28, 2022
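One way a consumer of today's output could deal with the confusion described above, as an added example and not cosign's own code: it splits each verify result into the signed "critical" claims, the keys cosign injects into "optional" after verification, and any remaining signer annotations, then applies a digest/issuer/subject policy to the right part. The sample output (trimmed), the Subject value and the VERIFIER_ADDED key set are assumptions.

```python
import json

# Constructed sample in the shape of today's `cosign verify` output
# (long fields trimmed; the Subject is a placeholder, not a real identity).
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/jimbugwadia/pause2"},
        "image": {"docker-manifest-digest": "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105"},
        "type": "cosign container image signature",
    },
    "optional": {
        "Bundle": {"Payload": {"integratedTime": 1643182752, "logIndex": 1161837}},
        "Issuer": "https://github.com/login/oauth",
        "Subject": "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
    },
}])

# Keys that `cosign verify` injects into "optional" after verification (assumed set).
# They are not part of the signed payload, so they are kept apart from
# annotations the signer attached at signing time.
VERIFIER_ADDED = {"Bundle", "Issuer", "Subject"}


def split_entry(entry):
    """Split one result into signed claims, verifier metadata and signer annotations."""
    optional = entry.get("optional") or {}
    return {
        "signed": entry["critical"],
        "verifier": {k: v for k, v in optional.items() if k in VERIFIER_ADDED},
        "annotations": {k: v for k, v in optional.items() if k not in VERIFIER_ADDED},
    }


def check_output(raw, expected_digest, expected_issuer, expected_subject):
    """Return policy failures for each signature; an empty list means all passed."""
    failures = []
    for i, entry in enumerate(json.loads(raw)):
        parts = split_entry(entry)
        # The digest is a signed claim; issuer/subject come from the verified cert.
        digest = parts["signed"]["image"]["docker-manifest-digest"]
        if digest != expected_digest:
            failures.append(f"sig {i}: digest mismatch {digest}")
        if parts["verifier"].get("Issuer") != expected_issuer:
            failures.append(f"sig {i}: unexpected issuer")
        if parts["verifier"].get("Subject") != expected_subject:
            failures.append(f"sig {i}: unexpected subject")
        if "Bundle" not in parts["verifier"]:
            failures.append(f"sig {i}: no Rekor bundle, no transparency-log evidence")
    return failures
```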
@dlorenc
Member

dlorenc commented Feb 2, 2022

I like this idea!

@znewman01
Contributor

This may be more appropriate for a new cosign inspect verb (#2210).

See #2056 for background.

@ribbybibby
Contributor Author

cosign inspect looks like a much better approach to this so I'll close this in favour of that.
