Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: allow cosign download sbom when image is absent #3245

Merged
merged 4 commits into from
Oct 17, 2023
Merged

fix: allow cosign download sbom when image is absent #3245

merged 4 commits into from
Oct 17, 2023

Conversation

vishal-chdhry
Copy link
Contributor

Summary

Closes: #2603

Cosign will not fail to download sbom when image is absent.

This PR build on top of changes made in: #2959

Proof:

$ DIGEST=$(crane digest cgr.dev/chainguard/static)

$ crane copy cgr.dev/chainguard/static@$DIGEST ttl.sh/sbom-no-img:1h
2023/09/16 21:37:03 Copying from cgr.dev/chainguard/static@sha256:a432665213f109d5e48111316030eecc5191654cf02a5b66ac6c5d6b310a5511 to ttl.sh/sbom-no-img:1h
...
sha256:a432665213f109d5e48111316030eecc5191654cf02a5b66ac6c5d6b310a5511 size: 1835

$ go run ./cmd/cosign sign ttl.sh/sbom-no-img:1h 
Generating ephemeral keys...
Retrieving signed certificate...
...
Pushing signature to: ttl.sh/sbom-no-img

$ go run ./cmd/cosign attach sbom ttl.sh/sbom-no-img@$DIGEST  --sbom <(echo "{}")
WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest --predicate /dev/fd/11 --key <key path>' or 'cosign sign --key <key path> --attachment sbom <image uri>'.
Uploading SBOM file for [ttl.sh/sbom-no-img@sha256:a432665213f109d5e48111316030eecc5191654cf02a5b66ac6c5d6b310a5511] to [ttl.sh/sbom-no-img:sha256-a432665213f109d5e48111316030eecc5191654cf02a5b66ac6c5d6b310a5511.sbom] with mediaType [text/spdx].

$ go run ./cmd/cosign download sbom ttl.sh/sbom-no-img@$DIGEST 

WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx
{}

$ crane delete ttl.sh/sbom-no-img@$DIGEST 

$ crane delete ttl.sh/sbom-no-img@$DIGEST # delete confirmation
Error: DELETE https://ttl.sh/v2/sbom-no-img/manifests/sha256:a432665213f109d5e48111316030eecc5191654cf02a5b66ac6c5d6b310a5511: MANIFEST_UNKNOWN: manifest unknown

$ go run ./cmd/cosign download sbom ttl.sh/sbom-no-img@$DIGEST
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>' or verify its signature using 'cosign verify --key <key path> --attachment sbom <image uri>'.
Found SBOM of media type: text/spdx
{}

Release Note

Added support for cosign download sbom when image is absent

Documentation

@vishal-chdhry
fix: allow cosign download sbom when image is absent
29bf448 
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@codecov
Copy link

codecov bot commented Sep 16, 2023
edited
Loading

Codecov Report

Merging #3245 (6995070) into main (d5b8c35) will increase coverage by 0.58%.
Report is 44 commits behind head on main.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #3245      +/-   ##
==========================================
+ Coverage   30.35%   30.93%   +0.58%     
==========================================
  Files         155      155              
  Lines        9845     9929      +84     
==========================================
+ Hits         2988     3072      +84     
+ Misses       6410     6404       -6     
- Partials      447      453       +6

see 11 files with indirect coverage changes

@vishal-chdhry
fix: remove lint issue
f42e033 
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry
fix: add errors.As
5e46254 
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
haydentherapper
haydentherapper previously approved these changes Oct 16, 2023
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems good to me, but I'm not familiar with the code path - @imjasonh @hectorj2f can you confirm this LGTY?

hectorj2f
hectorj2f previously approved these changes Oct 17, 2023
View reviewed changes
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, although we could add comments in the code to explain it.

@vishal-chdhry
feat: added comments
6995070 
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
@vishal-chdhry
Copy link
Contributor Author

@haydentherapper @hectorj2f Added comments can you please review?

@hectorj2f hectorj2f merged commit bb4715c into sigstore:main Oct 17, 2023
28 checks passed
@github-actions github-actions bot added this to the v2.3.0 milestone Oct 17, 2023
@cpanato cpanato modified the milestones: v2.3.0, v2.2.1 Nov 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hectorj2f hectorj2f hectorj2f approved these changes

@haydentherapper haydentherapper Awaiting requested review from haydentherapper

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.2.1
Development

Successfully merging this pull request may close these issues.

cosign download sbom fails when the remote image is absent
4 participants
@vishal-chdhry @hectorj2f @haydentherapper @cpanato