Open
Labels: image (Related to "image" package)
Description
Captured from PRs
- Writes to quay.io currently (Oct 13 2022) fail with HTTP status 500
- Unit tests for "Add support for reading and writing Cosign attachments to c/image/docker" (image#1595), at least the config file handling
- Unit tests for "Cosign sign" (image#1597)
- Unit tests for "Add support for Rekor (“transparency log”) uploads to sigstore signing" (image#1784)
- Unit tests for "Fulcio signing implementation" (image#1785)
- Unit tests for "Add a sigstore signing parameter file format, and CLI utility" (image#1787)
- Check if we can reduce the binary size
- "Split sagoodkey.NewKeyPolicy from goodkey.NewKeyPolicy" (letsencrypt/boulder#6651) + "Update letsencrypt/boulder after https://github.com/letsencrypt/boulder/pull/6651" (image#1849)
- "UNTESTED: Replace sigstore/rekor/pkg/client with a manually-created client" (image#1845)
- "Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3" (sigstore/sigstore#969)
- "Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3" (ocicrypt#82)
- Only fetch the attachment config if we actually have a new signature to add (and if we continue to update the DiffID list).
- Only upload an updated attachment config and manifest if we added at least one new signature.
- Use `private.UnparsedImage.UntrustedSignatures`, not `types.UnparsedImage.Signatures`, throughout `c/image/signature` so that non-simple signatures are not silently ignored on some code paths, and the code at least logs that they were not considered.
- Consider accepting any of a set of public keys: "Add `keyPaths`, `keyDatas` to `prSigstoreSigned`" (image#2524)
- Consider allowing `remapIdentity` to do repo-only matching.
- Pass the `copy.Image` report writer and/or progress bar objects to transports, use that for reporting attachment reads/writes
- Do we actually need to add layers to the attachment config’s `DiffIDs` array?
- Possibly test `isManifestUnknown` from "Add support for reading and writing Cosign attachments to c/image/docker" (image#1595) against various registries?
- Possibly consider accepting an image with a signed manifest list but not the individual images (i.e. `cosign sign` without `--recursive`)