Add support for Rekor (“transparency log”) uploads to sigstore signing #1784
rhatdan merged 3 commits into containers:main from
Conversation
@vrothberg PTAL.

// This is the github.com/sigstore/rekor/pkg/generated/models.Hashedrekord.APIVersion for github.com/sigstore/rekor/pkg/generated/models.HashedrekordV001Schema.
// We could alternatively use github.com/sigstore/rekor/pkg/types/hashedrekord.APIVERSION, but that subpackage adds too many dependencies.
const HashedRekordV001APIVersion = "0.0.1"
Can you open an issue with them to not pull in imports when defining types?
The APIVERSION constant lives in a code-focused package that implements various aspects of that type.
The actual type definition lives in https://github.com/sigstore/rekor/blob/main/openapi.yaml; the package we import is Swagger-generated, so that’s already the smaller package. (In fact it’s the smaller one, which is why it doesn’t carry the constant.)
It might be possible to change the YAML file so that a constant is included in the generated model, I couldn’t immediately find a way (if the version field were an enum, it would reject unknown versions completely).
Really, if anything, we’d like to avoid using even the generated types package, because that already adds too many dependencies. So asking upstream to change packages we don’t want to use feels a bit unreasonable.
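The constant discussed above, used end to end in an added example that is not code from containers/image or from rekor: one function builds a hashedrekord v0.0.1 entry body for upload, the other parses a body back on the verification side, where the apiVersion check that an enum in the schema would have enforced has to be done by hand. The struct is a hand-written subset of HashedrekordV001Schema; its field names are assumed to follow rekor's openapi.yaml rather than taken from the generated models.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Pinned locally, as the PR does, instead of importing rekor/pkg/types/hashedrekord.
const HashedRekordV001APIVersion = "0.0.1"
// Hand-written subset of HashedrekordV001Schema (assumption: field names follow rekor's openapi.yaml).
type hashSpec struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}
type hashedRekord struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Data      struct{ Hash hashSpec `json:"hash"` } `json:"data"`
		Signature struct {
			Content   string                                   `json:"content"`
			PublicKey struct{ Content string `json:"content"` } `json:"publicKey"`
		} `json:"signature"`
	} `json:"spec"`
}
// NewHashedRekordBody builds the body to upload: Rekor stores only the payload's
// SHA-256 digest, the raw signature bytes and the PEM-encoded public key.
func NewHashedRekordBody(payload, signature, publicKeyPEM []byte) ([]byte, error) {
	var e hashedRekord
	e.APIVersion, e.Kind = HashedRekordV001APIVersion, "hashedrekord"
	e.Spec.Data.Hash = hashSpec{Algorithm: "sha256", Value: fmt.Sprintf("%x", sha256.Sum256(payload))}
	e.Spec.Signature.Content = base64.StdEncoding.EncodeToString(signature)
	e.Spec.Signature.PublicKey.Content = base64.StdEncoding.EncodeToString(publicKeyPEM)
	return json.Marshal(e)
}

// PayloadHashFromBody is the verifier's counterpart: apiVersion is a plain string, not
// an enum, so unknown kinds, versions and hash algorithms must be rejected explicitly.
func PayloadHashFromBody(body []byte) (string, error) {
	var e hashedRekord
	if err := json.Unmarshal(body, &e); err != nil {
		return "", err
	}
	if e.Kind != "hashedrekord" || e.APIVersion != HashedRekordV001APIVersion || e.Spec.Data.Hash.Algorithm != "sha256" {
		return "", fmt.Errorf("unsupported Rekor entry %s/%s (%s)", e.Kind, e.APIVersion, e.Spec.Data.Hash.Algorithm)
	}
	return e.Spec.Data.Hash.Value, nil
}
```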
Only adds a data structure with JSON support, to be shared between the signing and verification code. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to make it easier to add more data to the created signature. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Tested manually in Skopeo. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
fyi @asraa |
LGTM
Tested manually with Skopeo; unit tests to hopefully come later per containers/container-libs#235 .
This provides an API; hooking up to the CLI or other code will be added later.
To test, see the commands at the end of https://github.com/mtrmac/skopeo/blob/c-image-integration-experiment/cmd/skopeo/cosign_test.go (a branch in a horrible state, which nevertheless contains all pending pieces):
skopeo copy --sign-by-sigstore=path/to/file, demonstrates both Rekor + private key, and Rekor + Fulcio.