cosign: tlog-upload flag deprecated

[crazy-max]

While working on #900 and looking at the latest cosign 3.0.3 release notes: https://github.com/sigstore/cosign/releases/tag/v3.0.3

I found that tlog-upload flag has been deprecated: sigstore/cosign#4458

We are using this flag in

actions-toolkit/src/sigstore/sigstore.ts

Lines 82 to 92 in 8b935c6

	const cosignArgs = [
	'sign',
	'--yes',
	'--oidc-provider', 'github-actions',
	'--registry-referrers-mode', 'oci-1-1',
	'--new-bundle-format',
	'--use-signing-config'
	];
	if (noTransparencyLog) {
	cosignArgs.push('--tlog-upload=false');
	}

To disable upload to transparency logs for private repos in our github builder: https://github.com/docker/github-builder-experimental

actions-toolkit/src/sigstore/sigstore.ts

Lines 296 to 298 in 8b935c6

	private static noTransparencyLog(noTransparencyLog?: boolean): boolean {
	return noTransparencyLog ?? GitHub.context.payload.repository?.private;
	}

Looking at the PR description, it seems the right way is to use a "signing config" but not sure what it means. We don't provide any as we rely on the github-actions provider and might be therefore directly generated by cosign?

Not sure it relates to use-signing-config flag?:

    --use-signing-config=true:
        whether to use a TUF-provided signing config for the service URLs. Must set --new-bundle-format, which will
        store verification material in the new format

@haydentherapper Do you have more information about this signing config? Thanks 🙏

cc @tonistiigi

[tonistiigi]

it seems the right way is to use a "signing config" but not sure what it means. We don't provide any as we rely on the github-actions provider and might be therefore directly generated by cosign?

The signing config just has things like rekor/fulcio URL etc. , not Github specific. https://github.com/sigstore/root-signing/blob/main/targets/signing_config.v0.2.json is the Fulcio default(same as the one shown in --help I think).

[crazy-max]

The signing config just has things like rekor/fulcio URL etc. , not Github specific. https://github.com/sigstore/root-signing/blob/main/targets/signing_config.v0.2.json is the Fulcio default(same as the one shown in --help I think).

Ah I see the signing-config flag yeah:

    --signing-config='':
        path to a signing config file. Must provide --new-bundle-format, which will store verification material in the
        new format

That's a bit unfortunate we would need a roundtrip to write a file just to disable upload to transparency log 🤔

[tonistiigi]

Yeah, it is a bit weird. Iiuc default config is loaded from TUF, but if we want to disable tlog for specific builds we need to either hardcode the signing config or fetch directly from some TUF storage without any signature verification.

For our case, maybe we should hardcode anyway, though, as we don't have to support old versions on the signing side. I don't see a big issue with using the TUF one as well, but I wouldn't use a remote one if it is not validated.

[Hayden-IO]

Thanks for the feedback. We're trying to standardize the interface across CLIs and avoid multiple ways of configuring what set of services are used while signing. Concurrently, we also want to make sure that tlog-upload=false is not misused. If an artifact is to be released publicly, it should be transparently auditable. Providing a signing config without a Rekor URL is (at least as I see it) a reasonable speedbump, where an ecosystem explicitly opts out of transparency.

The extra roundtrip is a good point. To avoid the roundtrip, what would you think about using another cosign command that simplifies construction of a signing config from an existing signing config? We already have cosign signing-config create, it'd be simple to add a flag like --from-default-repo or something similar, and then --rekor-url="" to remove Rekor from the service list. This also has the added benefit of still pulling from the TUF repo to avoid hardcoding URLs that become stale.

[tonistiigi]

We already have cosign signing-config create, it'd be simple to add a flag like --from-default-repo or something similar, and then --rekor-url="" to remove Rekor from the service list. This also has the added benefit of still pulling from the TUF repo to avoid hardcoding URLs that become stale.

Yes, that was something that I was looking for, but couldn't find suitable flags.

[Hayden-IO]

Happy to add this flag later this week, unless you'd like to contribute it. You can also hack around this in the meantime with cosign initialize, grab the signing config from the cached ~/.sigstore/root/targets/signing_config.v0.2.json, then rebuild the signing config with cosign signing-config create with all service URLs extracted from the signing config except for Rekor.

[Hayden-IO]

sigstore/cosign#4592 to implement this flag.