feat(sigstore): add cosign signing handler [1/2] #2344
📝 Walkthrough

The PR introduces a complete Sigstore keyless signing/verification integration into the OCM Go bindings, including a cosign CLI wrapper with automatic binary provisioning, signing/verification handlers with v1alpha1 configuration types, and comprehensive integration tests using sigstore scaffolding infrastructure.
Sequence Diagrams

```mermaid
sequenceDiagram
    participant Client as OCM Client
    participant Handler as Sigstore Handler
    participant Executor as Cosign Executor
    participant CredGraph as Credential Graph
    participant Cosign as Cosign CLI
    participant Fulcio as Fulcio CA
    participant Rekor as Rekor Log
    Client->>Handler: Sign(digest, config, credentials)
    Handler->>CredGraph: Resolve OIDC token from credentials
    CredGraph-->>Handler: OIDC token
    Handler->>Handler: Validate signing config & endpoints
    Handler->>Executor: Run cosign sign-blob with token
    Executor->>Executor: Ensure cosign binary available (download if needed)
    Executor->>Cosign: Execute sign-blob with SIGSTORE_ID_TOKEN env var
    Cosign->>Fulcio: Request certificate
    Fulcio-->>Cosign: Fulcio certificate + issuer extension
    Cosign->>Rekor: Upload signature
    Rekor-->>Cosign: Rekor entry response
    Cosign-->>Executor: Return Sigstore bundle JSON
    Executor-->>Handler: Capture bundle output
    Handler->>Handler: Parse bundle, extract issuer from cert
    Handler-->>Client: SignatureInfo (base64-encoded bundle)
```

```mermaid
sequenceDiagram
    participant Client as OCM Client
    participant Handler as Sigstore Handler
    participant Executor as Cosign Executor
    participant CredGraph as Credential Graph
    participant TrustedRoot as Trusted Root Resolver
    participant Cosign as Cosign CLI
    participant Verifier as Cosign Verifier
    Client->>Handler: Verify(signature, config, credentials)
    Handler->>Handler: Validate signature media type & issuer/identity config
    Handler->>TrustedRoot: Resolve trusted root (inline → file → config → default)
    TrustedRoot->>CredGraph: Fetch from credential graph if available
    CredGraph-->>TrustedRoot: Trusted root JSON
    TrustedRoot-->>Handler: Trusted root content
    Handler->>Executor: Run cosign verify-blob with constraints
    Executor->>Cosign: Execute verify-blob with certificate identity/issuer flags
    Cosign->>Verifier: Verify bundle against trusted root
    Verifier->>Verifier: Check issuer/identity constraints (exact or regexp)
    Verifier->>Verifier: Validate signatures against Rekor log
    Verifier-->>Cosign: Verification result
    Cosign-->>Executor: Success/error output
    Executor-->>Handler: Command status
    Handler-->>Client: Verification result (success or error)
```
Add testcontainers-based Sigstore stack for end-to-end signing/verification tests: Dex (OIDC), Fulcio (certificate authority), Rekor (transparency log), CT Log, and TSA. Spins up a complete keyless signing infrastructure to validate the cosign handler against a real Sigstore stack. [2/3] Depends on feat/cosign-signing-handler-1-sigstore (open-component-model#2344) being merged and tagged first. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Add CLI support for keyless signing and verification via the sigstore cosign handler:

- OIDC browser flow for interactive token acquisition
- Built-in cosign plugin with OIDC identity token provider
- `ocm sign component-version` and `ocm verify component-version` commands wired to the cosign handler

[3/3] Depends on feat/cosign-signing-handler-1-sigstore (open-component-model#2344) being merged and tagged first.

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
fabianburth
left a comment
Currently, I'm not completely convinced that we should support the env vars initially. Do we have other places in the CLI where we do this? Or is this required for a certain flow?
Actionable comments posted: 4
🧹 Nitpick comments (4)
bindings/go/sigstore/signing/handler/resolve.go (1)
13-19: Consider also rejecting URLs with empty host.

`url.Parse` is lenient and accepts inputs like `"https:///foo"` or `"https:"` without returning an error; the scheme check then passes but the URL is effectively unusable. A small `u.Host == ""` guard would catch these cases and produce a clearer error than letting cosign fail later.

🛡️ Optional hardening:
if u.Scheme != "https" { return fmt.Errorf("%s: URL %q must use https scheme", field, rawURL) } + if u.Host == "" { + return fmt.Errorf("%s: URL %q must include a host", field, rawURL) + } return nil🤖 Prompt for AI Agents
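Review bot: the added `u.Host == ""` guard still lets `https://:443` through, because Go's `url.Parse` sets `Host` to `":443"` while `Hostname()` is empty; testing `u.Hostname() == ""` in the new `if` rejects both the empty-host and the port-only forms with the same error text.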
.github/renovate.json5 (1)
202-211: Verify `managerFilePatterns` glob syntax matches the target file.

All other `customManagers` entries in this file use regex-delimited patterns (e.g. `'/(^|/)\\.env(\\.local)?$/'` or `'/.github/workflows/**/*.yml'`), whereas this new entry uses a bare path string `'bindings/go/sigstore/signing/handler/cosign_version.go'`. Renovate treats non-delimited strings as minimatch globs, so this should match, but please double-check that Renovate picks up the file in a dry-run (or align it with the existing regex style for consistency, e.g. `'/bindings/go/sigstore/signing/handler/cosign_version\\.go$/'`).
bindings/go/sigstore/signing/handler/verify.go (2)
77-95: Credentials precedence over explicit config — confirm this is intentional.

`creds[CredentialKeyTrustedRootJSONFile]` overrides `cfg.TrustedRoot` even when the user sets both. That's a reasonable choice but worth documenting as a deliberate contract in the package docs so consumers aren't surprised when a credential silently shadows their verifier spec.
62-64: Nit: error message double-prefixes with cosign context.

`executor.VerifyData` already wraps errors as `"cosign verify-blob failed: ..."`, so the final message reads `"cosign verification failed: cosign verify-blob failed: ..."`. Consider just returning the executor error directly (or wrapping with a caller-oriented prefix like the signature name) to avoid redundancy.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/config/wordlist.txt:
- Line 717: Remove the duplicate "Testcontainers" entry from the wordlist by
deleting the redundant line (the second occurrence shown in the diff) so only
the original "Testcontainers" entry remains; locate the duplicate string
"Testcontainers" in .github/config/wordlist.txt (the one matching the diff) and
remove that line.
In `@bindings/go/sigstore/doc.go`:
- Around line 46-53: Update the stale documentation in
bindings/go/sigstore/doc.go to remove the incorrect reference to the
SIGSTORE_ID_TOKEN environment variable and clarify the actual flow: state that
the handler obtains the OIDC token from the credential graph (via
opts.IdentityToken in the cosign handler code) and forwards that token to
cosign, rather than reading it from the ambient environment; specifically remove
or rewrite the sentence(s) that claim users can supply tokens via
SIGSTORE_ID_TOKEN and instead mention the handler uses the credential graph /
opts.IdentityToken and forwards it to cosign.
In `@bindings/go/sigstore/signing/handler/cosign_download.go`:
- Around line 65-79: The cache-hit path currently returns any regular file at
cachedPath without verification; fetch the expected checksum first by calling
fetchExpectedChecksum(CosignVersion, binaryName) before checking the cache, add
a helper verifyFileSHA256(path, expectedHash) that opens the file, computes its
sha256 (using crypto/sha256 and io), compares it to expectedHash and returns an
error on mismatch, and use that helper in the cached-path branch to only return
cachedPath if verification succeeds; otherwise proceed with
cosignDownloadURL(...) and downloadAndVerify(...) as before.
---
Nitpick comments:
In @.github/renovate.json5:
- Around line 202-211: The managerFilePatterns entry for this custom manager
uses a bare path string which Renovate treats as a minimatch glob; update it to
the repository's regex-delimited style or verify via a dry-run: replace the
current managerFilePatterns value for this custom manager (the
managerFilePatterns array entry) with a regex-delimited pattern like
'/bindings/go/sigstore/signing/handler/cosign_version\\.go$/' to match exactly,
or run Renovate in dry-run to confirm the existing glob picks up
bindings/go/sigstore/signing/handler/cosign_version.go; ensure the change is
made next to the customManagers entry that contains matchStrings and
versioningTemplate so consistency is preserved.
In `@bindings/go/sigstore/signing/handler/resolve.go`:
- Around line 13-19: The URL validation in resolve.go uses url.Parse on rawURL
and only checks u.Scheme, which allows inputs like "https:" or "https:///foo"
with empty host; update the validation after url.Parse (around the u, err :=
url.Parse(rawURL) block and the existing u.Scheme check) to also reject URLs
with empty host by returning an error like fmt.Errorf("%s: URL %q must include a
host", field, rawURL) when u.Host == "" so unusable URLs are caught early.
In `@bindings/go/sigstore/signing/handler/verify.go`:
- Around line 77-95: Make the precedence of credentials over explicit config an
explicit, documented contract: update the package/docs and the comment for
resolveTrustedRootPath to state that CredentialKeyTrustedRootJSON (in-memory
JSON) then CredentialKeyTrustedRootJSONFile (file path) take precedence over
cfg.TrustedRoot, and mention this ordering (CredentialKeyTrustedRootJSON >
CredentialKeyTrustedRootJSONFile > cfg.TrustedRoot). Reference the
resolveTrustedRootPath function and the symbols CredentialKeyTrustedRootJSON,
CredentialKeyTrustedRootJSONFile, and cfg.TrustedRoot so consumers know the
credential values will shadow the verifier config.
- Around line 62-64: The current wrapper in the VerifyData call double-prefixes
“cosign” because executor.VerifyData already returns errors like "cosign
verify-blob failed: ..."; in the block that calls executor.VerifyData (passing
digestBytes, bundlePath, opts) remove the fmt.Errorf("cosign verification
failed: %w", err) wrapping and either return the executor error directly (return
err) or, if caller context is needed, wrap with a non-duplicating prefix (e.g.,
include the signature name) so the final message does not repeat "cosign".
⛔ Files ignored due to path filters (1)

- bindings/go/sigstore/go.sum is excluded by `!**/*.sum`

📒 Files selected for processing (25)

- .github/config/wordlist.txt
- .github/renovate.json5
- Taskfile.yml
- bindings/go/sigstore/Taskfile.yml
- bindings/go/sigstore/doc.go
- bindings/go/sigstore/go.mod
- bindings/go/sigstore/signing/handler/config_test.go
- bindings/go/sigstore/signing/handler/cosign.go
- bindings/go/sigstore/signing/handler/cosign_download.go
- bindings/go/sigstore/signing/handler/cosign_download_test.go
- bindings/go/sigstore/signing/handler/cosign_version.go
- bindings/go/sigstore/signing/handler/handler.go
- bindings/go/sigstore/signing/handler/handler_test.go
- bindings/go/sigstore/signing/handler/resolve.go
- bindings/go/sigstore/signing/handler/sign.go
- bindings/go/sigstore/signing/handler/sign_test.go
- bindings/go/sigstore/signing/handler/verify.go
- bindings/go/sigstore/signing/handler/verify_test.go
- bindings/go/sigstore/signing/v1alpha1/algorithm.go
- bindings/go/sigstore/signing/v1alpha1/config.go
- bindings/go/sigstore/signing/v1alpha1/group_version.go
- bindings/go/sigstore/signing/v1alpha1/oidc_identity_token.go
- bindings/go/sigstore/signing/v1alpha1/trusted_root_identity.go
- bindings/go/sigstore/signing/v1alpha1/zz_generated.deepcopy.go
- bindings/go/sigstore/signing/v1alpha1/zz_generated.ocm_type.go
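One way to implement the cache-hit verification that the `cosign_download.go` finding in the review above asks for, as an added example and not the PR's own code: `expectedChecksum` stands in for the comment's `fetchExpectedChecksum` (it reads a `<hex>  <filename>` listing instead of fetching it), `verifyFileSHA256` is the helper the comment names, and `resolveCachedBinary` is the guarded cache branch; the stand-in binary and the checksums listing are constructed inline.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// expectedChecksum returns the lower-case hex sha256 recorded for binaryName in a
// "<hex>  <filename>" listing, the layout of cosign's release checksum files.
func expectedChecksum(checksums, binaryName string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(checksums))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[1] == binaryName {
			return strings.ToLower(fields[0]), nil
		}
	}
	return "", fmt.Errorf("no checksum entry for %q", binaryName)
}

// verifyFileSHA256 hashes the file at path and compares the digest against
// expectedHex in constant time; a malformed expectation is an error, never a pass.
func verifyFileSHA256(path, expectedHex string) error {
	want, err := hex.DecodeString(expectedHex)
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("expected digest for %s is not a sha256 hex string", path)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	if got := sha256.Sum256(data); subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("sha256 mismatch for %s: got %x, want %x", path, got, want)
	}
	return nil
}

// resolveCachedBinary is the hardened cache-hit branch: cachedPath is returned only
// if it is a regular file whose digest matches. A missing file means "download";
// a present but mismatching file is an error, so it is never executed.
func resolveCachedBinary(cachedPath, expectedHex string) (path string, cached bool, err error) {
	fi, err := os.Stat(cachedPath)
	if os.IsNotExist(err) {
		return "", false, nil
	}
	if err != nil {
		return "", false, err
	}
	if !fi.Mode().IsRegular() {
		return "", false, fmt.Errorf("cached cosign at %s is not a regular file", cachedPath)
	}
	if err := verifyFileSHA256(cachedPath, expectedHex); err != nil {
		return "", false, err
	}
	return cachedPath, true, nil
}

// runScenario writes a constructed stand-in binary into dir and drives the cache
// check through a verified hit, a tampered file and a missing file.
func runScenario(dir string) (hitPath string, tamperedErr error, missingCached bool, err error) {
	const binaryName = "cosign-linux-amd64"
	content := []byte("#!/bin/sh\necho constructed stand-in for the cosign binary\n")
	sum := sha256.Sum256(content)
	// Constructed checksums listing; the second line is an unrelated artifact.
	checksums := hex.EncodeToString(sum[:]) + "  " + binaryName + "\n" +
		strings.Repeat("0", 64) + "  cosign-darwin-arm64\n"
	want, err := expectedChecksum(checksums, binaryName)
	if err != nil {
		return "", nil, false, err
	}
	cachedPath := filepath.Join(dir, binaryName)
	if err = os.WriteFile(cachedPath, content, 0o755); err != nil {
		return "", nil, false, err
	}
	if hitPath, _, err = resolveCachedBinary(cachedPath, want); err != nil {
		return "", nil, false, err
	}
	if err = os.WriteFile(cachedPath, append(content, '#'), 0o755); err != nil {
		return "", nil, false, err
	}
	_, _, tamperedErr = resolveCachedBinary(cachedPath, want)
	_, missingCached, err = resolveCachedBinary(filepath.Join(dir, "absent"), want)
	return hitPath, tamperedErr, missingCached, err
}

func main() {
	dir, err := os.MkdirTemp("", "cosign-cache-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(runScenario(dir))
}
```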
I removed the env var handling completely. The only thing that stays is that we hand over the OIDC token as env var to the cosign cli and that cosign itself still reads env vars when there are some. This is why we keep #2344 (comment)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bindings/go/sigstore/signing/handler/sign.go`:
- Around line 124-125: The error string returned when v1Issuer == "" violates
staticcheck ST1005 by starting with a capital letter; update the return in the
check for v1Issuer (the return "", errors.New(...)) in sign.go to start the
message lowercase (e.g., "fulcio certificate contains no issuer extension (OID
1.3.6.1.4.1.57264.1.1 or 1.3.6.1.4.1.57264.1.8)") so the error string begins
with a lowercase letter; keep the rest of the message unchanged and ensure the
change is applied where v1Issuer is validated.
In `@bindings/go/sigstore/signing/handler/verify_test.go`:
- Around line 29-42: The test currently mixes exact and regexp forms for
issuer/identity which masks the either/or semantics; update the test suite by
splitting the single case into two distinct tests: one "exact-only" case that
uses testVerifyConfig() defaults and asserts
mock.verifyOpts.CertificateOIDCIssuer and CertificateIdentity are set (and
regexp fields are empty), and a separate "regexp-only" case that sets
CertificateOIDCIssuerRegexp and CertificateIdentityRegexp (and leaves exact
fields empty) and asserts mock.verifyOpts.CertificateOIDCIssuerRegexp and
CertificateIdentityRegexp are forwarded (and exact fields are empty); locate and
modify the test that calls cfgSetup on VerifyConfig and assertions against
mockExecutor.verifyOpts/verifyCalled to implement these two focused test cases.
📒 Files selected for processing (7)

- .github/config/wordlist.txt
- bindings/go/sigstore/doc.go
- bindings/go/sigstore/signing/handler/config_test.go
- bindings/go/sigstore/signing/handler/sign.go
- bindings/go/sigstore/signing/handler/verify.go
- bindings/go/sigstore/signing/handler/verify_test.go
- bindings/go/sigstore/signing/v1alpha1/config.go
✅ Files skipped from review due to trivial changes (3)
- bindings/go/sigstore/doc.go
- bindings/go/sigstore/signing/handler/verify.go
- bindings/go/sigstore/signing/handler/config_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/config/wordlist.txt
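The issuer-extension lookup that the `sign.go` finding above concerns, as an added example rather than the PR's code: the two OIDs are the ones quoted in the comment, their encodings (1.1 a raw string, 1.8 a DER UTF8String) follow the Fulcio certificate specification, and the certificates are self-signed test material constructed here to stand in for Fulcio-issued ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio records the OIDC issuer in two extensions: per its certificate spec the
// deprecated 1.1 holds the raw issuer string and 1.8 holds a DER UTF8String.
var (
	sigstoreIssuerV1OID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	sigstoreIssuerV2OID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
)

var errNoIssuer = errors.New("fulcio certificate contains no issuer extension (OID 1.3.6.1.4.1.57264.1.1 or 1.3.6.1.4.1.57264.1.8)")

// extractIssuer prefers the DER-encoded 1.8 extension and falls back to the legacy 1.1 value.
func extractIssuer(cert *x509.Certificate) (string, error) {
	var v1, v2 string
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(sigstoreIssuerV2OID):
			rest, err := asn1.Unmarshal(ext.Value, &v2)
			if err != nil {
				return "", fmt.Errorf("issuer extension %s is not a DER string: %w", ext.Id, err)
			}
			if len(rest) != 0 {
				return "", fmt.Errorf("issuer extension %s has %d trailing bytes", ext.Id, len(rest))
			}
		case ext.Id.Equal(sigstoreIssuerV1OID):
			v1 = string(ext.Value)
		}
	}
	switch {
	case v2 != "":
		return v2, nil
	case v1 != "":
		return v1, nil
	}
	return "", errNoIssuer
}

// newCertWithExtension builds a throwaway self-signed certificate carrying ext
// (nil for none); constructed here to stand in for a Fulcio-issued certificate.
func newCertWithExtension(ext *pkix.Extension) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-test-cert"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
	}
	if ext != nil {
		tmpl.ExtraExtensions = []pkix.Extension{*ext}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuerViaV2 round-trips issuer through a certificate carrying only the 1.8 extension.
func issuerViaV2(issuer string) (string, error) {
	val, err := asn1.MarshalWithParams(issuer, "utf8")
	if err != nil {
		return "", err
	}
	cert, err := newCertWithExtension(&pkix.Extension{Id: sigstoreIssuerV2OID, Value: val})
	if err != nil {
		return "", err
	}
	return extractIssuer(cert)
}

// issuerViaV1 round-trips issuer through a certificate carrying only the legacy 1.1 extension.
func issuerViaV1(issuer string) (string, error) {
	cert, err := newCertWithExtension(&pkix.Extension{Id: sigstoreIssuerV1OID, Value: []byte(issuer)})
	if err != nil {
		return "", err
	}
	return extractIssuer(cert)
}

func main() {
	fmt.Println(issuerViaV2("https://oauth2.sigstore.dev/auth"))
	fmt.Println(issuerViaV1("https://token.actions.githubusercontent.com"))
}
```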
…kfile Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Task v3 forbids dotenv declarations in included Taskfiles. Use a sh: dynamic variable to source .env instead, keeping Renovate management of SCAFFOLDING_VERSION intact. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Introduce defaultHTTPClientTimeout (5 min) for cosign binary downloads, distinct from defaultOperationTimeout (3 min) for subprocess execution. The download needs more headroom on slow networks and is a one-time cached operation, while subprocess timeout can stay tighter. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
On Linux, scaffolding:bridge is skipped (platforms: [darwin]), so scaffolding:setup was never invoked and kubectl hit a non-existent API server. Adding scaffolding:setup as a direct dep ensures the kind cluster is created on all platforms before env extraction runs. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
The call-site warning (Verify uses trivially permissive identity patterns) was removed in the previous commit. The helper function has no remaining callers and is dead code. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Adds source reference and encoding notes for sigstoreIssuerV1OID and sigstoreIssuerV2OID, addressing reviewer request for RFC/spec citations. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
…tpClient from constructor

- Move HandlerOption type and With* functions to handler_options.go for readability (addressing review request)
- Drop httpClient parameter from NewCosignBinary — constructor always defaults; callers override via WithHTTPClient after construction
- Add comment on cosignDownloadURL explaining parametric goos/goarch for testability

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
…scaffolding setup The sigstore scaffolding's Trillian MySQL image (gcr.io/trillian-opensource-ci/db_server) is amd64-only, which broke after PR open-component-model#2293 switched CI to ARM64 runners. Reverts integration tests to ubuntu-latest (amd64). Also adds `run: once` to scaffolding:setup to prevent go-task from invoking it twice in parallel via the scaffolding:env dependency graph. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
The extract-sigstore-env.sh script requires cosign v3.0.6 to build trusted root and signing config from the scaffolding cluster. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
The extract-sigstore-env.sh script invokes cosign but scaffolding:env did not depend on cosign:install and lacked the PATH prefix to find the binary in tmp/bin. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Skarlso
left a comment
Well done!! Let's get this show on the road! :) 🎉 🎉
The cosignRunner refactor in PR open-component-model#2344 removed the Executor.Ensure method — binary resolution now happens lazily inside sign/verify. The type assertion in GetPlugin is dead code. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
…l#2344)

## Summary

Adds the `bindings/go/sigstore` module — a signing handler wrapping Cosign CLI for keyless signing and verification via Sigstore (Fulcio, Rekor, OIDC). Adds integration tests under `bindings/go/sigstore` which are fully based on [sigstore's scaffolding](https://github.com/sigstore/scaffolding) using a kind cluster with a full sigstore stack.

- **v1alpha1 types:** `CosignSigningConfig`, `OIDCIdentityToken`, `TrustedRootIdentity`, algorithm constants
- **Handler:** sign/verify operations using Cosign CLI subprocess, config resolution, cosign binary auto-download with checksum verification
- **Module infra:** `go.mod`, `Taskfile.yml`, root Taskfile include, renovate config for new module

## Merge order

This is **PR 1 of 2** — must be merged and tagged first:

1. **This PR** → sigstore handler module (`bindings/go/sigstore`)
2. `feat/cosign-signing-handler-3-cli` → CLI sign/verify commands (`cli/`)

PR 2 depends on this module being published.

## Test plan

- [ ] `task tools:golangci-lint/module ITEM=bindings/go/sigstore/ -- --fix` passes
- [ ] `task bindings/go/sigstore:test` passes
- [ ] CI module discovery picks up the new module

---------

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (D032990) <gerald.morrison@sap.com>
Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Co-authored-by: Matthias Bruns <github@matthiasbruns.com>

cf62896
## Summary

Integrates the sigstore cosign signing handler (#2344) into the OCM CLI:

- **Credential plugin registry** (`bindings/go/plugin/manager/registries/credentialplugin`) — generic registry that discovers and resolves `credentials.CredentialPlugin` implementations by their runtime type; plugins self-declare their scheme so callers never need to pre-register types manually
- **OIDC credential plugin** (`cli/internal/plugin/builtin/oidc`) — first concrete credential plugin; acquires OIDC identity tokens via interactive browser flow (`authorization-code`)
- **OIDC browser flow** (`cli/internal/oidcflow`) — opens browser for interactive OIDC token acquisition, runs local callback server, uses a copy of the sigstore success page, but OCM branded

> **Note:** Contains `replace` directives for `bindings/go/sigstore` — expected to fail in CI until PR 1 is merged and tagged.

## Merge order

This is **PR 2 of 2** — merge after PR 1 is tagged:

1. #2344 → sigstore handler module (**merge + tag first**)
2. **This PR** → CLI sign/verify commands

## TODO

- [ ] Enhance `sigstore-integration.yml` workflow with CLI sigstore integration tests as a single job that reuses the scaffolding environment: spin up scaffolding once, run handler integration tests, then run CLI integration tests (`cli/integration/`) against the same env
- [ ] Ensure `--signer-spec` with `SigstoreSigningConfiguration/v1alpha1` correctly threads `signingConfig` to the handler

## Test plan

- [ ] Remove `replace` directives, point to published tag
- [ ] Manual: `ocm sign component-version --signing-config <config>` triggers browser OIDC flow
- [ ] CI: `sigstore-integration.yml` runs handler + CLI E2E tests against scaffolding cluster
- [ ] CI: CLI integration tests sign and verify a CTF using `--signer-spec` and `--verifier-spec` with scaffolding OIDC token
- [ ] `credentialplugin.Registry` resolves `OIDCIdentityTokenProvider/v1alpha1` to the OIDC plugin
- [ ] Token exchange flow resolves subject token from env var, file, or inline value

---------

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Matthias Bruns <github@matthiasbruns.com>
## Summary Integrates the sigstore cosign signing handler (#2344) into the OCM CLI: - **Credential plugin registry** (`bindings/go/plugin/manager/registries/credentialplugin`) — generic registry that discovers and resolves `credentials.CredentialPlugin` implementations by their runtime type; plugins self-declare their scheme so callers never need to pre-register types manually - **OIDC credential plugin** (`cli/internal/plugin/builtin/oidc`) — first concrete credential plugin; acquires OIDC identity tokens via interactive browser flow (`authorization-code`) - **OIDC browser flow** (`cli/internal/oidcflow`) — opens browser for interactive OIDC token acquisition, runs local callback server, uses a copy of the sigstore success page, but OCM branded > **Note:** Contains `replace` directives for `bindings/go/sigstore` — expected to fail in CI until PR 1 is merged and tagged. ## Merge order This is **PR 2 of 2** — merge after PR 1 is tagged: 1. #2344 → sigstore handler module (**merge + tag first**) 2. 
**This PR** → CLI sign/verify commands ## TODO - [ ] Enhance `sigstore-integration.yml` workflow with CLI sigstore integration tests as a single job that reuses the scaffolding environment: spin up scaffolding once, run handler integration tests, then run CLI integration tests (`cli/integration/`) against the same env - [ ] Ensure `--signer-spec` with `SigstoreSigningConfiguration/v1alpha1` correctly threads `signingConfig` to the handler ## Test plan - [ ] Remove `replace` directives, point to published tag - [ ] Manual: `ocm sign component-version --signing-config <config>` triggers browser OIDC flow - [ ] CI: `sigstore-integration.yml` runs handler + CLI E2E tests against scaffolding cluster - [ ] CI: CLI integration tests sign and verify a CTF using `--signer-spec` and `--verifier-spec` with scaffolding OIDC token - [ ] `credentialplugin.Registry` resolves `OIDCIdentityTokenProvider/v1alpha1` to the OIDC plugin - [ ] Token exchange flow resolves subject token from env var, file, or inline value --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: Matthias Bruns <github@matthiasbruns.com> 2cd5842
## Summary

Adds the `bindings/go/sigstore` module — a signing handler wrapping the Cosign CLI for keyless signing and verification via Sigstore (Fulcio, Rekor, OIDC). Adds integration tests under `bindings/go/sigstore` which are fully based on sigstore's scaffolding, using a kind cluster with a full sigstore stack.

- `CosignSigningConfig`, `OIDCIdentityToken`, `TrustedRootIdentity`, algorithm constants
- `go.mod`, `Taskfile.yml`, root Taskfile include, renovate config for new module

## Merge order

This is **PR 1 of 2** — must be merged and tagged first:

1. (`bindings/go/sigstore`)
2. `feat/cosign-signing-handler-3-cli` → CLI sign/verify commands (`cli/`)

PR 2 depends on this module being published.

## Test plan

- [ ] `task tools:golangci-lint/module ITEM=bindings/go/sigstore/ -- --fix` passes
- [ ] `task bindings/go/sigstore:test` passes
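The keyless exchange the handler delegates to the Cosign CLI, reproduced offline as an added example (this is not code from the PR or the OCM project): an ephemeral key, a short-lived leaf certificate that binds the OIDC identity (SAN) and the OIDC issuer (Fulcio's issuer extension, whose OID is the real one from the Fulcio certificate spec), a signature over the blob digest, a JSON bundle parse, and on the verifying side the identity/issuer policy that `cosign verify-blob` expresses with `--certificate-identity` and `--certificate-oidc-issuer`, applied before the signature is checked. Assumptions not taken from the PR: the `Bundle` JSON shape is a simplified stand-in for cosign's bundle, the certificate is self-signed instead of Fulcio-issued, and chain validation against the trusted root and the Rekor inclusion check are left out. The point a practitioner should take away is that the issuer and identity come from the certificate, not from anything the bundle body claims, and that a mismatch on either rejects the signature even when it cryptographically verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's OIDC issuer extension (real OID, V2 form: the value is a DER-encoded UTF8String).
var oidIssuerV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

// Bundle is a simplified stand-in (assumption) for the JSON cosign writes; a real bundle also
// carries the Rekor entry, which is out of scope here. encoding/json base64-encodes []byte.
type Bundle struct {
	Cert      []byte `json:"cert"`      // DER leaf certificate
	Signature []byte `json:"signature"` // ASN.1 ECDSA signature over SHA-256(blob)
}

// signBlobKeyless reproduces the keyless flow offline: an ephemeral key, a short-lived leaf
// certificate binding the OIDC identity (rfc822Name SAN) and issuer (Fulcio extension), and a
// signature over the blob digest. Self-signed here; Fulcio issues it after validating the token.
func signBlobKeyless(blob []byte, identity, issuer string) (*Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuerDER, _ := asn1.MarshalWithParams(issuer, "utf8") // only fails on invalid UTF-8
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute), // Fulcio leaf certs are short-lived
		KeyUsage:        x509.KeyUsageDigitalSignature,
		EmailAddresses:  []string{identity},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerV2, Value: issuerDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{Cert: der, Signature: sig}, nil
}

// parseBundle decodes the JSON a cosign invocation wrote to stdout or its --bundle file.
func parseBundle(raw []byte) (*Bundle, error) {
	var b Bundle
	return &b, json.Unmarshal(raw, &b)
}

// issuerFromCert reads the OIDC issuer from the Fulcio extension: the verifier trusts this
// certificate-bound value, never an issuer string taken from the bundle body.
func issuerFromCert(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuerV2) {
			var s string
			_, err := asn1.UnmarshalWithParams(ext.Value, &s, "utf8")
			return s, err
		}
	}
	return "", fmt.Errorf("certificate carries no Fulcio issuer extension")
}

// verifyBlobKeyless applies the --certificate-identity / --certificate-oidc-issuer policy, then
// checks the signature with the leaf's key. Assumed done elsewhere: chain to Fulcio root, Rekor.
func verifyBlobKeyless(blob []byte, b *Bundle, wantIdentity, wantIssuer string) error {
	cert, err := x509.ParseCertificate(b.Cert)
	if err != nil {
		return err
	}
	if issuer, err := issuerFromCert(cert); err != nil || issuer != wantIssuer {
		return fmt.Errorf("issuer %q (err=%v), expected %q", issuer, err, wantIssuer)
	}
	identityOK := false
	for _, e := range cert.EmailAddresses {
		identityOK = identityOK || e == wantIdentity
	}
	if !identityOK {
		return fmt.Errorf("identity %q not among SANs %v", wantIdentity, cert.EmailAddresses)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type in leaf certificate")
	}
	if digest := sha256.Sum256(blob); !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return fmt.Errorf("signature does not verify over blob digest")
	}
	return nil
}
```

Sign, marshal the bundle, parse it back with `parseBundle`, and call `verifyBlobKeyless` with the expected identity and issuer; the same bundle checked against a different issuer or identity, or against a modified blob, must fail. The ordering matters in practice: checking the certificate-bound identity before the signature means an attacker who obtains any valid Fulcio certificate cannot get a signature accepted under someone else's identity.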