chore(docs): add ADR proposal for signing and verification of component descriptors#599
…criptors Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Co-authored-by: Matthias Bruns <github@matthiasbruns.com> Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
Force-pushed 28624d9 to db594e9
fyi: texts are improved by ai 🤖
Pull Request Overview
This PR introduces an ADR (Architecture Decision Record) for the signing and verification of component descriptors in the Open Component Model (OCM). The proposal establishes a two-step flow for digest calculation and signing, with optional OCI Cosign support for enhanced interoperability.
Key changes:
- Defines a standardized approach to component descriptor signing using JCS canonicalization
- Introduces separate commands for digest calculation and signing operations
- Adds comprehensive Cosign integration with OIDC authentication flows
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/adr/0008_signing_verification.md | Complete ADR document defining the signing/verification architecture with CLI examples and implementation details |
| .github/config/wordlist.txt | Adds technical terms used in the ADR to the spell-check allowlist |
> ```sh
> # Step 2 — Signing (no digest mutation)
> # Direct signing via a single --cert (+ optional password).
> # Optional OCI Cosign signing for the same canonical payload.
> ocm sign cv <ref> \
> ```
This flag set is completely against our hard coding of signing plugins. We explicitly did not want to introduce hard-coded flags for signing implementations on the command line, which is why open-component-model/ocm-project#544 exists. Does this here suggest dropping this again?
applied plugin stuff as far as I understood it
> ### Cosign OIDC token capture (implementation sketch)
>
> ```go
> func resolveSigstoreIDToken(ctx context.Context, flagToken string) (string, error) {
> ```
See my comment above: is it possible to sign / verify across a binary boundary?
I can provide a test project for this.
> ---
>
> ## Sequence Diagrams
These flows completely omit (maybe on purpose) signing handlers as plugins for OCM. This means we would have to build a hard go.mod dependency on sigstore, which is (for me) an absolute hard rejection argument because of cosign's difficult dependency chain that we would inherit (see https://github.com/sigstore/cosign/blob/main/go.mod).
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
> 3. Else, if an interactive TTY is available, run an **interactive loopback** browser flow to retrieve the token.
> 4. Else, run the **device flow** to retrieve the token.
> - Produce a Cosign signature over the **same canonical bytes**.
> - When `--cosign-upload` is present and `<ref>` maps to an OCI subject (`<name>@<digest>`), attach the Cosign signature to the registry using Cosign conventions.
Could you elaborate on how the signing and verification workflows would compare for:
- a component stored in OCI (so we can upload the signature)
- a component not stored in OCI (so we cannot upload the signature)
> - Computes the component-version digest from canonical bytes.
> - If `--pin` is provided, compares and fails on mismatch.
I think currently the ADR does mention the actual original purpose of `--pin`, which was to avoid an additional roundtrip of downloading resources and descriptors after already having done that in add digests. In general, the relationship between those commands is not really apparent here.
…nce our normalization On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
…iasbruns/open-component-model into docs/signing-verification-handler
I think this PR needs to be rewritten for several reasons:
…-model into docs/signing-verification-handler
Closing as discussed.
…nt descriptors (#767)

Continuation of #547 and #599

#### What this PR does / why we need it
Enable easy interpretation of component descriptors in normalized form and provide a consistent experience for signing and verifying component descriptors.

#### Which issue(s) this PR fixes
fix open-component-model/ocm-project#579

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Co-authored-by: Matthias Bruns <github@matthiasbruns.com>
Co-authored-by: Fabian Burth <fabian.burth@sap.com>
Co-authored-by: Gergely Brautigam <gergely.brautigam@sap.com>