Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provenance attestation does not contain subjects for each tag created. #1594

Open
marcofranssen opened this issue Mar 11, 2022 · 0 comments
Open

Provenance attestation does not contain subjects for each tag created. #1594

marcofranssen opened this issue Mar 11, 2022 · 0 comments
Labels
enhancement New feature or request

Comments

@marcofranssen
Copy link
Contributor

marcofranssen commented Mar 11, 2022
edited
Loading

Description

https://github.com/philips-labs/slsa-provenance-action generates provenance where each tag is captured as a subject in the provenance.

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "philipssoftware/slsa-provenance:dddb40e199ae28d4cd2f17bad7f31545556fdd3d",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    },
    {
      "name": "philipssoftware/slsa-provenance:v0.7.2",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    
  }
}

Cosign is currently only capturing the repository as a subject.

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "philipssoftware/slsa-provenance",
      "digest": {
        "sha256": "e3378aef23821fd6e210229e5b98b5bead2858581b2d590d9e3b49d53c3f71e7"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    
  }
}

See philips-labs/slsa-provenance-action#159 for more details on how we use both slsa-provenance and cosign in our workflow.

Currently there is no way to instruct cosign to take all the tags for a given digest. The downside of this is that you can't easily relate from the build provenance which tags have been released for a given digest/image.

Is this a feature that can be added to cosign? Or maybe should we drop this feature?
@marcofranssen marcofranssen added the enhancement New feature or request label Mar 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@marcofranssen