Introduce SignedArtifactBundle #171
Conversation
There was a problem hiding this comment.
I have nothing against adding this new struct, but I'm a bit reluctant to rename the current Bundle struct. This would break our public API, which is not a taboo, but should be pondered.
Why don't we create instead a new struct called SignedArtifactBundle? The bundle you're referencing is created only by the sign-artifact command of cosign.
I think this approach would be more clear about what this new struct is about and avoid the API break.
What do you think?
PS: regardless of that, the new struct should have some inline documentation
|
Indeed, this is a breaking change for |
Sounds good, I'll take a look at this and also add some documentation 👍 |
|
Thanks @danbev! 🙏 |
This commit adds a new struct named SignedArtifactBundle which
represents a signed artifact bundle as produced when signing with cosign
and specifying the --bundle option.
The motivation for change comes from trying to implement an example
that verifies a blob using a bundle. For example, first a blob is
signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txt
The `artifact.bundle` file generated by the above command will look
something like this (shortened to fit the commit message format):
{
"base64Signature": "...",
"cert": "...",
"rekorBundle": {
"SignedEntryTimestamp": "...",
"Payload": {
"body": "...",
"integratedTime": 1669361833,
"logIndex": 7810348,
"logID": "..."
}
}
}
Currently, to create Bundle from this, one would have to parse the
string as json, and then access the `rekorBundle` element, and then
serialize it so that it can be passed to `Bundle::new_verified`.
With the changes in this commit it will be possible to call
`SignedArtifactBundle::new_verified` and pass in the contents for the
bundle file directly.
Refs: sigstore#117
Signed-off-by: Daniel Bevenius <[email protected]>
danbev
changed the title
Add inline documentation. Signed-off-by: Daniel Bevenius <[email protected]>
|
@danbev thanks for the submission! |
Summary
This commit adds a new struct named SignedArtifactBundle which represents a signed artifact bundle as produced when signing with cosign and specifying the --bundle option.
The motivation for change comes from trying to implement an example that verifies a blob using a bundle.
For example, first a blob is signed using the following command:
cosign sign-blob --bundle=artifact.bundle artifact.txtThe
artifact.bundlefile generated by the above command will look something like this (shortened to fit the commit message format):{ "base64Signature": "...", "cert": "...", "rekorBundle": { "SignedEntryTimestamp": "...", "Payload": { "body": "...", "integratedTime": 1669361833, "logIndex": 7810348, "logID": "..." } } }Currently, to create Bundle from this, one would have to parse the string as json, and then access the
rekorBundleelement, and then serialize it so that it can be passed toBundle::new_verified.With the changes in this commit it will be possible to call
SignedArtifactBundle::new_verifiedand pass in the contents for the bundle file directly.Refs: #117
Signed-off-by: Daniel Bevenius [email protected]
Release Note
NONE
Documentation
NONE