Skip to content

Add support for SigningConfig in sign/attest #4371

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Add support for SigningConfig in sign/attest #4371

wants to merge 4 commits into from

Conversation

haydentherapper
Copy link
Contributor

@haydentherapper haydentherapper commented Aug 27, 2025
edited
Loading

Summary

This will indirectly add support for signing with Rekor v2, since signing will be handled by sigstore-go rather than Cosign.

This also brings sign/attest up to par with the recent changes to sign-blob/attest-blob, including signing with a key and providing a path to a trusted root when providing a signing config to verify after signing.

This feature is gated behind one of two signing config flags, which in a later version of Cosign will be flipped to on by default. Once this is the default, we'll be able to refactor the core signing and verification logic in Cosign, largely replacing it with sigstore-go.

Fixes #4324

Release Note

Documentation

@codecov Codecov
Copy link

codecov bot commented Aug 27, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 11.38393% with 397 lines in your changes missing coverage. Please review.
✅ Project coverage is 33.88%. Comparing base (2ef6022) to head (ee986f2).
⚠️ Report is 491 commits behind head on main.

Files with missing lines Patch % Lines
cmd/cosign/cli/sign/sign.go 2.24% 87 Missing ⚠️
cmd/cosign/cli/attest/attest.go 0.00% 69 Missing ⚠️
cmd/cosign/cli/attest.go 0.00% 51 Missing ⚠️
cmd/cosign/cli/attest/attest_blob.go 2.22% 43 Missing and 1 partial ⚠️
cmd/cosign/cli/sign/sign_blob.go 2.22% 43 Missing and 1 partial ⚠️
cmd/cosign/cli/attest_blob.go 0.00% 29 Missing ⚠️
cmd/cosign/cli/sign.go 0.00% 29 Missing ⚠️
cmd/cosign/cli/options/attest.go 0.00% 14 Missing ⚠️
cmd/cosign/cli/options/sign.go 0.00% 11 Missing ⚠️
internal/key/svkeypair.go 81.03% 8 Missing and 3 partials ⚠️
... and 2 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4371      +/-   ##
==========================================
- Coverage   40.10%   33.88%   -6.22%     
==========================================
  Files         155      217      +62     
  Lines       10044    15341    +5297     
==========================================
+ Hits         4028     5199    +1171     
- Misses       5530     9473    +3943     
- Partials      486      669     +183

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@haydentherapper haydentherapper force-pushed the sc-sign-attest branch 2 times, most recently from 1d07438 to 8dbe6bf Compare August 27, 2025 23:15
@haydentherapper haydentherapper changed the title Sc sign attest Add support for SigningConfig in sign/attest Aug 27, 2025
@haydentherapper haydentherapper marked this pull request as ready for review August 27, 2025 23:44
@haydentherapper haydentherapper requested a review from a team as a code owner August 27, 2025 23:44
@haydentherapper
Copy link
Contributor Author

Putting this up for an early review. Only the last commit is new, the first two commits will be merged in other open PRs. I also am currently doing some manual testing.

@haydentherapper
Copy link
Contributor Author

haydentherapper commented Aug 28, 2025
edited
Loading

Testing against staging with a local zot instance:

Sign:

cosign sign --new-bundle-format --use-signing-config --yes localhost:5050/busybox:latest
cosign verify --new-bundle-format --certificate-identity=$email --certificate-oidc-issuer=https://accounts.google.com --use-signed-timestamps localhost:5050/busybox:latest

oras blob fetch --output - localhost:5050/busybox@sha256:2e6e693c1a62b4f9e006eead11076f39b5a7940a71f4c608324568fe12f396fc | jq .

{
  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
  "verificationMaterial": {
    "certificate": {
      "rawBytes": "MIICzjCCAlOgAwIBAgIUF/ZyPksSsstDsqaZISaWcDBL684wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjUwODI4MDAwNDMwWhcNMjUwODI4MDAxNDMwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEt2xsbKVrtLu0YZxn/TJqlu05/vSnRXRUsCzhGsbJTnkl9g9vRnh113MXvXZ+8EwPK3F4wes7fv4q8rJY+fe4XqOCAXIwggFuMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU5U00OtEMmKLnP/Ma2cHO9lLDXUQwHwYDVR0jBBgwFoAUcYYwphR8Ym/599b0BRp/X//rb6wwIwYDVR0RAQH/BBkwF4EVaGJsYXV6dmVybkBnb29nbGUuY29tMCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEEAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBiQYKKwYBBAHWeQIEAgR7BHkAdwB1ACswvNxoiMni4dgmKV50H0g5MZYC8pwzy15DQP6yrIZ6AAABmO39gk8AAAQDAEYwRAIgRC0J8n46B7zf2+5uYPHvqUO4qPSMPvmzupDuUyCjeFcCIHcVR3wdAEL/NJqq1PVRHXbiAgFHWQiV9jl1KHU8/3HoMAoGCCqGSM49BAMDA2kAMGYCMQC1UPOz7HdO9RbHz37o7ogyDKLC2lFUvyJV8AIXHFuO79K+W3RlFHcOxicBXT23ERUCMQDKv6MJzilBEdbVRL8JamO79ASQkL0yaY8jEAbx2vyAkM+bRDSDPN3VbHFcGoXeKyA="
    },
    "tlogEntries": [
      {
        "logIndex": "12653",
        "logId": {
          "keyId": "KfSiSX2iRLyhK62SUVL47vVcqqRx/RAewpKJm8IdZTo="
        },
        "kindVersion": {
          "kind": "dsse",
          "version": "0.0.2"
        },
        "inclusionProof": {
          "logIndex": "12653",
          "rootHash": "fYshRW6nXqcskwfN7nsKsSafcKRgg2ecRB2esuCvfsY=",
          "treeSize": "12654",
          "hashes": [
            "MVX3t35pWRVJT8kI8E8VhzXEtaMiBW5X+yTg+c5rRZ8=",
            "xo0nSM6X1VP86U0LV0080T85/1GhoNbKhKWqXs6ittw=",
            "kB/wdWX34RvwCwwrx8hZhzxqDNTmAGNfDsgVOhkWq1I=",
            "vXnnwpJ5OqciN9qMZwmmYK4xEI028u3zHYDuTYmc1co=",
            "OMXJPMCyNGqHkMduha23XycScArnTg26vxwUXJKNVMI=",
            "+frQeMrCfT9QFlGbcibAql8UWJFZmufwvKNxgbpVCA4=",
            "0KNqXR/+75uSLph/Fx2weSQRzJL39gQLZbIvS42Ol+U=",
            "pXaQv2zTqk7DxhnCqnfuzVrpMtX5u3D9hF1QmrEewVY="
          ],
          "checkpoint": {
            "envelope": "log2025-alpha2.rekor.sigstage.dev\n12654\nfYshRW6nXqcskwfN7nsKsSafcKRgg2ecRB2esuCvfsY=\n\n— log2025-alpha2.rekor.sigstage.dev KfSiSWAmlkAgcGnlRA4eqZxfAN9EFtmXTY92ZtSqTTWJtN6Nz+mtWRx0nS38ZZ6k7FC4KgKTbqZ8u3A3NNgSLbqaRAQ=\n"
          }
        },
        "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZHNzZVYwMDIiOnsicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoiU0hBMl8yNTYiLCJkaWdlc3QiOiJoQVBwMmtlTFc3VjdaOWl1QWtFSTZabmRGSHg0a1VTQmx5M2NwbFNTKzJBPSJ9LCJzaWduYXR1cmVzIjpbeyJjb250ZW50IjoiTUVVQ0lEeHViMmI4M0VoTStXL0lOSmJUTnkycVhWZXJjSERTY2dtYXp4ZklCZzVqQWlFQXkxbkM2a0lMb1ZsSHNJU2huQ1dRaHBWYzc4MnI4VE5lZXp2a1FPc1kwWG89IiwidmVyaWZpZXIiOnsia2V5RGV0YWlscyI6IlBLSVhfRUNEU0FfUDI1Nl9TSEFfMjU2IiwieDUwOUNlcnRpZmljYXRlIjp7InJhd0J5dGVzIjoiTUlJQ3pqQ0NBbE9nQXdJQkFnSVVGL1p5UGtzU3NzdERzcWFaSVNhV2NEQkw2ODR3Q2dZSUtvWkl6ajBFQXdNd056RVZNQk1HQTFVRUNoTU1jMmxuYzNSdmNtVXVaR1YyTVI0d0hBWURWUVFERXhWemFXZHpkRzl5WlMxcGJuUmxjbTFsWkdsaGRHVXdIaGNOTWpVd09ESTRNREF3TkRNd1doY05NalV3T0RJNE1EQXhORE13V2pBQU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRXQyeHNiS1ZydEx1MFlaeG4vVEpxbHUwNS92U25SWFJVc0N6aEdzYkpUbmtsOWc5dlJuaDExM01YdlhaKzhFd1BLM0Y0d2VzN2Z2NHE4ckpZK2ZlNFhxT0NBWEl3Z2dGdU1BNEdBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVU1VTAwT3RFTW1LTG5QL01hMmNITzlsTERYVVF3SHdZRFZSMGpCQmd3Rm9BVWNZWXdwaFI4WW0vNTk5YjBCUnAvWC8vcmI2d3dJd1lEVlIwUkFRSC9CQmt3RjRFVmFHSnNZWFY2ZG1WeWJrQm5iMjluYkdVdVkyOXRNQ2tHQ2lzR0FRUUJnNzh3QVFFRUcyaDBkSEJ6T2k4dllXTmpiM1Z1ZEhNdVoyOXZaMnhsTG1OdmJUQXJCZ29yQmdFRUFZTy9NQUVJQkIwTUcyaDBkSEJ6T2k4dllXTmpiM1Z1ZEhNdVoyOXZaMnhsTG1OdmJUQ0JpUVlLS3dZQkJBSFdlUUlFQWdSN0JIa0Fkd0IxQUNzd3ZOeG9pTW5pNGRnbUtWNTBIMGc1TVpZQzhwd3p5MTVEUVA2eXJJWjZBQUFCbU8zOWdrOEFBQVFEQUVZd1JBSWdSQzBKOG40NkI3emYyKzV1WVBIdnFVTzRxUFNNUHZtenVwRHVVeUNqZUZjQ0lIY1ZSM3dkQUVML05KcXExUFZSSFhiaUFnRkhXUWlWOWpsMUtIVTgvM0hvTUFvR0NDcUdTTTQ5QkFNREEya0FNR1lDTVFDMVVQT3o3SGRPOVJiSHozN283b2d5REtMQzJsRlV2eUpWOEFJWEhGdU83OUsrVzNSbEZIY094aWNCWFQyM0VSVUNNUURLdjZNSnppbEJFZGJWUkw4SmFtTzc5QVNRa0wweWFZOGpFQWJ4MnZ5QWtNK2JSRFNEUE4zVmJIRmNHb1hlS3lBPSJ9fX1dfX19"
      }
    ],
    "timestampVerificationData": {
      "rfc3161Timestamps": [
        {
          "signedTimestamp": "MIICyjADAgEAMIICwQYJKoZIhvcNAQcCoIICsjCCAq4CAQMxDTALBglghkgBZQMEAgEwgbcGCyqGSIb3DQEJEAEEoIGnBIGkMIGhAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgGGfZkOs6G0l/Ru9ehHnpRmRTY2FbcsGUcIEy3jmLS8kCFEUlORhirfcrCjPBa1c6wmXo7MvIGA8yMDI1MDgyODAwMDQzMVowAwIBAaAypDAwLjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MRUwEwYDVQQDEwxzaWdzdG9yZS10c2GgADGCAdwwggHYAgEBMFEwOTEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MSAwHgYDVQQDExdzaWdzdG9yZS10c2Etc2VsZnNpZ25lZAIUCjWhBmHV4kFzxomWp/J98n4DfKcwCwYJYIZIAWUDBAIBoIH8MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjUwODI4MDAwNDMxWjAvBgkqhkiG9w0BCQQxIgQgPQlYpFqcww0wNwa7AUz2HPIJlYlh+P0YBiD+0/nC4XEwgY4GCyqGSIb3DQEJEAIvMX8wfTB7MHkEIAb0/+BH/rNZmbczsNejI1Ac/BjkwDNmqEXXdTbnSydEMFUwPaQ7MDkxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEgMB4GA1UEAxMXc2lnc3RvcmUtdHNhLXNlbGZzaWduZWQCFAo1oQZh1eJBc8aJlqfyffJ+A3ynMAoGCCqGSM49BAMCBGgwZgIxAL/aDJeQYRxQtDxHZ0NcCD4v+DoYI+u1lzQVU0xDyANUkI9PhE9eaX+K6Pr6F+gs9QIxAP5+g/PDHa0d7g8WZorpJsUJq/srouE0Ma5zYD6xHGPScpTwbu4yIlktu+lpgHO9mA=="
        }
      ]
    }
  },
  "dsseEnvelope": {
    "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJkaWdlc3QiOnsic2hhMjU2IjoiYWIzM2VhY2M4MjUxZTM4MDdiODViYjZkYmE1NzBlNDY5OGMzOTk4ZWNhNmYwZmMyY2NiNjA1NzVhNTYzZWE3NCJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3NpZ3N0b3JlLmRldi9jb3NpZ24vc2lnbi92MSJ9",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [
      {
        "sig": "MEUCIDxub2b83EhM+W/INJbTNy2qXVercHDScgmazxfIBg5jAiEAy1nC6kILoVlHsIShnCWQhpVc782r8TNeezvkQOsY0Xo="
      }
    ]
  }
}

Attest:

cosign attest --predicate predicate.json --new-bundle-format --use-signing-config --yes localhost:5050/busybox:latest
cosign verify-attestation --new-bundle-format --certificate-identity=$email --certificate-oidc-issuer=https://accounts.google.com --use-signed-timestamps --check-claims localhost:5050/busybox:latest

oras discover localhost:5050/busybox:latest

localhost:5050/busybox@sha256:ab33eacc8251e3807b85bb6dba570e4698c3998eca6f0fc2ccb60575a563ea74
└── application/vnd.dev.sigstore.bundle.v0.3+json
    └── sha256:35e2d0bf2dfcad705b31b1d97f4c54cecbae6ef091b35a42d80e28838f47e3cf

oras blob fetch --output - localhost:5050/busybox@sha256:5a7f96b09c6f4583801e1a79ae39b9d729fac8149f8789cfb2a0cb9066d1e71f | jq .
# A bundle is there!

@haydentherapper
Copy link
Contributor Author

haydentherapper commented Aug 28, 2025
edited
Loading

Note to reviewers: Going to take a pass over trying to reduce duplication.

Edit: Reviewing the code, I'd rather not try to reduce duplication for now between sign and attest. These commands will be nearly identical post-Cosign v3, so I'd rather just remove one later on then try to determine a good API for shared logic between the two right now.

@haydentherapper
Support self-managed keys when signing with sigstore-go
c3df26d 
This creates a wrapper around the Keypair interface when a
SignerVerifier is provided for signing with KMS or any other provided
keys. This also retains support for --issue-certificate to request a
certificate for a managed key.

Fixes sigstore#4327

Signed-off-by: Hayden <[email protected]>
@haydentherapper
Add issue-certificate flags to attest and attest-blob
be57b46 
This is for uniformity with sign/sign-blob.

Signed-off-by: Hayden <[email protected]>
@haydentherapper
Refactor SignerFromKeyOpts to split Fulcio signer into its own method
6d27d43 
Now, we can generate a SignerVerifier from a provided key without
mandating that we also request a Fulcio certificate when
"issue-certificate" is provided.

Signed-off-by: Hayden <[email protected]>
@haydentherapper
Add support for SigningConfig in sign/attest
ee986f2 
This will indirectly add support for signing with Rekor v2, since
signing will be handled by sigstore-go rather than Cosign.

This also brings sign/attest up to par with sign-blob/attest-blob with
respect to signing with a key and providing a trusted root when
providing a signing config.

This feature is gated behind one of two signing config flags, which in a
later version of Cosign will be flipped to on by default.

Signed-off-by: Hayden <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SigningConfig for Sign and Attest
1 participant
@haydentherapper