download attestation: support --platform flag #2980

Merged
merged 2 commits into sigstore:main May 16, 2023

Conversation

imjasonh
Member

Similar to #2356

Summary

cosign download sbom accepts a --platform flag, which chooses a platform when the provided image ref is a multi-arch image. This change adds the same support to cosign download attestation, using the same code and semantics.

Before:

cosign download attestation --predicate-type="https://spdx.dev/Document" cgr.dev/chainguard/git | jq -r '.payload' | base64 -d | jq -r '.predicate.packages[].SPDXID'
SPDXRef-Package-sha256-9d9fd8ecc9cf80c7aabd83be201b9065a09557d8e1a66d4bd8e2dbeade2c1c28
SPDXRef-Package-sha256-c28b09fd03e2fd1a4332c37062e46aa4a7a3a8755ffd78d1f7d38d80f180b70b
SPDXRef-Package-sha256-59b2854e4a3b25cdd038f3f596cbf79d9ee79ba4a82b154f396170db89264657
SPDXRef-Package-sha256-ebb516bbdb1757401bb866e4949c682e2e471113d09801170d8f798acb50aaca
SPDXRef-Package-sha256-a06b5339d37bae4d2311a68e34f94445d2709a6020595a820aa3bd4ca09aa04a
SPDXRef-Package-sha256-ebf3034b3b122f06b5f2921043a75da0c8098cae8d536401bd2014ffb90ace6d
SPDXRef-Package-sha256-29ed835d586d284e3c67eefedd77cddf844eb5a2baffc3cbf1ec5effa0ace21c
SPDXRef-Package-sha256-a043cc5723dada67915371df09674687cc8a6cde6961d6e216f7639351e0fbad
SPDXRef-Package-sha256-173c078001ecad8fbd94970ecb6dab6ea07131d3b9590ed697fe7604ead5d92b
SPDXRef-Package-https-C47C47github.comC47chainguard-imagesC47imagesC6467e49fd819fde6e6508f5a24851c10b8595c23ad

(this could only tell you the attestation of the multi-platform index, which contains its sub-images)

After:

go run ./cmd/cosign download attestation --platform=linux/amd64 --predicate-type="https://spdx.dev/Document" cgr.dev/chainguard/git | jq -r '.payload' | base64 -d | jq -r '.predicate.packages[].SPDXID'
SPDXRef-Package-sha256-59b2854e4a3b25cdd038f3f596cbf79d9ee79ba4a82b154f396170db89264657
SPDXRef-Package-https-C47C47github.comC47chainguard-imagesC47imagesC6467e49fd819fde6e6508f5a24851c10b8595c23ad
SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344
SPDXRef-Package-SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344-alpine-baselayout-data-3.4.3-r1
SPDXRef-Package-SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344-alpine-keys-2.4-r1
SPDXRef-Package-SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344-alpine-release-3.18.0-r0
SPDXRef-Package-SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344-ca-certificates-bundle-20230506-r0
SPDXRef-Package-SPDXRef-Package-sha256-c2cd62db799e0c1ea4deda34c6665b3a50fbf9d898ec841d02cd54859144c344-musl-1.2.4-r0
...

(this can tell you the attested contents of a specific image within the multi-platform index)

Release Note

  • Added --platform flag to cosign download attestation

Documentation

--help output and generated docs include this new flag.

Signed-off-by: Jason Hall <jason@chainguard.dev>
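The two steps behind the commands above, as an added Python example that is not cosign's own code: first the selection that `--platform` performs (image index to the digest of one platform-specific manifest), then the decoding that the `jq -r '.payload' | base64 -d | jq ...` pipeline performs on the downloaded DSSE envelope. The index, digests, image name and package IDs are constructed sample data, and the platform-matching rule (exact os/arch, variant only if requested) is an assumption for illustration, not a statement of cosign's exact matching code. One caveat worth keeping in mind: `cosign download attestation` fetches the envelope without verifying its signature, so the subject check below only protects against reading the index's attestation when you meant a sub-image; run `cosign verify-attestation` before relying on the contents.

```python
"""Added example: resolve a --platform spec against an OCI image index and
extract SPDX package IDs from a DSSE-wrapped in-toto statement (sample data)."""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"

# Constructed sample data, not real registry content.
AMD64_DIGEST = "sha256:" + "a1" * 32
ARM64_DIGEST = "sha256:" + "b2" * 32

SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": AMD64_DIGEST, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": ARM64_DIGEST, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64", "variant": "v8"}},
    ],
}


def make_envelope(subject_digest, packages):
    """Wrap an in-toto SPDX statement in an (unsigned) DSSE envelope, sample only."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE_TYPE,
        "subject": [{"name": "example.test/img",
                     "digest": {"sha256": subject_digest.split(":", 1)[1]}}],
        "predicate": {"spdxVersion": "SPDX-2.3",
                      "packages": [{"SPDXID": p} for p in packages]},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}


# One attestation per platform-specific manifest, keyed by subject digest.
SAMPLE_ATTESTATIONS = {
    AMD64_DIGEST: make_envelope(AMD64_DIGEST, ["SPDXRef-Package-musl-amd64",
                                               "SPDXRef-Package-git-amd64"]),
    ARM64_DIGEST: make_envelope(ARM64_DIGEST, ["SPDXRef-Package-musl-arm64",
                                               "SPDXRef-Package-git-arm64"]),
}


def parse_platform(spec):
    """'os/arch' or 'os/arch/variant' -> dict; anything else is rejected."""
    parts = spec.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"bad platform spec: {spec!r}")
    plat = {"os": parts[0], "architecture": parts[1]}
    if len(parts) == 3:
        plat["variant"] = parts[2]
    return plat


def select_manifest_digest(index, spec):
    """Return the one index entry matching spec; fail on none or several
    (assumed matching rule: os and arch must match, variant only if given)."""
    want = parse_platform(spec)
    hits = []
    for m in index.get("manifests", []):
        p = m.get("platform")
        if not p:
            continue  # e.g. attestation manifests carry no platform
        if p.get("os") != want["os"] or p.get("architecture") != want["architecture"]:
            continue
        if "variant" in want and p.get("variant") != want["variant"]:
            continue
        hits.append(m["digest"])
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} manifests match {spec!r}; expected exactly 1")
    return hits[0]


def spdx_ids_from_envelope(envelope, subject_digest):
    """Decode a DSSE envelope and list SPDX package IDs, after checking the
    payload type, the predicate type and that the statement is about the
    image digest we resolved (not, say, the index's own attestation)."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("not an in-toto payload")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError("unexpected predicateType")
    want_hex = subject_digest.split(":", 1)[1]
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == want_hex for s in subjects):
        raise ValueError("attestation subject is not the requested image")
    return [p["SPDXID"] for p in statement["predicate"]["packages"]]


def attested_packages(index, attestations, spec):
    """End to end: platform spec -> manifest digest -> that image's SPDX IDs."""
    digest = select_manifest_digest(index, spec)
    return spdx_ids_from_envelope(attestations[digest], digest)


if __name__ == "__main__":
    print(attested_packages(SAMPLE_INDEX, SAMPLE_ATTESTATIONS, "linux/amd64"))
```

The subject check is the part the `jq` pipeline skips: an envelope whose subject digest is the index rather than the selected manifest is rejected instead of silently listing the wrong packages.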

codecov bot commented May 15, 2023

Codecov Report

Merging #2980 (6496c4d) into main (95ae338) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2980      +/-   ##
==========================================
- Coverage   30.26%   30.25%   -0.02%     
==========================================
  Files         151      151              
  Lines        9469     9473       +4     
==========================================
  Hits         2866     2866              
- Misses       6158     6162       +4     
  Partials      445      445              
Impacted Files                        Coverage Δ
cmd/cosign/cli/options/download.go    0.00% <0.00%> (ø)
pkg/cosign/fetch.go                   0.00% <0.00%> (ø)

Signed-off-by: Jason Hall <jason@chainguard.dev>
Member

@mattmoor mattmoor left a comment

🙏

Contributor

@hectorj2f hectorj2f left a comment

lgtm

Member

@cpanato cpanato left a comment

Cool

@cpanato cpanato merged commit d3e90a7 into sigstore:main May 16, 2023
26 checks passed
@github-actions github-actions bot added this to the v1.14.0 milestone May 16, 2023