
remove unsigned SBOM section from SBOM tutorial #1826

Merged (1 commit), Sep 26, 2024

Conversation

imjasonh (Member)

Cosign complains when attaching unsigned SBOMs, and we shouldn't recommend this path when signed SBOMs are better.

```
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations.
WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate amd_64.spdx --key <key path>'.
```

Type of change

deletion

What should this PR do?

remove the section about unsigned SBOMs

Why are we making this change?

we shouldn't recommend unsigned SBOMs, since Cosign complains about them, and signed SBOMs are better.

What are the acceptance criteria?

clarity and flow

How should this PR be tested?

n/a, nothing to test


Signed-off-by: Jason Hall <jason@chainguard.dev>
@imjasonh imjasonh requested a review from a team as a code owner September 26, 2024 12:43
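As an added illustration of why the signed path matters (this is not code from the tutorial, from Chainguard, or from cosign itself): what `cosign attest --predicate <sbom> --key <key path>` stores is a DSSE envelope wrapping an in-toto Statement whose subject is the image digest and whose predicateType for SPDX input is `https://spdx.dev/Document`. The Go program below builds and verifies such an envelope, then shows that swapping the SBOM inside it without re-signing, which is exactly the edit an unsigned `cosign attach sbom` blob would accept silently, is rejected. The registry name, image digest and SPDX document are constructed test data, and the key type is ed25519 to keep the code short; cosign's default key type is ECDSA P-256, but the envelope layout and the checks are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const (
	payloadType = "application/vnd.in-toto+json"
	spdxType    = "https://spdx.dev/Document" // predicateType cosign uses for --type spdx and spdxjson
)

// ConstructedDigest and SampleSBOM are made-up test data, not taken from any real image.
const ConstructedDigest = "5c0d1aaf4b8f0c4c8d7dbb6a7e2b3e6b8a9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e"
var SampleSBOM = []byte(`{"spdxVersion":"SPDX-2.3","name":"app","packages":[{"name":"zlib","versionInfo":"1.2.12-r0"}]}`)
type Envelope struct { // DSSE envelope; Payload is a base64-encoded in-toto Statement
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"` // each entry carries "keyid" and "sig"
}
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// pae is the DSSE pre-authentication encoding: the exact bytes that get signed.
func pae(payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// Attest binds the SBOM to the image digest in an in-toto Statement and signs the DSSE
// envelope; ed25519 keeps the example short, cosign's own default key type is ECDSA P-256.
func Attest(priv ed25519.PrivateKey, imageRef, digestHex string, sbom []byte) (*Envelope, error) {
	payload, err := json.Marshal(Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: spdxType,
		Subject: []Subject{{Name: imageRef, Digest: map[string]string{"sha256": digestHex}}}, Predicate: sbom})
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, pae(payload))
	return &Envelope{PayloadType: payloadType, Payload: b64(payload),
		Signatures: []map[string]string{{"keyid": "", "sig": b64(sig)}}}, nil
}

// VerifySBOM returns the SPDX predicate only if a signature verifies under the trusted key,
// the predicate is SPDX, and a subject digest matches the image being admitted. Anything
// else is a hard failure, which is what a policy check wants.
func VerifySBOM(pub ed25519.PublicKey, env *Envelope, wantDigestHex string) (json.RawMessage, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return nil, fmt.Errorf("malformed envelope or unexpected payloadType %q", env.PayloadType)
	}
	verified := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s["sig"])
		verified = verified || err == nil && ed25519.Verify(pub, pae(payload), sig)
	}
	if !verified {
		return nil, fmt.Errorf("no signature verifies under the trusted key")
	}
	var stmt Statement // only now is anything inside the payload worth trusting
	if err := json.Unmarshal(payload, &stmt); err != nil || stmt.PredicateType != spdxType {
		return nil, fmt.Errorf("payload is not an SPDX attestation (%v)", err)
	}
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == wantDigestHex {
			return stmt.Predicate, nil
		}
	}
	return nil, fmt.Errorf("attestation is not bound to image digest %s", wantDigestHex)
}

// SwapPredicate replaces the SBOM without re-signing, the edit anyone with push access can
// make to an unsigned `cosign attach sbom` blob, which has no signature to break.
func SwapPredicate(env *Envelope, newSBOM []byte) *Envelope {
	payload, _ := base64.StdEncoding.DecodeString(env.Payload)
	var stmt Statement
	_ = json.Unmarshal(payload, &stmt)
	stmt.Predicate = newSBOM
	out, _ := json.Marshal(stmt)
	return &Envelope{PayloadType: env.PayloadType, Payload: b64(out), Signatures: env.Signatures}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Attest(priv, "registry.example/app", ConstructedDigest, SampleSBOM)
	pred, good := VerifySBOM(pub, env, ConstructedDigest)
	_, bad := VerifySBOM(pub, SwapPredicate(env, []byte(`{"packages":[]}`)), ConstructedDigest)
	fmt.Printf("signed SBOM: %s (err=%v)\nswapped SBOM: err=%v\n", string(pred), good, bad)
}
```

Against a real registry, `cosign verify-attestation --key cosign.pub --type spdxjson IMAGE` performs the same three checks (signature under the trusted key, predicate type, subject digest equal to the image you are about to run); an SBOM uploaded with `cosign attach sbom` can pass none of them because nothing ties it to the image or to a key.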
netlify bot commented Sep 26, 2024

Deploy Preview for ornate-narwhal-088216 ready!

Latest commit: ab96e23
Latest deploy log: https://app.netlify.com/sites/ornate-narwhal-088216/deploys/66f556d8fcb71f00088effde
Deploy preview: https://deploy-preview-1826--ornate-narwhal-088216.netlify.app

@@ -128,27 +128,6 @@ ExternalRef: PACKAGE_MANAGER purl pkg:alpine/zlib@1.2.12-r0?arch=aarch64&upstrea

Next, you’ll use Cosign to work with the SBOM and the image.
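Review bot: the one context line kept in this hunk, "Next, you’ll use Cosign to work with the SBOM and the image.", used to introduce the removed unsigned-attachment section (the header shows 27 lines shrinking to 6 right after it), so it now announces whatever follows; check that the next section is the `cosign attest --predicate ... --key ...` step the quoted Cosign warning recommends, or reword the sentence so it does not lead into a step that is no longer there.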


Is it worth linking out to cosign docs directly, as they're likely to be more up to date and then don't have to keep trying to keep this in synch? https://docs.sigstore.dev/cosign/signing/other_types/

Member


I'll raise this with the team. 👍 There are some upsides to maintaining our own docs on tools we use frequently or that are also used a lot in the secure container space (good for our SEO and pipeline). But the downside is that things can get out of sync. We're actually working on a new docs update cadence that should roll out soon as well. cc @sheesh


For sure yeah, two sides of the coin 😄 @smythp

Will keep my eyes open for new docs cadence


@smythp smythp left a comment


Removal looks good. I'll merge and then look into if anything needs to be added back for this use case. Thanks for jumping in with the PR 🆒


@smythp smythp merged commit b3bf03b into main Sep 26, 2024
10 checks passed
@smythp smythp deleted the imjasonh-patch-1 branch September 26, 2024 14:45