Update cosign to v2.0.2 #979

Closed
developer-guy opened this issue Dec 12, 2022 · 5 comments · Fixed by #1096
Labels
help wanted Extra attention is needed

Comments

@developer-guy
Member

Abstract

OCI Reference Types has made a tremendous effort to make the relationships easier between the OCI Image and its materials such as SBOMs, attestations, vuln scan results, and build information. go-containerregistry is working on adding support for the Referrers API. Once this has landed, cosign plans to change how to store signatures. It will also affect the Flux projects since they use cosign under the hood to verify the signatures of the OCI Artifacts.

Helper Resources

  • Also, thanks to @dlorenc for writing an introductory guide for OCI Reference Types.
  • Another excellent presentation by @sudobmitch about Referrers API

/cc @souleb @stefanprodan @Dentrax

@developer-guy
Member Author

sigstore/cosign#2684

@developer-guy
Member Author

@souleb
Member

souleb commented Feb 18, 2023

Thanks @developer-guy, after reading the PRs, my understanding is that with the fallback for 1.0 registries there is nothing to do in Flux.

@stefanprodan
Member

stefanprodan commented May 11, 2023

We need to update SC to latest cosign as rekor has a CVE. This is not just a simple bump in go.mod as cosign v2 comes with many breaking changes. Can someone please look into it?

@stefanprodan stefanprodan changed the title Tracking Issue for Referrers API Update cosign to v2.0.2 May 11, 2023
@stefanprodan stefanprodan added the help wanted Extra attention is needed label May 11, 2023
@makkes
Member

makkes commented May 11, 2023

related: #1083
