Deprecate --attachment sbom commands
#2755
Comments
|
sgtm! Based on our deprecation policy, we need to:
|
|
I am confused about this proposal. Do you want to effectively deprecate the We currently prefer to use SBOMs over attestations because attestations are too hard to work with: I agree that the current two-step process of uploading and signing, or downloading and verifying an SBOM is cumbersome and also produces unavoidable warnings. That's why I've created this issue a while ago: If cosign decides to deprecate and eventually remove SBOMs in favor of attestations, I would be fine with that, because we are currently struggling to decide which attachment type we should use for our SBOMs. We are currently using |
|
@ChristianCiach, I just realized the main downside of using attachments. The connection between the attachment (SBOM) and the underlying image is done via tag convention, i.e. Contrast this with attestations. An attestation contains the data and the subject in a signed envelope. Swapping SBOMs requires re-signing the envelope. The relationship between an attestation and an image is signed. For this reason, and the possibility of TOCTOU attacks (mentioned in the description), I am convinced that the attachments approach should be deprecated ASAP. UPDATE: The SBOM itself does mention which image it describes. For CycloneDX, this is found under |
This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to its increased security. Resolves sigstore#2755 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to its increased security. Fixes sigstore#2755 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to its increased security. Resolves sigstore#2755 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to its increased security. Resolves #2755 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
|
It's a bit sad to see that the |
This change marks any usage of SBOM attachments as deprecated. Instead, users are recommended to use SBOM attestations due to its increased security. Resolves sigstore#2755 Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
|
Seeing that SBOM attachments will be removed soon, I want to point out that it's still not possible to push SBOM attestations as an OCI compliant artifact, because #1397 only added (still experimental) support for pushing signatures and SBOM attachments as OCI artifacts, but not attestations. This makes it currently impossible to push attestations to https://zotregistry.dev See related issue: |
|
Hey @ChristianCiach, happy to revisit this. Reviewing this issue, I think both approaches are not ideal - SBOM signatures as separate artifacts have the TOCTOU concerns @lcarva brought up, while attestations as signatures are more heavyweight. Are there efforts to standardize signed SBOMs that we could implement? Something like SBOMit? Or can we design detached signatures in such a way to mitigate TOCTOU concerns? I'm not very familiar with this space. @lumjjb did you have thoughts on this, detached SBOM sigs vs attestations over SBOMs vs something more standardized? |
|
I think attestations are the way to go. There is nothing wrong with using attestations for SBOM purposes, IMHO. The only thing missing in Cosign is the support for the OCI 1.1 Referrers-API to store attestations. Related issue: Or, at the very least, Cosign should support using OCI compliant media-types instead of the proprietary Docker media-types. |
|
Attestations for an SBOM is good to be able to be able to provide integrity and provenance for an SBOM, as well as an optional effect of attaching it to a subject. I believe SBOMs should still be their own blobs (i.e. not an embedded predicate), since they are meant to be composable by bundling SBOM files together, and they reference each other by their file hash, and they can become very large (we've seen 500MB+ SBOMs). +1 to OCI 1.1 referrers api, that's what we're implementing as well for GUAC OCI collector. |
Currently, Cilium attaches SBOMs to images using
cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.
This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest
Fixes: cilium#30664
Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
Currently, Cilium attaches SBOMs to images using
cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.
This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest
Fixes: #30664
Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
Currently, Cilium attaches SBOMs to images using
cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.
This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest
Fixes: cilium#30664
Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
[ upstream commit dbc52a0 ] Currently, Cilium attaches SBOMs to images using cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }} during build images workflows. This raises the following warning: --- WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations. --- Cilium build image workflows need to migrate to using cosign attest Fixes: #30664 Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Cosign complains when attaching unsigned SBOMs, and we shouldn't recommend this path when signed SBOMs are better. ``` WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations. WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate amd_64.spdx --key <key path>'. ``` Signed-off-by: Jason Hall <jason@chainguard.dev>
Description
There are two ways to sign an SBOM and connect it an image.
The first option relies on
cosign attach sbomto push the SBOM to the OCI registry and connect it to the image. Then, the user must usecosign sign --attachment sbomto sign the SBOM image attached to the underlying image. NOTE: this is a new.sigimage for the SBOM image itself. The verification is also a two step process. 1)cosign verify --attachment sbom; then B)cosign download .... Given that these commands take the digest of the underlying image and not the digest of the SBOM image, the verification process is susceptible to TOCTOU attacks.The second option adds a new layer to the
.attimage which includes the signed SBOM data. This is done viacosign attest --type .... It can be verified in one step viacosign verify-attestation type .... It is also a more generic approach since it can also be used to verify SLSA Provenance and other attestations types.As a user, it is confusing that both options are available. It is also not obvious, at first, which option is better.
Let's deprecate the
--attachmentparameter ofcosign signandcosign attestaccording to the deprecation guidelines.The text was updated successfully, but these errors were encountered: