
Conversation

@steiza (Member) commented Nov 18, 2025

Summary

Continuing to make progress on #4470.

To test:

  • Run local registries on port 1338 (default) and port 1337 (to test loading)
  • Build and sign an image:
      sigstore/sigstore-go/examples/sigstore-go-verification$ ko build .
      sigstore/cosign$ go run cmd/cosign/main.go sign --key cosign.key --use-signing-config=false --tlog-upload=false localhost:1338/demo/sigstore-go-verification-ce4f5bf3233ac2b951c3667b2d19da3a:latest
  • Save it from the registry:
      $ go run cmd/cosign/main.go save --dir save localhost:1338/demo/sigstore-go-verification-ce4f5bf3233ac2b951c3667b2d19da3a
  • Load it into the mirror registry:
      $ go run cmd/cosign/main.go load --dir save localhost:1337/demo/sigstore-go-verification-ce4f5bf3233ac2b951c3667b2d19da3a
  • List the files that were saved:
      $ ls save/blobs/sha256/*
  • Use oras to confirm they are in the new registry:
      $ oras manifest fetch localhost:1337/demo/sigstore-go-verification-ce4f5bf3233ac2b951c3667b2d19da3a@sha256:...

Release Note

  • Added protobuf bundle support to cosign save and cosign load

Documentation

N/A

codecov bot commented Nov 18, 2025

Codecov Report

❌ Patch coverage is 13.46154% with 45 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.34%. Comparing base (2ef6022) to head (ac605e0).
⚠️ Report is 592 commits behind head on main.

File with missing lines        Patch %   Lines
cmd/cosign/cli/save.go          0.00%    13 missing
pkg/oci/remote/write.go         0.00%    12 missing
pkg/oci/layout/index.go        50.00%     4 missing, 2 partials
pkg/oci/empty/signed.go        33.33%     2 missing
pkg/oci/mutate/mutate.go        0.00%     2 missing
pkg/oci/remote/image.go         0.00%     2 missing
pkg/oci/remote/index.go         0.00%     2 missing
pkg/oci/remote/unknown.go       0.00%     2 missing
pkg/oci/signed/image.go         0.00%     2 missing
pkg/oci/signed/index.go         0.00%     2 missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4530      +/-   ##
==========================================
- Coverage   40.10%   36.34%   -3.76%     
==========================================
  Files         155      220      +65     
  Lines       10044    12285    +2241     
==========================================
+ Hits         4028     4465     +437     
- Misses       5530     7127    +1597     
- Partials      486      693     +207     


if err != nil {
return err
}
err = WriteSignaturesExperimentalOCI(digest, se, opts...)
Contributor

Definitely not at all an expert in this part of the codebase, so I'm trying to wrap my head around how WriteSignaturesExperimentalOCI works here. Is this now needed because we were writing referring artifacts to OCI using a different API?

Member Author

Yeah, I also had to do a lot of digging in this code base to understand what was going on.

But that's exactly right - we don't want to "just" write the protobuf bundle as an OCI blob, we also need to write an OCI manifest that (1) points at the protobuf bundle blob and (2) has a subject referring to the signed image - which is how the registry knows that this is a "referring artifact".

Contributor

That makes sense, thanks. So how were things working previously? Was it that we were looking up the referring artifact directly rather than going through the OCI manifest?

Contributor

I guess to add to that, is there a change we need to make to the verification code?

Member Author

Yeah, so previously signatures were pushed to a tag made from the digest of the image manifest.

So if your container was example.com/myapp@sha256:abcd, then you would ask for the signature at example.com/myapp:sha256-abcd.sig (note that this is a tag, even though it looks like a digest).

The verification code shouldn't need to change. New protobuf bundle signatures should always use the OCI referrers API. But I still need to update tests 😅

Contributor

Sorry, by previously I meant with bundles and OCI. If we were only publishing the referring artifact and not the manifest that points to the referring artifact, how was verification working? How did the OCI library know how to look up the referring artifact without a manifest?

Signed-off-by: Zach Steindler <[email protected]>
@steiza (Member Author) commented Nov 19, 2025

I don't think this should be part of v3.0.3 anymore 😅

Saving is pretty straightforward. For loading you basically need to implement something that behaves like the OCI referring API (look at the files for manifests that are the subject of the container image). Such a thing is possible, but I'm really not familiar with sigstore/cosign/pkg/oci and google/go-containerregistry.
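An added example (not cosign's or go-containerregistry's code) of the file-based lookup described above and of the "subject" relationship explained earlier in the thread: it reads the blobs that `cosign save --dir` writes and returns the manifests whose subject is the image digest, which is what a registry's referrers endpoint would list. It assumes the `blobs/sha256/<hex>` layout shown in the test steps and the `subject` / `artifactType` manifest fields from the OCI image spec; the helper names are the example's own.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"sort"
)

// ociManifest keeps only the manifest fields needed to emulate the referrers API.
type ociManifest struct {
	ArtifactType string `json:"artifactType"`
	Subject      *struct{ Digest string `json:"digest"` } `json:"subject"`
}

// FindReferrers returns, sorted, the digests of every manifest whose subject is
// subjectDigest, optionally narrowed to one artifactType ("" = any), as a registry's
// referrers endpoint would. Layers, config blobs and manifests without a subject
// (including legacy tag-based .sig manifests) are skipped.
func FindReferrers(blobs map[string][]byte, subjectDigest, artifactType string) []string {
	var out []string
	for digest, data := range blobs {
		var m ociManifest
		if err := json.Unmarshal(data, &m); err != nil || m.Subject == nil {
			continue
		}
		if m.Subject.Digest == subjectDigest && (artifactType == "" || m.ArtifactType == artifactType) {
			out = append(out, digest)
		}
	}
	sort.Strings(out)
	return out
}

// LoadBlobs reads <dir>/blobs/sha256/<hex> as written by `cosign save --dir <dir>`,
// keyed as "sha256:<hex>" so keys match the digests used in subject fields.
func LoadBlobs(dir string) (map[string][]byte, error) {
	paths, err := filepath.Glob(filepath.Join(dir, "blobs", "sha256", "*"))
	if err != nil {
		return nil, err
	}
	blobs := make(map[string][]byte, len(paths))
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, err
		}
		blobs["sha256:"+filepath.Base(p)] = data
	}
	return blobs, nil
}
```

A loader built on this would then push each returned manifest (and the bundle blob it points at) to the mirror registry after the image itself, so the mirror can answer referrers queries for it.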

@steiza steiza closed this Nov 19, 2025
@haydentherapper (Contributor)

I'm wondering if not writing the manifest is a bug that needs to be fixed before a new release?
