feat: add OCI 1.1 Referrers API support with configurable encoding format#1691
feat: add OCI 1.1 Referrers API support with configurable encoding format#1691anithapriyanatarajan wants to merge 1 commit into
Conversation
|
@anithapriyanatarajan: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
7ff8190 to
d757d46
Compare
|
@tektoncd/chains-collaborators @arewm - Please review and share your comments. Thank you |
d757d46 to
c429a7e
Compare
|
Detailed steps to test and observations are captured here for reference - https://gist.github.com/anithapriyanatarajan/b112638e7b3d78ee6638c6fec4f51bc8 Observed Gaps, which would be analyzed further with appropriate follow ups:
Registry readiness for OCI 1.1 is much critical to realize the benefit of this PR for users. |
c429a7e to
4d43d45
Compare
4d43d45 to
ee93f82
Compare
| if err != nil { | ||
| return nil, errors.Wrap(err, "attaching attestation to entity") | ||
| } | ||
| if err := ociremote.WriteAttestationsReferrer(req.Artifact, newImage, ociremote.WithRemoteOptions(s.remoteOpts...)); err != nil { |
There was a problem hiding this comment.
Just want to confirm, here we are using req.Artifact, which drops the override of repo and ignores the storage.oci.repository. Should we use the overridden repo instead?
|
More details on why we are doing this change - sigstore/docs#411 & kubernetes-sigs/tejolote#639 |
|
@anithapriyanatarajan |
|
@anithapriyanatarajan can you add e2e tests ? |
ee93f82 to
904528b
Compare
@jkhelil - Yes, storage.oci.format=referrers-api can be safely configured without knowing the registry's OCI 1.1 support status. The fallback to the Referrers Tag Schema is handled automatically by go-containerregistry (the underlying library used by cosign and vendored in Chains). If the registry natively supports the Referrers API (e.g., Quay), it is used directly. If not, go-containerregistry automatically falls back to storing referrers as an OCI Image Index tag, per the OCI distribution spec mandate (spec lines 777–806). Since this fallback is transparent at the library level, Chains does not need to implement its own fallback logic, and users do not need to manually revert to the legacy storage format based on registry capability. I have verified this behavior with quay and ghcr. For quay it takes the referrers API path while for ghcr it takes the referrers tag path. Will share evidences after fixing a few other findings. Thank you |
904528b to
78d47da
Compare
78d47da to
276c83e
Compare
276c83e to
93d718e
Compare
41446d2 to
0dd4ea1
Compare
0dd4ea1 to
049070b
Compare
Done |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jkhelil The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jkhelil - I would like to reiterate to see the feasibility of accommodating #1691 (comment). Hence marking this as work in progress. |
049070b to
d98ed11
Compare
d98ed11 to
49cba8f
Compare
…rmat
Introduces storage.oci.encoding-format config key with two values:
- dsse (default): DSSE envelope stored under .att/.sig tags
- sigstore-bundle: Cosign protobuf bundle via OCI 1.1 Referrers API
The name reflects what users care about — the on-disk format — rather
than the distribution mechanism, which is an implementation detail.
Documentation updated to match:
- docs/oci-encoding-format.md (renamed from
oci-artifact-distribution-format-referrers-schema.md)
- test/oci_sigstore_bundle_e2e_test.go (renamed from
referrers_api_e2e_test.go)
Signed-off-by: Anitha Natarajan <anataraj@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via GitHub Copilot)
49cba8f to
290e84a
Compare
Manual test evidenceTested manually on a Full write-up with every command and its output (cosign tree/verify/verify-attestation, cosign download, oras discover, crane manifest for the image/signature/attestation) is attached below for reference Summary
Scenarios 1–3 confirm the default/legacy path is unchanged (no behavior change when the key is unset or set to |
NOTE TO REVIEWERS: Originally this PR intended to allow a user-configurable approach for both distribution and serialization. During later review and iterative testing it became clear this adds needless complexity for users, and we additionally discovered via sigstore/cosign#4841 that the
sigstore-bundle+ DSSE combination is not supported in cosign. The PR therefore distills to two simple scenarios behind a single config knob, summarized below.Changes
Chains currently stores all OCI signatures and attestations using a tag-based scheme (
sha256-<digest>.sig/.att). This creates extra tags in the registry for every signed artifact. This PR adds support for the OCI 1.1 Referrers API as an alternative storage mechanism.New configuration key
A single new key controls both the serialization format and the distribution mechanism. They are intentionally coupled — not separately configurable:
storage.oci.encoding-formatdsse,sigstore-bundledssePossible Scenarios:
encoding-formatdsse.sig/.atttags) — unchanged defaultsigstore-bundle.sig/.atttagsdsse+ protobuf-bundle andsigstore-bundle+ DSSE are intentionally not offered: cosign's verification for referrer-stored attestations expects the protobuf bundle, andsigstore-bundleexists precisely to move away from the legacy tag layout, which has downsides:This keeps the surface to one knob and avoids a confusing matrix of combinations, some of which no tool can verify.
Backward compatibility
All existing deployments with no OCI encoding format config set continue to behave identically (
dsse+ tag-based). No action required.Implementation
config.go—OCIStorageConfiggains anEncodingFormatfield; new constants (OCIEncodingFormatDSSE,OCIEncodingFormatSigstoreBundle) and avalidateOCIEncodingFormatvalidator. Defaults todssewhen unset.options.go— NewWithEncodingFormat()option function; houses thereferrersRepoOverrideIgnoredhelper.attestation.go/simple.go— Dispatch keys offencodingFormat;sigstore-bundlewrites attestations as a protobuf bundle viaociremote.WriteAttestationNewBundleFormat, while signatures use cosign's native signature referrer.legacy.go— Backend passesWithEncodingFormatwhen constructing storers.signing.go/signing/iface.go—signing.BundleandStorageOptsgain aPublicKey crypto.PublicKeyfield;PublicKey()extraction after signing is non-fatal (logs a warning, storage continues) so KMS signers don't break the default path. Also wires up Rekor bundle population before storage so the bundle annotation is available for offline verification.Tests
config_test.go— Tests the default, valid/invalid values forencoding-format, and thevalidateOCIEncodingFormatvalidator.oci_test.go— TestsWithEncodingFormat, empty defaults, the Backend config, and thatstorage.oci.repositoryoverride is ignored insigstore-bundlemode.store_test.go— UpdateddefaultStorageto reflect the struct field rename.attestation_test.go/simple_test.go— Tests for thesigstore-bundlestore path including dedup.referrers_api_e2e_test.go(new) — E2E tests forTestOCIStorageSigstoreBundle_TaskRunandTestOCIStorageSigstoreBundle_PipelineRun.Docs
oci-artifact-distribution-format-referrers-schema.md(new) — Tutorial-style page explaining the Referrers schema, how cosign and Chains enable it, why referrers + protobuf bundle (not DSSE), registry compatibility, and verification examples.config.md— Newstorage.oci.encoding-formatrow in the storage configuration table.Submitter Checklist
As the author of this PR, please check off the items in this checklist:
Release Notes
/kind feature
Co-Authored-by: Copilot (Claude Sonnet 4.6)