Cosign sign #1597
Cosign sign #1597
Conversation
mtrmac
force-pushed
the
cosign-sign
branch
4 times, most recently
from
7ca39ec
to
3fee212
Compare
|
In manual testing, this produces signatures that Cosign accepts. So, calling this ready for review. It could definitely do with unit tests, and integration tests in the Skopeo repo. |
copy/sign.go
Outdated
| } | ||
| } | ||
|
|
||
| c.Printf("Signing manifest\n") |
There was a problem hiding this comment.
Shall we indicate the signing mechanism?
There was a problem hiding this comment.
Good idea, done.
(I’ll gladly change the wording to any other names as long as I’m not required to participate in that discussion.)
| @@ -1,4 +1,6 @@ | |||
| 4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo= | |||
There was a problem hiding this comment.
Does go mod tidy clean up go.sum? I was surprised about the size of the diff and it seems go.sum changes account for it.
There was a problem hiding this comment.
go mod tidy does clean up completely unused packages. Some of the added entries are test dependencies (e.g. note the presence of github.com/golangci/golangci-lint)
Still, these are the dependencies that total 10 MB.
There was a problem hiding this comment.
@Luap99 FYI, to prevent a heart attack. Much better than 90 MB but I am sure we can trim the size down over time.
Private key only, no Fulcio/Rekor. The extra dependencies are not ideal, but not too bad (notably the scary go-tuf addition is only a small subpackage). Still, it's about extra 10 MB. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
|
LGTM |
|
LGTM |
⚠️ Warning: This is write-only code, as in I haven’t read it after myself, it has never been run, and it has no tests yet. Might be completely broken.Private key only, no Fulcio/Rekor. Figuring out a sane UI for non-default Fulcio servers is quite a bit of more work than this (probably commits us to defining a new config file format).
Depends on unmerged #1594 and #1596.