
signing auto-generated SBOM using cosign #603

Open
Dentrax opened this issue Feb 18, 2022 · 14 comments
Labels
lifecycle/frozen sbom Related to generation of SBOMs

Comments

@Dentrax

Dentrax commented Feb 18, 2022

With the new ko release, it creates and pushes an SBOM file by default. [1] We can also pass a new flag called --sbom-sign <true|false> to sign before publishing it. In the SBOM push stage, we can execute cosign's SignCmd if the aforesaid flag is set to true.

Still not sure what kind of flags should be needed since we might use keyless mode, PKI, etc. options.

@developer-guy

Footnotes

  1. https://github.com/google/ko/releases/tag/v0.10.0

@imjasonh
Member

+1, but we should depend on cosign SDK packages instead of its CLI commands. We would also need to figure out what flags from cosign we want to bring over and what to do when they conflict (e.g., -a annotates signatures, but also might annotate images; should it also annotate signatures on SBOMs?)

@imjasonh imjasonh added the sbom Related to generation of SBOMs label Mar 28, 2022
@github-actions

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

@Dentrax
Author

Dentrax commented Jun 30, 2022

/remove-lifecycle stale

For depending on the cosign SDK concern, let me link the related issue: sigstore/cosign#1462

@ChaosInTheCRD

@imjasonh Is there any update on this? Happy to try and help with the process of making this possible.

@developer-guy
Collaborator

We can work on this in collaboration, @ChaosInTheCRD, WDYT?

@imjasonh
Member

imjasonh commented Oct 6, 2022

This is likely currently blocked on refactoring/rewriting the sigstore Go client to trim its dependencies and simplify the interface.

This is closely related to (and likely blocked on) #357, since as soon as we can easily sign the image we produce, we can also sign the SBOMs we produce. See that issue for discussions and open questions about how this should work, what CLI surface it should have, and open questions currently blocking.

@ChaosInTheCRD

ChaosInTheCRD commented Oct 6, 2022

@imjasonh noted, and figured this could well be the case.

@developer-guy that sounds like a great idea to me! The only problem is that I am planning on being on holiday from tomorrow until the 20th, so it won't be possible to do so until then. If the offer is still open when I get back, that sounds good.

@developer-guy
Collaborator

kindly ping @Dentrax

@ribbybibby

Is there a good way to do this right now by invoking cosign after ko?

I was thinking about doing something like:

img=$(ko build)
cosign sign ${img}
cosign sign --attachment sbom ${img}

But I think the --attachment sbom call is unsafe because the sha256-xxxx.sbom tag could be modified and we could unwittingly end up signing something that ko didn't actually produce.
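One way to narrow the window described above, as an added example that is not part of this issue, of ko or of cosign: resolve the `sha256-<hex>.sbom` tag to a digest once, immediately after `ko build` has pushed, and sign that digest rather than the mutable tag. It assumes `cosign` and `crane` on PATH, cosign's default signing mode, and the hypothetical function names below.

```shell
#!/bin/sh
# Added example (not ko's or cosign's code). Signs an image and the SBOM ko
# pushed beside it, by digest instead of by the mutable sha256-<hex>.sbom tag.
set -eu

# Derive the tag cosign uses for an SBOM attachment from a digest reference
# such as ghcr.io/acme/app:latest@sha256:<hex>. Refuses tag-only references:
# signing anything that is not pinned by digest is exactly the problem.
sbom_tag_for() {
  ref=$1
  case $ref in
    *@sha256:*) ;;
    *) printf 'refusing %s: not a digest reference\n' "$ref" >&2; return 1 ;;
  esac
  hex=${ref##*@sha256:}
  repo=${ref%@*}
  # Strip an image tag only when the ':' sits after the last '/', so that a
  # registry port such as localhost:5000/app survives.
  case ${repo##*/} in
    *:*) repo=${repo%:*} ;;
  esac
  printf '%s:sha256-%s.sbom\n' "$repo" "$hex"
}

# Resolve the SBOM tag once, right after ko pushed it, then sign the image and
# the resolved SBOM digest. Later changes to the tag do not affect what was
# signed, and `cosign verify --attachment sbom` fails if the tag is moved.
sign_image_and_sbom() {
  img=$1                                   # digest reference printed by ko build
  sbom_tag=$(sbom_tag_for "$img")
  sbom_repo=${sbom_tag%:*}
  sbom_digest=$(crane digest "$sbom_tag")  # e.g. sha256:<hex>, resolved once
  cosign sign "$img"
  cosign sign "$sbom_repo@$sbom_digest"
  printf '%s\n' "$sbom_repo@$sbom_digest"  # record what was actually signed
}

# Usage (network access required): IMAGE_REF="$(ko build ./cmd/app)" sh sign.sh
if [ -n "${IMAGE_REF:-}" ]; then
  sign_image_and_sbom "$IMAGE_REF"
fi
```

The race between ko's push and `crane digest` remains, since ko does not print the SBOM digest to compare against; this only shrinks it from "any time before signing" to one lookup.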

@leongross

I would be interested in this feature as well!

@evankanderson
Contributor

With the maturing of https://github.com/sigstore/sigstore-go, does it make sense to revisit this issue to add SBOM signing using the lower-dependency sigstore-go library?

@evankanderson
Contributor

In particular, sigstore/sigstore-go#30 may provide some hints on constructing these signatures using sigstore-go.

@ChaosInTheCRD

@evankanderson I would be interested in doing some work on this. Maybe there is scope for us to pair?

@evankanderson
Contributor

Yes, I just wanted to check that this would fit the project goals before getting started.
