@steiza steiza commented Oct 20, 2025

Summary

Continuing to make progress on #4470.

This adds protobuf bundle support for cosign download attestation and cosign download signature (which will work if you do cosign sign with the new protobuf format), as well as adding support for cosign attach attestation and cosign attach signature.

This does not add any support (yet) for cosign save.

Release Note

  • Added protobuf bundle support to subcommands download attestation, download signature, attach attestation, and attach signature (where you should use the new --bundle flag).

Documentation

N/A

@steiza steiza requested a review from a team as a code owner October 20, 2025 13:09
codecov bot commented Oct 20, 2025

Codecov Report

❌ Patch coverage is 0.97087% with 102 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.23%. Comparing base (2ef6022) to head (691a625).
⚠️ Report is 562 commits behind head on main.

Files with missing lines                       Patch %  Lines
cmd/cosign/cli/attach/attach.go                  0.00%  39 Missing ⚠️
cmd/cosign/cli/download/attestation.go           0.00%  26 Missing ⚠️
cmd/cosign/cli/download/signature.go             0.00%  17 Missing ⚠️
cmd/cosign/cli/attach/sig.go                     0.00%  10 Missing ⚠️
cmd/cosign/cli/options/attach.go                 0.00%   3 Missing ⚠️
pkg/cosign/verify.go                            25.00%   2 Missing and 1 partial ⚠️
cmd/cosign/cli/download.go                       0.00%   2 Missing ⚠️
cmd/cosign/cli/verify/verify.go                  0.00%   1 Missing ⚠️
cmd/cosign/cli/verify/verify_attestation.go      0.00%   1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4477      +/-   ##
==========================================
- Coverage   40.10%   35.23%   -4.88%     
==========================================
  Files         155      220      +65     
  Lines       10044    15230    +5186     
==========================================
+ Hits         4028     5366    +1338     
- Misses       5530     9176    +3646     
- Partials      486      688     +202     


@cmurphy cmurphy left a comment


Support for attach signature would be somewhat strange, as it did not even support the old cosign bundle format (just raw signatures and certificates). If you do cosign sign and then cosign download signature, you should attach it with cosign attach attestation.

I'm finding this pretty confusing, and I think users will have a hard time understanding it. Could we make it so that attach signature works for bundles?

Alternatively - I think the problem stems from the naming, where downloading/attaching bundles just isn't very well described by the words "attestation" or "signature" any more. What about adding a new subcommand attach bundle instead of trying to coerce attach signature and attach attestation to do this?

steiza commented Oct 21, 2025

> I'm finding this pretty confusing, and I think users will have a hard time understanding it.

This was my first time using these commands and looking at how they were implemented, so I agree 😅. These commands are old (relative to the age of Cosign), implemented in 2021 and not really updated since 2023, so it's not surprising that Sigstore usage has evolved while these commands have not.

> Could we make it so that attach signature works for bundles?

I think this is the most promising path forward. Looking over the flags again, --payload is closest to a bundle. We could re-use --payload and check if it's a new protobuf bundle, and / or add a --bundle alias for --payload to make it clearer what's going on.

> Alternatively - I think the problem stems from the naming, where downloading/attaching bundles just isn't very well described by the words "attestation" or "signature" any more.

I agree generally, but I think we should wait a bit before tackling this problem. I want to make sure Cosign v3 is working for folks first, helping them transition to protobuf bundles, trusted roots, and signing configs, before we start changing the command set.

But this is very much in scope for Cosign v4, and it's not just cosign attach signature / cosign attach attestation! With protobuf bundles, cosign sign and cosign attest are also quite similar, and (as you point out) it's not clear we need separate sign / attest commands generally. But this is a larger change, and I think we should hold off for a bit until we're ready to iterate on the set of commands as a whole.

Signed-off-by: Zach Steindler <[email protected]>
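An added example, not code from this PR or from cosign itself, of the check steiza proposes above (re-using --payload and detecting whether the file is a new protobuf bundle rather than a raw signature or the older cosign bundle), as a stand-alone Go function. It assumes the protobuf bundle's JSON encoding carries a top-level mediaType beginning with application/vnd.dev.sigstore.bundle and that the legacy cosign bundle file is recognisable by its base64Signature key; all sample inputs are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// PayloadKind is what a file handed to --payload turns out to contain.
type PayloadKind string

const (
	KindProtobufBundle PayloadKind = "protobuf-bundle" // sigstore protobuf-specs Bundle, JSON encoding
	KindLegacyBundle   PayloadKind = "legacy-bundle"   // older cosign {base64Signature, cert, rekorBundle} file
	KindRawSignature   PayloadKind = "raw-signature"   // bare base64 signature, as cosign download signature prints it
	KindUnknown        PayloadKind = "unknown"
)

// Assumption: every protobuf bundle version's mediaType starts with this prefix,
// e.g. application/vnd.dev.sigstore.bundle.v0.3+json.
const bundleMediaTypePrefix = "application/vnd.dev.sigstore.bundle"

// ClassifyPayload inspects only the outer shape; the real bundle parser still validates contents.
func ClassifyPayload(data []byte) (PayloadKind, error) {
	trimmed := strings.TrimSpace(string(data))
	if trimmed == "" {
		return KindUnknown, errors.New("empty payload")
	}
	if strings.HasPrefix(trimmed, "{") {
		var top map[string]json.RawMessage
		if err := json.Unmarshal([]byte(trimmed), &top); err != nil {
			return KindUnknown, fmt.Errorf("payload looks like JSON but does not parse: %w", err)
		}
		var mediaType string
		if raw, ok := top["mediaType"]; ok && json.Unmarshal(raw, &mediaType) == nil &&
			strings.HasPrefix(mediaType, bundleMediaTypePrefix) {
			return KindProtobufBundle, nil
		}
		if _, ok := top["base64Signature"]; ok {
			return KindLegacyBundle, nil
		}
		return KindUnknown, errors.New("JSON is neither a protobuf bundle nor a legacy cosign bundle")
	}
	// Anything else must at least be valid base64 to pass as a raw signature.
	if _, err := base64.StdEncoding.DecodeString(trimmed); err != nil {
		return KindUnknown, fmt.Errorf("payload is neither JSON nor base64: %w", err)
	}
	return KindRawSignature, nil
}
```

A caller can then route protobuf bundles to the new code path and keep the existing raw-signature path for everything else, which is the --payload reuse discussed in the thread.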