feat: add artifacts.oci.disable-signing to skip signing#1419
Conversation
tekton-robot
added
the
size/S
|
The following is the coverage report on the affected files.
|
tekton-robot
added
size/L
|
The following is the coverage report on the affected files.
|
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
857501b to
a85accf
Compare
|
The following is the coverage report on the affected files.
|
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
a85accf to
431323f
Compare
|
The following is the coverage report on the affected files.
|
There was a problem hiding this comment.
@waveywaves can you please add a e2e test with
artifacts.oci.disable-signing: "true"
artifacts.taskrun.storage: "oci"
checking that signature for image is not pushed while attestation for taskrun is pushed to oci
I am wondering what will be the taskrun attestion target repository now, as chains is using type hinting to idenitfy where to push image signature, do we need storage.oci.repository in the case of artifacts.oci.disable-signing( not sure, we need some e2e tests)
can you clarify this in doc also please
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
431323f to
87b72df
Compare
- Add TestDisableOCISigning to verify that OCI image signatures are not created when disabled - Verify that attestations are still pushed to OCI registry when signing is disabled - Update documentation to clarify that type hinting still determines attestation repository - Clarify that storage.oci.repository is optional and type hinting works as expected Addresses review feedback from PR tektoncd#1419
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
87b72df to
5cc663f
Compare
|
@jawed I have added the necessary documentation mentioning that the artifact storage still needs to be set to OCI so that the generated attestations are pushed to the registries. |
- Add TestDisableOCISigning to verify that OCI image signatures are not created when disabled - Verify that attestations are still pushed to OCI registry when signing is disabled - Update documentation to clarify that type hinting still determines attestation repository - Clarify that storage.oci.repository is optional and type hinting works as expected Addresses review feedback from PR tektoncd#1419
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
3 times, most recently
from
ffcb767 to
1a16d53
Compare
docs/config.md
Outdated
| | `artifacts.oci.signer` | The signature backend to sign `OCI` payloads with. | `x509`, `kms` | `x509` | | ||
| | `artifacts.oci.disable-signing` | Whether to skip signing of OCI artifacts while still allowing provenance generation and attestation signing. Note: This only disables OCI image signing; attestations are still generated. To push attestations to registries, set `artifacts.taskrun.storage` and/or `artifacts.pipelinerun.storage` to include `oci`. When enabled, attestations will still be pushed to the same location determined by type hinting (IMAGE_URL/IMAGE_DIGEST results) or `storage.oci.repository` if configured. | `"true"`, `"false"` | `"false"` | |
There was a problem hiding this comment.
Suggestion: instead of a dedicated setting, would it make sense to instead add a new supported value to artifacts.oci.signer so a user could set artifacts.oci.signer: none? In the interest of consistency, would it also make sense in the usecase to make this setting (either the dedicated disable-signing setting or signer: none value) applicable to artifacts.taskrun and artifacts.pipelinerun as well?
There was a problem hiding this comment.
I do like this direction better, I think the current default signer should stay the same and then it should be possible to disable signing this way if needed for the user.
There was a problem hiding this comment.
I'll make this change and amend the commit
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
1a16d53 to
b84c54f
Compare
Add "none" as a valid signer option for OCI, TaskRun, and PipelineRun artifacts to disable signing while maintaining attestation generation and storage capabilities. Changes: - Add "none" as valid signer value in config.go for all artifact types - Update Artifact.Enabled() to return false when signer is "none" - Remove DisableSigning field from Artifact struct - Update tests to use signer: "none" instead of disable-signing field - Update documentation to list "none" as a valid signer option - Update e2e test to use artifacts.oci.signer: "none" Addresses review feedback to use signer field instead of separate disable-signing configuration.
waveywaves
force-pushed
the
feature/configurable-artifact-signing-skip
branch
from
b84c54f to
102b73a
Compare
aThorp96
left a comment
aThorp96
left a comment
There was a problem hiding this comment.
This looks good to me! Thank you for the docs update as well. I have one optional docs suggestion to improve the "skimmability" of the docs.
As a general question: in what circumstance might a user want to skip signing? Would this be for performance reasons or something else?
Co-authored-by: Andrew Thorp <[email protected]>
@aThorp96 we should be able to generate provenance attestations that aren't signed by us; it should be possible to use external signers and not the prebuilt ones. This is what I understand. This opens doors for external signing infrastructure to be used and not be locked in with tekton chains signing. |
@waveywaves @aThorp96 - The goal is to allow users to optionally skip signing the built images in Tekton, while still ensuring that the provenance of the build steps is generated and signed by Tekton Chains. In other words, users may choose to skip artifact.oci.signer (This gives more flexibility for users to choose different signing keys/providers for different cases) , but signing of taskruns and pipelineruns must always be enforced to be SLSA compliant. Please refer #1406 for more details |
Actually, signing artifacts is not something Chains should be doing: #1346 (artifacts.oci.signer) It should, however, always sign the content it generates (SLSA Provenance). artifacts.taskrun.signer controls generating and signing SLSA Provenance for TaskRuns, while artifacts.pipelinerun.signer does so for PipelineRuns. Different folks may be interested in only one of those. I don't think there's any point, other than debugging/development reasons, to ever run Chains with all @anithapriyanatarajan and I responded at the same time. I support her answer as well. |
|
Thanks all for help understanding the use-case.
@lcarva It sounds like you're saying this setting does make sense to have on |
I think it makes sense to have it on at least one of |
|
/ok-to-test |
tekton-robot
added
the
ok-to-test
|
Not sure why the checks were cancelled... Trying to re-run them. |
|
@lcarva seems like all are passing but one |
lcarva
left a comment
lcarva
left a comment
There was a problem hiding this comment.
/lgtm
Thanks for all the tests!
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aThorp96, lcarva The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
6 participants
Changes
this change allows users to disable image signing while still allowing provenance generation and attestation signing
partially fixes #1406
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes