Support Sigstore bundle verification for cosign v3 by SequeI · Pull Request #3 · SequeI/cli · GitHub

Support Sigstore bundle verification for cosign v3#3

Merged
SequeI merged 33 commits into
mainfrom
bundleAware
Apr 2, 2026

Conversation

SequeI (Owner) commented Feb 24, 2026

cosign v3 stores signatures as OCI referrer bundles by default, but ec only supported the legacy tag-based format. Detect bundles via cosign.GetBundles() and route verification through the bundle-aware code path, matching what the cosign CLI already does internally.

Also fix typos and incorrect examples in CLI help text.

ec-automation Bot and others added 6 commits February 16, 2026 09:45
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…st to c7d4414

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Add log.WithField("function", ...) to PURL and sigstore custom Rego
builtin functions to ease troubleshooting. This follows the same
pattern already used in the OCI builtin functions.

Functions updated:
- ec.purl.is_valid
- ec.purl.parse
- ec.sigstore.verify_image
- ec.sigstore.verify_attestation

Ref: EC-1668
Resolves: conforma#1361
Signed-off-by: Rob Nester <rnester@redhat.com>
add structured logging to PURL and sigstore Rego builtins
simonbaird and others added 21 commits February 24, 2026 23:29
Not related to, but done in the PR for...

Ref: https://issues.redhat.com/browse/EC-1647
This adds a --skip-image-sig-check flag to ec validate image. It
defaults to false currently so we're not changing the default
behavior.

Motivation: It's been suggested that the image signing that Tekton
Chains does is low value, since it will sign whatever image ref is
found in a task or pipeline result. See
tektoncd/chains#1346 which suggests it
should stop doing it. (Attestation signing remains crucial though
since Chains is the thing creating those.)

Additionally, we need to support verifying "keyless" signatures in
our Tekton task, which IIUC will require providing different oidc
identities for each component image, since in Konflux the service
account is different for different components, and a different
identity to verify the attestation signature. Conforma doesn't
support this currently. We could implement support for providing
multiple oidc identities, but being able to skip the image signature
check means we can more quickly support verifying keylessly signed
attestations.

Ref: https://issues.redhat.com/browse/EC-1647
Co-authored-by: Claude Code <noreply@anthropic.com>
Covers scenarios where the image sig is valid, and also when it is
invalid.

Ref: https://issues.redhat.com/browse/EC-1647
…mages

Update registry.access.redhat.com/ubi9/ubi-minimal:latest Docker digest to c7d4414 (main)
…registry

Bump conforma/go-containerregistry
…-main/docker-images

Update registry.access.redhat.com/ubi9/ubi-minimal:latest Docker digest to c7d4414 (main)
…b.com-sigstore-rekor-vulnerability

Update module github.com/sigstore/rekor to v1.5.0 [SECURITY] (main)
…thub-actions

Update github/codeql-action action to v4.32.4 (main)
…ctions

Update github actions (main) (minor)
I guess our Renovate PRs don't do this.

Unrelated cleanup while working on the PR for....

Ref: https://issues.redhat.com/browse/EC-1681
The goal is to be able to access the task definitions inside a
Tekton task bundle, so we can then apply task definition related
policy checks to them, but I think this is a generally useful
addition to our custom oci functions.

Ref: https://issues.redhat.com/browse/EC-1681
Co-authored-by: Claude Code <noreply@anthropic.com>
Introduce a limit to avoid potential memory exhaustion attacks.

Honestly I'm not sure how important this is, but I guess it's fine.
It was suggested in code review by Qodo.

We actually did have a limit in the past, but it was too small, and
caused problems with large SBOMs. I hesitated to bring back a limit,
however, the context is a little different, ociBlob vs ociBlobFile,
and I'm making the limit 500MB instead of 10MB.

Ref: https://issues.redhat.com/browse/EC-1681
Co-authored-by: Claude Code <noreply@anthropic.com>
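The commit above describes capping ociBlobFile reads at 500MB to avoid memory exhaustion. The following is an added example of that pattern, not code from this PR or from ec; the function names, the 1 KiB demo limit and the sample blobs are constructed for illustration, and only the standard library is used. The point it shows that the commit message does not is the off-by-one that matters: read limit+1 bytes so an oversized blob is rejected, not silently truncated at the limit and then treated as a valid (but corrupted) SBOM.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrBlobTooLarge is returned instead of silently truncating the blob.
var ErrBlobTooLarge = errors.New("blob exceeds configured size limit")

// maxBlobBytes mirrors the 500MB cap the commit message mentions for
// ociBlobFile; the exact value is an assumption for this example.
const maxBlobBytes int64 = 500 << 20

// ReadBlobLimited reads at most limit bytes from r. It asks for one byte more
// than the limit so that an oversized blob is detected and rejected rather
// than cut off at the limit and handed back as if it were the whole file.
// Memory use is bounded by limit+1 regardless of what the registry sends.
func ReadBlobLimited(r io.Reader, limit int64) ([]byte, error) {
	if limit <= 0 {
		return nil, fmt.Errorf("limit must be positive, got %d", limit)
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, fmt.Errorf("reading blob: %w", err)
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("%w: more than %d bytes", ErrBlobTooLarge, limit)
	}
	return data, nil
}

// ReadBlobUnbounded is the shape of the code before a limit existed:
// io.ReadAll keeps growing its buffer until the stream ends, so a hostile
// or misconfigured registry can drive the verifier out of memory.
func ReadBlobUnbounded(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

func main() {
	fmt.Printf("production cap would be %d bytes\n", maxBlobBytes)

	// Constructed sample blobs: one exactly at a 1 KiB demo limit, one byte over.
	const limit int64 = 1024
	blobs := [][]byte{
		bytes.Repeat([]byte("a"), 1024),
		bytes.Repeat([]byte("b"), 1025),
	}
	for _, blob := range blobs {
		data, err := ReadBlobLimited(bytes.NewReader(blob), limit)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted %d bytes\n", len(data))
	}
}
```

Two caveats a reviewer would add, both consistent with the later commit in this PR that calls the limit's value questionable: the cap bounds one read, so concurrent fetches still cost up to limit × concurrency, and it only helps if every registry fetch goes through a limited reader; a single unbounded io.ReadAll elsewhere leaves the original problem in place.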
Multiple LLMs are worried about using the same cache key for two
potentially different things. Let's make it clear that it's not a
problem.

In reality I don't think it could be a problem, since the cache key
includes the image ref, which in the case of a blob will always have
a digest. But, I figure there's no harm in making the code intent
clear, and avoid having to explain that subtle detail to the bots.

Ref: https://issues.redhat.com/browse/EC-1681
Co-authored-by: Claude Code <noreply@anthropic.com>
Sometimes Claude doesn't format everything so I want an easy way to
fix the formatting. There might be a better way to do it (and maybe
make lintfix will do it?), but this works for me.

Unrelated tweak while working on...

Ref: https://issues.redhat.com/browse/EC-1681
Well the bot wanted the limit checks, then the bot pointed out that
they aren't very effective. I don't want to add limit checks on all
the oci fetches, but I also don't want to re-remove what we have
here, so let's at least point out that its value is questionable.

Ref: https://issues.redhat.com/browse/EC-1681
Since we're using the cache for both image files and blob files,
let's stop calling it imageFilesCache. Same thing for single flight.

Suggested by Qodo in code review.

Co-authored-by: Claude Code <noreply@anthropic.com>
Ref: https://issues.redhat.com/browse/EC-1681
@github-actions github-actions Bot added size: XL and removed size: L labels Mar 2, 2026
simonbaird and others added 6 commits March 2, 2026 10:59
Done like this:
  curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher | bash -s bump-task-refs

But I manually updated these since the bash script doesn't update the tag versions:
- init                   0.3 -> 0.4
- buildah-remote-oci-ta  0.8 -> 0.9
- push-dockerfile-oci-ta 0.1 -> 0.2

No migrations are needed iiuc.

The init task was the motivation for this since the 0.3 versions are
now expired. I'm doing the other two to keep ahead of things.
…r-konflux-refs

chore(deps): Update Konflux task refs
cosign v3 stores signatures as OCI referrer bundles by default, but ec
only supported the legacy tag-based format. Detect bundles via
cosign.GetBundles() and route verification through the bundle-aware
code path, matching what the cosign CLI already does internally.

Also fix typos and incorrect examples in CLI help text.

Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>
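The PR description and the merge commit above say that cosign v3 stores signatures as OCI referrer bundles by default and that ec now detects bundles and routes verification through a bundle-aware path, falling back to the legacy tag otherwise. The following is an added example of that routing decision, not code from this PR, from ec or from cosign, and it uses only the standard library so it runs offline. What is real: cosign v3 pushes bundles as OCI 1.1 referrers with a `application/vnd.dev.sigstore.bundle...` artifactType, and the legacy signature lives at the tag `<alg>-<hex>.sig` in the same repository. What is constructed: the referrers index JSON, the digests, the repository name and the function names. A real implementation would fetch the index from the registry's referrers endpoint (cosign.GetBundles does this for you) and hand the bundles to cosign's bundle verifier instead of returning references.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Media types cosign v3 actually uses: bundles are OCI 1.1 referrers whose
// artifactType is a Sigstore bundle type; the referrers API returns an index.
const (
	bundleArtifactPrefix = "application/vnd.dev.sigstore.bundle"
	ociIndexMediaType    = "application/vnd.oci.image.index.v1+json"
)

// Constructed sample data (not real digests): the subject image, an index with
// one bundle referrer and one unrelated SBOM referrer, and an empty index.
const (
	imageHex     = "1111111111111111111111111111111111111111111111111111111111111111"
	bundleHex    = "2222222222222222222222222222222222222222222222222222222222222222"
	sampleDigest = "sha256:" + imageHex
	sampleIndex  = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
     "size": 1234,
     "artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
     "size": 5678,
     "artifactType": "application/spdx+json"}
  ]
}`
	emptyIndex = `{"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests": []}`
)

// referrersIndex is the subset of an OCI image index needed for routing.
type referrersIndex struct {
	MediaType string `json:"mediaType"`
	Manifests []struct {
		Digest       string `json:"digest"`
		ArtifactType string `json:"artifactType"`
	} `json:"manifests"`
}

// BundleDigests returns the digests of referrers whose artifactType is a
// Sigstore bundle. An empty result means "no bundles, use the legacy tag".
func BundleDigests(index []byte) ([]string, error) {
	var idx referrersIndex
	if err := json.Unmarshal(index, &idx); err != nil {
		return nil, fmt.Errorf("parsing referrers index: %w", err)
	}
	if idx.MediaType != ociIndexMediaType {
		return nil, fmt.Errorf("unexpected referrers media type %q", idx.MediaType)
	}
	var out []string
	for _, m := range idx.Manifests {
		if strings.HasPrefix(m.ArtifactType, bundleArtifactPrefix) {
			out = append(out, m.Digest)
		}
	}
	return out, nil
}

// LegacySigTag builds the tag cosign used before bundles: the image digest
// with ":" replaced by "-" and ".sig" appended.
func LegacySigTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("digest %q is not <algo>:<hex>", digest)
	}
	return algo + "-" + hex + ".sig", nil
}

// Route returns "bundle" with the referrer references when bundles exist,
// otherwise "legacy" with the tag reference the old code path would fetch.
func Route(repo, digest string, index []byte) (string, []string, error) {
	digests, err := BundleDigests(index)
	if err != nil {
		return "", nil, err
	}
	if len(digests) > 0 {
		refs := make([]string, 0, len(digests))
		for _, d := range digests {
			refs = append(refs, repo+"@"+d)
		}
		return "bundle", refs, nil
	}
	tag, err := LegacySigTag(digest)
	if err != nil {
		return "", nil, err
	}
	return "legacy", []string{repo + ":" + tag}, nil
}

func main() {
	for _, idx := range []string{sampleIndex, emptyIndex} {
		path, refs, err := Route("registry.example/app", sampleDigest, []byte(idx))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s path -> verify %v\n", path, refs)
	}
}
```

Routing is only the first step: the presence of a bundle referrer proves nothing, since anyone who can push to the repository can attach one. The bundle still has to be verified against the trusted root and the same key or identity policy that the legacy path enforces, and a verifier should fail closed if the referrer is found but its payload does not verify, rather than dropping back to the legacy tag.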
@SequeI SequeI merged commit bb47538 into main Apr 2, 2026
8 checks passed


4 participants