Figure out how to store attestations on OCI images #203
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
dlorenc
added
the
kind/feature
|
I think we can check if the payload we're uploading is an OCI image or an in-toto statement, and if it's the image then create the signature the way we've been doing it with cosign chains/pkg/chains/storage/oci/oci.go Line 89 in 407e75f and if it's the in-toto statement we can use the cosign library for generating the attestation layer & used the is there anything i'm missing? |
|
nope, sgtm |
This was referenced Aug 24, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We've started storing attestations for images in cosign using a ".att" suffix. We should figure out how to do that here in chains (right now we don't support storing attestations in OCI). I think the biggest challenge will be that the storage backends don't know what they're storing (signatures vs. attestations), and we hardcoded the ".sig" suffix.
cc @priyawadhwa any ideas?
The text was updated successfully, but these errors were encountered: