Replace cosign binary with bash wrapper [0.4] #1897
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is now possible to initialize the TUF root directly with the ec-cli. No need to use another binary, e.g. cosign, to perform this operation. Ref: EC-584 Signed-off-by: Luiz Carvalho <[email protected]>
Modify the verify-enterprise-contract Task to no longer rely on the cosign binary to initialize the TUF root. Instead, use the newly added `ec sigstore initialize` command. As a consequence, the cosign binary is also removed from the ec-cli container image. Ref: EC-584 Signed-off-by: Luiz Carvalho <[email protected]>
simonbaird
changed the title
simonbaird
changed the title
|
Ha! I love it. If we're doing that approach, let's revert the change to the Task. This will tell us for user if the wrapper is working as intended. |
simonbaird
force-pushed
the
no-cosign-with-wrapper-v04
branch
from
8103157 to
d821d76
Compare
simonbaird
force-pushed
the
no-cosign-with-wrapper-v04
branch
4 times, most recently
from
10d8b00 to
d54394f
Compare
|
New revision switches back to |
lcarva
approved these changes
Aug 29, 2024
Add a bash script wrapper for ec sigstore initialize that allows a "cosign initialize" command to work. It's a long story, but we're trying to remove the cosign binary from the image. It's done already in main branch, but removing it from this image in the release branch makes me worry about RHTAP users since I'm not confident when or how they'd get an upgraded version of the tekton task. The task used by RHTAP users is in the tssc-sample-pipelines repo, see [1] and [2], so we could update that, but it's possible that the RHTAP users forked that repo, or copied the task and customized it, etc. So there would be a good chance we'd break them if cosign was removed. Also changed the task definition back to "cosign initialize". Either would work, but this way our test suite should confirm the backwards compatibility wrapper script works as expected. Ref: https://issues.redhat.com/browse/EC-584 Ref: https://issues.redhat.com/browse/EC-817 [1] https://github.com/redhat-appstudio/tssc-sample-pipelines/blob/822d9a01d031ceb772bd2cca0fc7495ad91ac3c1/pac/gitops-repo/gitops-on-pull-request.yaml#L11 [2] https://github.com/redhat-appstudio/tssc-sample-pipelines/blob/822d9a01d031ceb772bd2cca0fc7495ad91ac3c1/pac/tasks/verify-enterprise-contract.yaml#L107
simonbaird
force-pushed
the
no-cosign-with-wrapper-v04
branch
from
d54394f to
6f11f6a
Compare
This was referenced Aug 29, 2024
|
I want to merge this a little after merging #1900 due to https://issues.redhat.com/browse/CLOUDWF-10542 . |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Same as #1873 but with an extra hack-cherry on top.
Ref: https://issues.redhat.com/browse/EC-817