Replace cosign binary with bash wrapper [0.2] #1900
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is now possible to initialize the TUF root directly with the ec-cli. No need to use another binary, e.g. cosign, to perform this operation. Ref: EC-584 Signed-off-by: Luiz Carvalho <[email protected]>
Modify the verify-enterprise-contract Task to no longer rely on the cosign binary to initialize the TUF root. Instead, use the newly added `ec sigstore initialize` command. As a consequence, the cosign binary is also removed from the ec-cli container image. Ref: EC-584 Signed-off-by: Luiz Carvalho <[email protected]>
Add a bash script wrapper for ec sigstore initialize that allows a "cosign initialize" command to work. It's a long story, but we're trying to remove the cosign binary from the image. It's done already in main branch, but removing it from this image in the release branch makes me worry about RHTAP users since I'm not confident when or how they'd get an upgraded version of the tekton task. The task used by RHTAP users is in the tssc-sample-pipelines repo, see [1] and [2], so we could update that, but it's possible that the RHTAP users forked that repo, or copied the task and customized it, etc. So there would be a good chance we'd break them if cosign was removed. Also changed the task definition back to "cosign initialize". Either would work, but this way our test suite should confirm the backwards compatibility wrapper script works as expected. Ref: https://issues.redhat.com/browse/EC-584 Ref: https://issues.redhat.com/browse/EC-817 [1] https://github.com/redhat-appstudio/tssc-sample-pipelines/blob/822d9a01d031ceb772bd2cca0fc7495ad91ac3c1/pac/gitops-repo/gitops-on-pull-request.yaml#L11 [2] https://github.com/redhat-appstudio/tssc-sample-pipelines/blob/822d9a01d031ceb772bd2cca0fc7495ad91ac3c1/pac/tasks/verify-enterprise-contract.yaml#L107 (cherry picked from commit 6f11f6a)
lcarva
approved these changes
Aug 29, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The v0.2 version of #1897.
Brings back the commits from (abandoned) #1874.
Ref: https://issues.redhat.com/browse/EC-817