@p5 p5 commented Dec 24, 2025

Fixes #388

This is a very early stage implementation of the new sigstore bundle format verification for use in podman, skopeo and co.

Cosign v3 was released a few months ago with a change to the default format they use for signatures. The new format is not compatible with this library, and therefore verification fails on any image pushed using the default settings in cosign v3.

This depends on being able to run Go 1.25+, but some dependencies need updating before this is possible.

This does NOT implement pushing new signatures, purely reading and verifying.


This introduces a new library from sigstore themselves to prevent reinventing the wheel. The subdependencies pulled in seem okay and have been vendored.


I expect to iterate over this PR in draft for a while. Just raised this here for some early feedback. Fulcio is completely new to me and I have not yet been able to test this use case.

Assisted by: Claude Opus 4.5 via Cursor

p5 added 2 commits December 24, 2025 02:04
Signed-off-by: Robert Sturla <rsturla@redhat.com>
Signed-off-by: Robert Sturla <rsturla@redhat.com>
@p5 p5 changed the title sigstore-bundle: add sigstore bundle media type consts and helpers sigstore-bundle: add sigstore bundle image verification Dec 24, 2025
@github-actions github-actions bot added the image Related to "image" package label Dec 24, 2025
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Dec 24, 2025
@podmanbot

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6613

@packit-as-a-service

Packit jobs failed. @containers/packit-build please check.

p5 added 3 commits December 24, 2025 03:25
Signed-off-by: Robert Sturla <rsturla@redhat.com>
…atures

Signed-off-by: Robert Sturla <rsturla@redhat.com>
Signed-off-by: Robert Sturla <rsturla@redhat.com>
@p5 p5 force-pushed the dev/robertsturla/sigstore-bundle-verification branch from a285903 to 1f0c308 Compare December 24, 2025 03:29
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Dec 24, 2025

Successfully merging this pull request may close these issues.

Fails to verify signatures for Cosign v3 bundle format