1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
|
# Cosign Bundle Specification
This document aims to describe how `cosign` attaches Sigstore attestation
[bundles](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
to container images.
The goal is to specify the behavior well enough to promote other implementations
and enable interoperability. Attestations attached with `cosign` should be
retrievable in other tools, and vice-versa.
This document focuses on the layout of attestations within an
[OCI Image Manifest V1.1](https://github.com/opencontainers/image-spec/blob/v1.1.0/manifest.md)
object.
This document makes no assumptions about the contents of the Sigstore bundle.
Any attestation which can be represented as a Sigstore bundle (message
signatures, DSSE-wrapped in-toto statements, etc) can be attached to a container
image stored in an OCI registry.
Multiple Attestations may be "attached" to one image.
Attestations attached to a container image are generally assumed to refer to
that image in some way.
## Storage
The approach for storing Sigstore bundles in an OCI registry follows the
[guidelines for artifact usage](https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage)
in the OCI
[image spec](https://github.com/opencontainers/image-spec/blob/main/README.md).
### Publishing
First, the bundle itself is stored in its JSON-serialized form as a blob in the
registry:
```
POST /v2/foo/blobs/uploads/?digest=cafed00d...
Content-Type: application/octet-stream
{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json", ...}
```
In this example “foo” is the name of the repository within the registry to which
the artifact is being uploaded. The digest included as part of the POST is the
hex-encoded SHA-256 digest of the raw bytes of the bundle itself.
Once the blob has been created, the next step is to create a manifest that
associates the bundle blob with the image it describes:
```
PUT /v2/foo/manifests/sha256:badf00d...
Content-Type: application/vnd.oci.image.manifest.v1+json
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"schemaVersion": 2,
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"config": {
"mediaType": "application/vnd.oci.empty.v1+json",
"digest": "sha256:44136fa3...",
"size": 2
},
"layers": [
{
"digest": "sha256:cafed00d...",
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"size": 4971
}
],
"subject": {
"digest": "sha256:c00010ff...",
"mediaType": "application/vnd.oci.image.index.v1+json"
}
}
```
The manifest must have an `artifactType` field which identifies the type of the
artifact being referenced -- in this case, it's the Sigstore bundle media type.
The `layers` collection will have a single entry that points to the bundle's
blob by referencing its size, digest and media type.
The `subject` field associates this artifact with some other artifact which
already exists in this repository (in this case, an image with the digest
`c00010ff`)
Sigstore bundles don't require any additional configuration data, so the
`config` field references the
[empty descriptor](https://github.com/opencontainers/image-spec/blob/f5f87016de46439ccf91b5381cf76faaae2bc28f/manifest.md#guidance-for-an-empty-descriptor).
At this point, any registry which supports the
[referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers)
will automatically associate this manifest with the listed subject and make it
available in the referrers index for that subject.
If the registry DOES NOT support the referrers API, a referrers list must be
manually created/updated using the
[referrers tag scheme](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#referrers-tag-schema).
```
PUT /v2/foo/manifests/sha256-c00010ff...
Content-Type: application/vnd.oci.image.index.v1+json
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:badf00d..",
"size": 779,
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json"
}
]
}
```
This index is uploaded with a tag that references the digest of the image to
which all of the listed artifacts are associated. Each of the items in the
`manifests` collection points to some other related artifact.
### Retrieval
When a client wants to locate Sigstore bundles which may be associated with a
given image, they would first make a request to
[referrers API](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers)
with the image's digest:
```
GET /v2/foo/referrers/sha256:c000100ff...
```
A `404 Not Found` response indicates that the registry does not support the
referrers API and the referrers tag scheme should be used as a fallback:
```
GET /v2/foo/manifests/sha256-c000100ff...
```
A `404` here would indicate that there are no artifacts associated with the
image.
Assuming there are artifacts present, one of the two above calls will return an
image index listing the artifacts which have been associated with the specified
image:
```
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:badf00d..",
"size": 779,
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json"
}
]
}
```
From this the client can identify any Sigstore bundles by looking at the
`artifactType` field.
Using the `digest` listed in the image index, the next step is to retrieve the
manifest for the bundle:
```
GET /v2/foo/manifests/sha256:badf00d..
```
```
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"schemaVersion": 2,
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"config": {
"mediaType": "application/vnd.oci.empty.v1+json",
"digest": "sha256:44136fa3...",
"size": 2
},
"layers": [
{
"digest": "sha256:cafed00d...",
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"size": 4971
}
],
"subject": {
"digest": "sha256:c00010ff...",
"mediaType": "application/vnd.oci.image.index.v1+json"
}
}
```
The final step is to use the `digest` from the first of the `layers` to retrieve
the bundle blob:
```
GET /v2/foo/blobs/uploads/?digest=cafed00d...
```
```
{
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"verificationMaterial": {...},
"messageSignature": {...}
}
```
## Annotations
For any given image, there may be any number of attached attestation bundles.
When there are multiple Sigstore bundles associated with an image it may be
difficult to identify which artifact is which in the image index:
```json
{
"mediaType": "application/vnd.oci.image.index.v1+json",
"schemaVersion": 2,
"manifests": [
{
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"digest": "sha256:facefeed",
"mediaType": "application/vnd.oci.image.manifest.v1+json"
},
{
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"digest": "sha256:d0d0caca",
"mediaType": "application/vnd.oci.image.manifest.v1+json"
}
]
}
```
To help disambiguate attestations, clients may add annotations to the items in
the `manifests` list which indicate what is contained within each bundle and
when it was created:
- `dev.sigstore.bundle.content` - Must be one "message-signature" or
"dsse-envelope" and should match the type of content embedded in the Sigstore
bundle.
- `dev.sigstore.bundle.predicateType` - When the bundle contains a DSSE-wrapped
in-toto statement, the statement's predicate can be reflected here.
- `org.opencontainers.image.created` - Date and time when the attestation bundle
was created, conforming to
[RFC 3339](https://tools.ietf.org/html/rfc3339#section-5.6) (this is one of
the pre-defined annotation keys identified in the
[OCI spec](https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys)).
These annotations should be included as part of the bundle manifest:
```json
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"schemaVersion": 2,
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"annotations": {
"dev.sigstore.bundle.content": "dsse-envelope",
"dev.sigstore.bundle.predicateType": "https://slsa.dev/provenance/v1",
"org.opencontainers.image.created": "2024-03-08T18:18:20.406Z"
},
"config": {
"mediaType": "application/vnd.oci.empty.v1+json",
"digest": "sha256:44136fa3...",
"size": 2
},
"layers": [
{
"digest": "sha256:cafed00d...",
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"size": 4971
}
],
"subject": {
"digest": "sha256:c00010ff...",
"mediaType": "application/vnd.oci.image.index.v1+json"
}
}
```
Registries which support the referrers API will automatically propagate any
annotations on the referring manifest to the index. For registries which do NOT
support the referrers API, the annotations should be added to the index when it
is updated manually. In either case, the end result should look something like
the following:
```json
{
"mediaType": "application/vnd.oci.image.index.v1+json",
"schemaVersion": 2,
"manifests": [
{
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"digest": "sha256:facefeed",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"annotations": {
"dev.sigstore.bundle.content": "message-signature",
"org.opencontainers.image.created": "2024-03-07T18:17:38.000Z"
}
},
{
"artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json",
"digest": "sha256:d0d0caca",
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"annotations": {
"dev.sigstore.bundle.content": "dsse-envelope",
"dev.sigstore.bundle.predicateType": "https://slsa.dev/provenance/v1",
"org.opencontainers.image.created": "2024-03-08T18:18:20.406Z"
}
}
]
}
```
|
