Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecate --attachment sbom commands #2755

Closed
lcarva opened this issue Feb 28, 2023 · 8 comments · Fixed by #3256
Closed

Deprecate --attachment sbom commands #2755

lcarva opened this issue Feb 28, 2023 · 8 comments · Fixed by #3256
Labels
enhancement New feature or request sbom

Comments

@lcarva
Copy link
Contributor

lcarva commented Feb 28, 2023

Description

There are two ways to sign an SBOM and connect it an image.

The first option relies on cosign attach sbom to push the SBOM to the OCI registry and connect it to the image. Then, the user must use cosign sign --attachment sbom to sign the SBOM image attached to the underlying image. NOTE: this is a new .sig image for the SBOM image itself. The verification is also a two step process. 1) cosign verify --attachment sbom; then B) cosign download ... . Given that these commands take the digest of the underlying image and not the digest of the SBOM image, the verification process is susceptible to TOCTOU attacks.

The second option adds a new layer to the .att image which includes the signed SBOM data. This is done via cosign attest --type .... It can be verified in one step via cosign verify-attestation type ... . It is also a more generic approach since it can also be used to verify SLSA Provenance and other attestations types.

As a user, it is confusing that both options are available. It is also not obvious, at first, which option is better.

Let's deprecate the --attachment parameter of cosign sign and cosign attest according to the deprecation guidelines.

@lcarva lcarva added the enhancement New feature or request label Feb 28, 2023
@priyawadhwa
Copy link
Contributor

sgtm! Based on our deprecation policy, we need to:

  1. Print a deprecation messaged to stderr whenever the --attachment flag is passed. We should mention that the cosign attest command should be used instead.
  2. Remove the flag in 6 months :)

@ChristianCiach
Copy link
Contributor

ChristianCiach commented Mar 1, 2023

I am confused about this proposal. Do you want to effectively deprecate the .sbom artifacts in favor of the .att artifacts?

We currently prefer to use SBOMs over attestations because attestations are too hard to work with:

I agree that the current two-step process of uploading and signing, or downloading and verifying an SBOM is cumbersome and also produces unavoidable warnings. That's why I've created this issue a while ago:

If cosign decides to deprecate and eventually remove SBOMs in favor of attestations, I would be fine with that, because we are currently struggling to decide which attachment type we should use for our SBOMs. We are currently using .sbom for the sole reason that these are easily retrieved by using cosign download sbom. Before making attestations the only option, please solve #2307 before doing so.

@lcarva
Copy link
Contributor Author

lcarva commented Mar 2, 2023

@ChristianCiach, I just realized the main downside of using attachments. The connection between the attachment (SBOM) and the underlying image is done via tag convention, i.e. :sha256-<digest>.sbom. If image A has SBOM A', and image B has SBOM B', someone with registry access can swap the relationship so image A has SBOM B', and vice-versa.

Contrast this with attestations. An attestation contains the data and the subject in a signed envelope. Swapping SBOMs requires re-signing the envelope. The relationship between an attestation and an image is signed.

For this reason, and the possibility of TOCTOU attacks (mentioned in the description), I am convinced that the attachments approach should be deprecated ASAP.

UPDATE: The SBOM itself does mention which image it describes. For CycloneDX, this is found under .metadata.component. This does provide a stronger connection between the SBOM and the underlying image. Of course, this is highly dependent on the SBOM format itself, and requires custom verification.

lcarva added a commit to lcarva/cosign that referenced this issue Sep 22, 2023
This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Resolves sigstore#2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
lcarva added a commit to lcarva/cosign that referenced this issue Sep 22, 2023
This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Fixes sigstore#2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
lcarva added a commit to lcarva/cosign that referenced this issue Sep 22, 2023
This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Resolves sigstore#2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
haydentherapper pushed a commit that referenced this issue Sep 25, 2023
This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Resolves #2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
@ChristianCiach
Copy link
Contributor

ChristianCiach commented Sep 25, 2023

It's a bit sad to see that the sbom commands have been deprecated while the consumption of attestations (like extracting the SBOM from an attestion) is still so cumbersome and needs external tooling, as described in my previous comment.

lance pushed a commit to securesign/cosign that referenced this issue Sep 25, 2023
This change marks any usage of SBOM attachments as deprecated. Instead,
users are recommended to use SBOM attestations due to its increased
security.

Resolves sigstore#2755

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
@ChristianCiach
Copy link
Contributor

ChristianCiach commented Feb 1, 2024

Seeing that SBOM attachments will be removed soon, I want to point out that it's still not possible to push SBOM attestations as an OCI compliant artifact, because #1397 only added (still experimental) support for pushing signatures and SBOM attachments as OCI artifacts, but not attestations. This makes it currently impossible to push attestations to https://zotregistry.dev

See related issue:

@haydentherapper
Copy link
Contributor

haydentherapper commented Feb 12, 2024

Hey @ChristianCiach, happy to revisit this. Reviewing this issue, I think both approaches are not ideal - SBOM signatures as separate artifacts have the TOCTOU concerns @lcarva brought up, while attestations as signatures are more heavyweight.

Are there efforts to standardize signed SBOMs that we could implement? Something like SBOMit? Or can we design detached signatures in such a way to mitigate TOCTOU concerns?

I'm not very familiar with this space. @lumjjb did you have thoughts on this, detached SBOM sigs vs attestations over SBOMs vs something more standardized?

@ChristianCiach
Copy link
Contributor

ChristianCiach commented Feb 12, 2024

I think attestations are the way to go. There is nothing wrong with using attestations for SBOM purposes, IMHO. The only thing missing in Cosign is the support for the OCI 1.1 Referrers-API to store attestations. Related issue:

Or, at the very least, Cosign should support using OCI compliant media-types instead of the proprietary Docker media-types.

@lumjjb
Copy link

lumjjb commented Feb 13, 2024

Attestations for an SBOM is good to be able to be able to provide integrity and provenance for an SBOM, as well as an optional effect of attaching it to a subject.

I believe SBOMs should still be their own blobs (i.e. not an embedded predicate), since they are meant to be composable by bundling SBOM files together, and they reference each other by their file hash, and they can become very large (we've seen 500MB+ SBOMs).

+1 to OCI 1.1 referrers api, that's what we're implementing as well for GUAC OCI collector.

umesh3034 added a commit to umesh3034/cilium that referenced this issue Feb 17, 2024
Currently, Cilium attaches SBOMs to images using
 cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.

This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest

Fixes: cilium#30664

Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
github-merge-queue bot pushed a commit to cilium/cilium that referenced this issue Feb 17, 2024
Currently, Cilium attaches SBOMs to images using
 cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.

This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest

Fixes: #30664

Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
aanm pushed a commit to aanm/cilium that referenced this issue Feb 19, 2024
Currently, Cilium attaches SBOMs to images using
 cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.

This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest

Fixes: cilium#30664

Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
tklauser pushed a commit to cilium/cilium that referenced this issue Feb 20, 2024
[ upstream commit dbc52a0 ]

Currently, Cilium attaches SBOMs to images using
 cosign attach sbom --sbom sbom.spdx quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }}
during build images workflows.

This raises the following warning:
---
WARNING: SBOM attachments are deprecated and support will be removed
in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755).
Instead, please use SBOM attestations.
---
Cilium build image workflows need to migrate to using cosign attest

Fixes: #30664

Signed-off-by: Umesh Keerthy <umesh.freelance@gmail.com>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
imjasonh added a commit to chainguard-dev/edu that referenced this issue Sep 26, 2024
Cosign complains when attaching unsigned SBOMs, and we shouldn't recommend this path when signed SBOMs are better.

```
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations.
WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate amd_64.spdx --key <key path>'.
```

Signed-off-by: Jason Hall <jason@chainguard.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request sbom
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants