"Created" date for signature is always Dec 31, 0 #522
Comments
We generally avoid unnecessarily breaking reproducibility whenever possible, which means setting such timestamps to a constant value. If there's demand for it, we could add a flag to timestamp the signature images
On GitLab, the signature or attestation files would be created as a very old date.
I'd be fine setting this to a real value. Reproducibility is good, but the signatures are random anyway. What do people think? Setting a real time could be useful, with a flag for reproducible? Time seems like it would be better to set by default TBH.
I like the idea of using wall time by default and allowing clamping if an option is passed (maybe even using
What's the main goal of adding the creation timestamp to the sig images? I'd be worried about potentially misleading interpretation when an image has multiple signatures, if the goal is to associate a signature with the timestamp.
FWIW I'd also want to go through some formal design process and consider registry implementations if we just want to easily enable age-based garbage collection. Guess what contributed to "GKE's largest outage?"
I can confirm that they do get removed 😅
Cc @imjasonh who has been talking about timestamps lately
ref: docs for GitLab Registry housekeeping: https://docs.gitlab.com/ee/user/packages/container_registry/reduce_container_registry_storage.html I don't totally agree with GitLab's decision to implement housekeeping in this way, but since they do, I think it makes sense to set the
I tried to have a look where in the code base this date is set but I could not find it. Using reflect to modify the signature does not seem like a good idea, so if one could drop me a hint where to set this date I could try to create a PR for this issue (:
The reason you can't find code for setting that date is because we don't set that date anywhere, and the zero date is the default. Sorry that's a bit confusing. The place where we'd set the time is probably in https://github.com/sigstore/cosign/blob/main/pkg/oci/mutate/signatures.go when we append a signature to the existing set of signatures. When there aren't any previous signatures, we append to an So where we
edit again: Never mind, there's
When signing images and pushing them to Google Cloud Registry, the signature's "Created" date is always Dec 31, 0.
I would have expected the "Created" date for the signature to be the date the container was signed.
printenv GCR_ACCOUNT | docker login -u _json_key --password-stdin gcr.io
cosign sign -key cosign.key $NAMESPACE:$version
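
The following is an added example, not part of the original thread and not cosign's code. It shows how an unset Go `time.Time` serializes into an image config's `created` field, and why an age-based cleanup rule treats such a signature image as expired. The `reproducible` switch, the `expiredByAge` rule and the sample times are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// configFile is a minimal stand-in for the "created" field of an image config.
type configFile struct {
	Created time.Time `json:"created"`
}

// marshalCreated shows what a registry receives for a given Created value.
func marshalCreated(created time.Time) string {
	b, _ := json.Marshal(configFile{Created: created})
	return string(b)
}

// createdFor picks the timestamp for a new signature image: wall-clock time by
// default, the constant zero value when reproducible output is requested.
// The reproducible switch is hypothetical, not an existing cosign flag.
func createdFor(now time.Time, reproducible bool) time.Time {
	if reproducible {
		return time.Time{}
	}
	return now.UTC().Truncate(time.Second)
}

// expiredByAge models an age-based cleanup rule (assumed, not GitLab's code):
// an artifact is removable once it was created more than maxAge ago.
func expiredByAge(created, now time.Time, maxAge time.Duration) bool {
	return created.Before(now.Add(-maxAge))
}

func main() {
	now := time.Date(2021, 8, 1, 12, 0, 0, 0, time.UTC) // constructed sample time
	maxAge := 90 * 24 * time.Hour
	for _, reproducible := range []bool{true, false} {
		c := createdFor(now, reproducible)
		fmt.Printf("reproducible=%v %s expired=%v\n",
			reproducible, marshalCreated(c), expiredByAge(c, now, maxAge))
	}
	// Shifted a few hours west of UTC, the zero value falls on Dec 31 of year 0.
	west := time.Time{}.In(time.FixedZone("UTC-8", -8*3600))
	fmt.Println(west.Format("Jan 2, 2006"))
}
```
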