
Setup to allow sign/attest using both cosign v2 and v3 #483

Draft
jdolitsky wants to merge 14 commits into chainguard-dev:main from jdolitsky:legacy-secant

@jdolitsky
Contributor

Add a "legacy" secant package, which reverts some of the changes in #471. This means we have 2 isolated secant packages that can be used by the provider to sign using either v2 or v3.

Not included here is a way to configure the provider to sign in one of 3 modes:

  • Just v3
  • Just v2 ("legacy")
  • Both

@jdolitsky jdolitsky requested a review from codysoyland March 23, 2026 21:36
@jdolitsky jdolitsky force-pushed the legacy-secant branch 2 times, most recently from a9d457a to f2c16f0 Compare March 23, 2026 22:00
Add a "legacy" secant package, which reverts some of the
changes in chainguard-dev#471. This means we have 2 isolated secant packages
that can be used by the provider to sign using either v2 or v3.

Not included here is a way to configure the provider to sign
in one of 3 modes:
- Just v3
- Just v2 ("legacy")
- Both

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
@jdolitsky jdolitsky marked this pull request as draft March 23, 2026 22:44
@codysoyland

I know this is still draft, but I did want to call out a couple of things:

  • We'll need to implement certificate caching like secant. I think we'll have to copy some code from cosign, but sigstore-go offers `BundleOptions.CertificateProvider`, which should help us with this.
  • I would really like to have some e2e tests for this. I see that secant doesn't have this currently but I think it's a good time to add it.
