feat: add cosign binary to nerdctl-full #680
Conversation
|
Please remove this Line 243 in e785883 |
thank you for bringing it to my attention, I've removed this line. ✌️ |
| echo "- IPFS: ${IPFS_VERSION}" >> /out/share/doc/nerdctl-full/README.md \ | ||
| ARG COSIGN_VERSION | ||
| RUN fname="cosign-${TARGETOS:-linux}-${TARGETARCH:-amd64}" && \ | ||
| curl -o "${fname}" -fSL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}" && \ |
There was a problem hiding this comment.
it says so because it seems that COSIGN_VERSION is not replaced in the URL, why is that? I've defined it as an ARG with a value of v1.4.1.
There was a problem hiding this comment.
did I do something wrong?
There was a problem hiding this comment.
The URL that I'm trying to construct is correct:
- fname=cosign-linux-amd64
- COSIGN_VERSION=v1.4.1
- https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${fname}
👉 https://github.com/sigstore/cosign/releases/download/v1.4.1/cosign-linux-amd64
There was a problem hiding this comment.
kindly ping 🙋🏻♂️
There was a problem hiding this comment.
Maybe try to echo the same string in your Dockerfile to say if it is expected.
Why is this binary so large? |
idk actually :( |
|
kindly ping @AkihiroSuda 🙋🏻♂️ |
|
kindly ping @AkihiroSuda 🙋🏻♂️ |
|
Sorry for going back and forth, but I'd like to see binary footprint to be reduced I'd expect it to be around 10MB |
|
There's an issue tracking size reduction here: sigstore/cosign#1462 FWIW I don't think 10mb is doable today, the Go binaries are just too large. I've seen it hit ~20mb with compression and stripping out some features. |
|
WDYT @AkihiroSuda? 🙋🏻♂️ |
|
Thanks, 20MB is probably fine |
|
I know @AkihiroSuda you don't want to add cosign until its binary size shrinks, but according to the issue1, once we generate an SBOM of an image, we should use cosign to attach it to the registry along with an image by default. Also, there is an ongoing issue in Syft to support uploading SBOM results directly to an OCI registry.2 Footnotes |
|
kindly ping @AkihiroSuda |
|
With the latest improvements, the binary size of cosign is shrunk to approximately ~70MB. exiftool $(which cosign)
ExifTool Version Number : 12.42
File Name : cosign
Directory : /Users/batuhan.apaydin/.nix-profile/bin
File Size : 71 MB
File Modification Date/Time : 1970:01:01 02:00:01+02:00
File Access Date/Time : 2022:11:04 14:17:49+03:00
File Inode Change Date/Time : 2022:11:04 14:15:38+03:00
File Permissions : -r-xr-xr-x
File Type : Mach-O executable
File Type Extension :
MIME Type : application/octet-stream
CPU Architecture : 64 bit
CPU Byte Order : Little endian
CPU Type : x86 64-bit
CPU Subtype : i386 (all) 64-bit
Object File Type : Demand paged executable
Object Flags : No undefs, Dyld link, Two levelIs it still big enough for adding this binary into lima VM? |
This is a darwin binary, not for Linux |
|
for Linux, it is even better, ~64 MB 🙉 |
|
Hello @AkihiroSuda, this PR will fix the problems related to signing&verifying images with cosign because, at the moment, people can't use the new features of nerdctl and nerdctl compose for signing. |
Signed-off-by: Batuhan Apaydın <[email protected]> Co-authored-by: Furkan Türkal <[email protected]>
|
I think you should try to get the distros to support aptgetting cosign. If it faces difficulty we can revisit this PR. |
|
Looks like cosign is now providing deb and rpm packages (although delivered from github). Is this here still relevant in that context? |
Signed-off-by: Batuhan Apaydın [email protected]
Co-authored-by: Furkan Türkal [email protected]
fixes #679
cc: @Dentrax