V1 go tuf update #3598

Merged


kommendorkapten
Member

Summary

Per the latest sigstore/root-signing#1164 in the Sigstore Public Good instance, the key type is changing for the TUF keys. To keep cosign v1 working, I've updated to the latest go-tuf version.

This is the same PR as #3597 but against release-1.13 branch. We should probably push it to a new branch instead, but opening to get all the tests to run.

Release Note

  • Updated go-tuf version to v0.7.0
  • Updated sigstore/sigstore to v1.8.0

Documentation

N/A

kommendorkapten and others added 7 commits March 14, 2024 10:26
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
swap out deprecated lib

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
swap out deprecated lib

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
fix gofmt issue

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
go mod tidy

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>
free up space ahead of running goreleaser

Signed-off-by: Bob Callaway <bobcallaway@users.noreply.github.com>

codecov bot commented Mar 14, 2024

Codecov Report

Attention: Patch coverage is 1.57480% with 125 lines in your changes are missing coverage. Please review.

Project coverage is 29.73%. Comparing base (ea92927) to head (be9bf89).

Files Patch % Lines
cmd/cosign/cli/tuf_policy.go 0.00% 117 Missing ⚠️
cmd/cosign/cli/policy_init.go 0.00% 7 Missing ⚠️
cmd/cosign/cli/verify/verify_blob_attestation.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release-1.13    #3598      +/-   ##
================================================
- Coverage         30.14%   29.73%   -0.42%     
================================================
  Files               136      137       +1     
  Lines              8443     8560     +117     
================================================
  Hits               2545     2545              
- Misses             5568     5685     +117     
  Partials            330      330              


Contributor

@haydentherapper haydentherapper left a comment

@cpanato any concerns with adding this to the release-1.13 branch? and anything special we need to know about triggering a release for 1.13.2?

@cpanato
Member

cpanato commented Mar 15, 2024

@haydentherapper nothing, it will be similar to the previous one.

but this will be the last for the branch? or how long will we maintain this?

@kommendorkapten
Member Author

I would hope this would be the last update for v1, i.e. we won't continue to maintain it anymore. But of course, I'm not the authoritative person to make such a decision :)

@kommendorkapten
Member Author

Do we have any data on how many people are still downloading or using cosign v1?

@haydentherapper
Contributor

I’m still skeptical that we need this. Kyverno was the only major customer I was aware of but they’ve upgraded to v2. We could hold off on merging until after the root is upgraded and see if there’s any complaints from v1 users?

@cpanato
Member

cpanato commented Mar 16, 2024

Only kyverno was asking in the past.

I think we can hold this for a while

@haydentherapper
Contributor

We've had a request for it, so moving forward with this.

@haydentherapper haydentherapper merged commit 566ab9d into sigstore:release-1.13 Mar 21, 2024
35 checks passed
@kommendorkapten kommendorkapten deleted the v1-go-tuf-update branch March 22, 2024 14:30