Hi @developer-guy! Thanks for taking a look at implementing this feature. I don't think we should go the route of shelling out to cosign to tackle this for a few reasons: conftest users now have to know what cosign is and install cosign separately, we have no good way of testing the interaction between the two meaning changes to cosign can break this functionality for us, and there are some potential security issues from running any cosign binary in $PATH.

I think there are two options here. First, is we import cosign as a library and use its functions, and the second is we update conftest to write the OCI out to disk via conftest bundle or similar so a script can then sign the bundle with the separate cosign binary, which can then be read back and uploaded with conftest push. Let me know your thoughts.

hello @jalseth, sorry for the late reply, I have been so busy these days, missed this one sorry 🤦‍♂️ cosign has lots of dependencies, one of the downsides of using it as a Go module is that it might increase the binary size, also make code more complex, or also, it might cause some dependency conflicts. Similar work is already being done for nerdctl project¹ that's why I'm proposing that I mean, using cosign as an executable. Btw, we did all the tests on nerdctl cosign to make sure that everything works fine, we can do the same tests for conftest too.

WDYT?

@developer-guy I would lean towards what @jalseth has proposed as well.

Assuming it is possible to import the signing capability as a library, I think it's worth seeing if conflicts exist and how much bigger were talking. Maybe it's negligible.

If that fails horribly, instead of shelling out, I'd rather see this as a plugin e.g. https://github.com/open-policy-agent/conftest/blob/master/contrib/plugins/kubectl/kubectl-conftest.sh

Any additional thoughts on this @developer-guy ?

Yep, I agree with you. I can convert that code to use cosign as a Go package to adapt signing/verifying capabilities 🙋🏻‍♂️ Does it make sense? Then, we can talk about which method we want to continue with.

I honestly think the plugin route would be easiest, at least to start. The trade off is that the user needs the cosign binary, but given the original proposal was to shell out to it -- that seems acceptable.

As you've mentioned, importing cosign could cause bloat which hurts users who don't want to use it. Also given that the project is relatively new, dealing with changes could be more difficult in code.

Hello @developer-guy. Friendly ping, please provide an update on the status of this PR.

imho: +1 to consume it as an external plug-in, without adding a dependency

AFAIK, cosign side is planning to reduce the dependency size, then, at that time, we might start using cosign packages. But I guess in the meantime, the best option using cosign would be calling it's executable like @boranx said above.

kindly ping 🙋🏻‍♂️

Are there anymore status updates for this? I think we've all agreed to introduce this functionality as a plugin, so the next step would be to update this PR to add a cosign plugin.

Sorry If I'm misunderstood, but what do you mean by a plugin?

@developer-guy conftest has the ability to support plugins (docs here: https://www.conftest.dev/plugins/)

One example is the kubectl plugin (https://github.com/open-policy-agent/conftest/tree/master/contrib/plugins/kubectl)

So this would be similar in that you would add a plugin to the plugins directory, and call cosign through that

Closing this due to inactivity. Please feel free to reopen or create a new PR if you decide to pick this up again.