refactor: rename attach to attest (#89)

WORKSPACE

@@ -107,9 +107,9 @@ new_local_repository(
     path = "examples/sign_external/workspace",
 )
 
-# For attach_external test
+# For attest_external test
 new_local_repository(
     name = "example_sbom",
-    build_file = "//examples/attach_external:BUILD.template",
-    path = "examples/attach_external/workspace",
+    build_file = "//examples/attest_external:BUILD.template",
+    path = "examples/attest_external/workspace",
 )

cosign/defs.bzl

@@ -1,7 +1,7 @@
 "Public API"
 
 load("//cosign/private:sign.bzl", _cosign_sign = "cosign_sign")
-load("//cosign/private:attach.bzl", _cosign_attach = "cosign_attach")
+load("//cosign/private:attest.bzl", _cosign_attest = "cosign_attest")
 
 cosign_sign = _cosign_sign
-cosign_attach = _cosign_attach
+cosign_attest = _cosign_attest

cosign/private/BUILD.bazel

@@ -7,7 +7,7 @@ exports_files(
 
 exports_files([
     "sign.sh.tpl",
-    "attach.sh.tpl",
+    "attest.sh.tpl",
 ])
 
 bzl_library(
@@ -20,8 +20,8 @@ bzl_library(
 )
 
 bzl_library(
-    name = "attach",
-    srcs = ["attach.bzl"],
+    name = "attest",
+    srcs = ["attest.bzl"],
     visibility = [
         "//cosign:__subpackages__",
         "//docs:__pkg__",

cosign/private/attach.bzl → cosign/private/attest.bzl

@@ -1,16 +1,16 @@
-"Implementation details for attach rule"
+"Implementation details for attest rule"
 
-_DOC = """Attach an attachment to an oci_image at a remote registry using cosign.
+_DOC = """Attest an oci_image using cosign binary at a remote registry.
 
 ```starlark
 oci_image(
     name = "image"
 )
 
-cosign_attach(
-    name = "attach_sbom",
-    type = "sbom"
-    attachment = "image.sbom.spdx.json",
+cosign_attest(
+    name = "attest_spdx",
+    type = "spdx"
+    predicate = "image.sbom.spdx.json",
     repository = "index.docker.io/org/image"
 )
 ```
@@ -22,47 +22,47 @@ oci_image(
     name = "image"
 )
 
-cosign_attach(
-    name = "attach_sbom",
-    type = "sbom"
-    attachment = "image.sbom.spdx.json",
+cosign_attest(
+    name = "attest_spdx",
+    type = "spdx"
+    attestment = "image.sbom.spdx.json",
     repository = "index.docker.io/org/image"
 )
 ```
 
-via `bazel run :attach_sbom -- --repository=index.docker.io/org/test`
+via `bazel run :attest_spdx -- --repository=index.docker.io/org/test`
 """
 
 _attrs = {
     "image": attr.label(allow_single_file = True, mandatory = True, doc = "Label to an oci_image"),
-    "type": attr.string(values = ["attestation", "sbom", "signature"], mandatory = True, doc = "Type of attachment. Acceptable values are: `attestation`, `sbom`, and `signature`"),
-    "attachment": attr.label(allow_single_file = True, mandatory = True, doc = "Label to the attachment. Only files are allowed. eg: sbom.spdx, in-toto.json"),
+    "type": attr.string(values = ["slsaprovenance", "link", "spdx", "vuln", "custom"], mandatory = True, doc = "Type of predicate. Acceptable values are (slsaprovenance|link|spdx|vuln|custom)"),
+    "predicate": attr.label(allow_single_file = True, mandatory = True, doc = "Label to the predicate file. Only files are allowed. eg: sbom.spdx, in-toto.json"),
     "repository": attr.string(mandatory = True, doc = """\
         Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.
         Digests and tags are not allowed.
     """),
-    "_attach_sh_tpl": attr.label(default = "attach.sh.tpl", allow_single_file = True),
+    "_attest_sh_tpl": attr.label(default = "attest.sh.tpl", allow_single_file = True),
 }
 
-def _cosign_attach_impl(ctx):
+def _cosign_attest_impl(ctx):
     cosign = ctx.toolchains["@contrib_rules_oci//cosign:toolchain_type"]
     yq = ctx.toolchains["@aspect_bazel_lib//lib:yq_toolchain_type"]
 
     if ctx.attr.repository.find(":") != -1 or ctx.attr.repository.find("@") != -1:
         fail("repository attribute should not contain digest or tag.")
 
-    fixed_args = ["--repository", ctx.attr.repository]
+    fixed_args = [
+        "--repository",
+        ctx.attr.repository,
+        "--predicate",
+        ctx.file.predicate.short_path,
+        "--type",
+        ctx.attr.type,
+    ]
 
-    if ctx.attr.type == "sbom":
-        fixed_args.extend(["--sbom", ctx.file.attachment.short_path])
-    elif ctx.attr.type == "attestation":
-        fixed_args.extend(["--attestation", ctx.file.attachment.short_path])
-    else:
-        fixed_args.extend(["--signature", ctx.file.attachment.short_path])
-
-    executable = ctx.actions.declare_file("cosign_attach_{}.sh".format(ctx.label.name))
+    executable = ctx.actions.declare_file("cosign_attest_{}.sh".format(ctx.label.name))
     ctx.actions.expand_template(
-        template = ctx.file._attach_sh_tpl,
+        template = ctx.file._attest_sh_tpl,
         output = executable,
         is_executable = True,
         substitutions = {
@@ -74,14 +74,14 @@ def _cosign_attach_impl(ctx):
         },
     )
 
-    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.attachment])
+    runfiles = ctx.runfiles(files = [ctx.file.image, ctx.file.predicate])
     runfiles = runfiles.merge(yq.default.default_runfiles)
     runfiles = runfiles.merge(cosign.default.default_runfiles)
 
     return DefaultInfo(executable = executable, runfiles = runfiles)
 
-cosign_attach = rule(
-    implementation = _cosign_attach_impl,
+cosign_attest = rule(
+    implementation = _cosign_attest_impl,
     attrs = _attrs,
     doc = _DOC,
     executable = True,

cosign/private/attach.sh.tpl → cosign/private/attest.sh.tpl

@@ -6,7 +6,7 @@ readonly YQ="{{yq_path}}"
 readonly IMAGE_DIR="{{image_dir}}"
 readonly DIGEST=$("${YQ}" '.manifests[].digest' "${IMAGE_DIR}/index.json")
 readonly FIXED_ARGS=({{fixed_args}})
-readonly TYPE="{{type}}"
+
 
 # set $@ to be FIXED_ARGS+$@
 ARGS=(${FIXED_ARGS[@]} $@)
@@ -23,5 +23,5 @@ while (( $# > 0 )); do
     esac
 done
 
-exec "${COSIGN}" attach "${TYPE}" "${REPOSITORY}@${DIGEST}" ${ARGS[@]+"${ARGS[@]}"}
+exec "${COSIGN}" attest "${REPOSITORY}@${DIGEST}" ${ARGS[@]+"${ARGS[@]}"}
 

docs/BUILD.bazel

@@ -38,8 +38,8 @@ stardoc_with_diff_test(
 )
 
 stardoc_with_diff_test(
-    name = "cosign_attach",
-    bzl_library_target = "//cosign/private:attach",
+    name = "cosign_attest",
+    bzl_library_target = "//cosign/private:attest",
 )
 
 update_docs(name = "update")

docs/cosign_attest.md

@@ -0,0 +1,57 @@
+<!-- Generated with Stardoc: http://skydoc.bazel.build -->
+
+Implementation details for attest rule
+
+<a id="#cosign_attest"></a>
+
+## cosign_attest
+
+<pre>
+cosign_attest(<a href="#cosign_attest-name">name</a>, <a href="#cosign_attest-image">image</a>, <a href="#cosign_attest-predicate">predicate</a>, <a href="#cosign_attest-repository">repository</a>, <a href="#cosign_attest-type">type</a>)
+</pre>
+
+Attest an oci_image using cosign binary at a remote registry.
+
+```starlark
+oci_image(
+    name = "image"
+)
+
+cosign_attest(
+    name = "attest_spdx",
+    type = "spdx"
+    predicate = "image.sbom.spdx.json",
+    repository = "index.docker.io/org/image"
+)
+```
+
+`repository` attribute can be overridden using the `--repository` flag.
+
+```starlark
+oci_image(
+    name = "image"
+)
+
+cosign_attest(
+    name = "attest_spdx",
+    type = "spdx"
+    attestment = "image.sbom.spdx.json",
+    repository = "index.docker.io/org/image"
+)
+```
+
+via `bazel run :attest_spdx -- --repository=index.docker.io/org/test`
+
+
+**ATTRIBUTES**
+
+
+| Name  | Description | Type | Mandatory | Default |
+| :------------- | :------------- | :------------- | :------------- | :------------- |
+| <a id="cosign_attest-name"></a>name |  A unique name for this target.   | <a href="https://bazel.build/docs/build-ref.html#name">Name</a> | required |  |
+| <a id="cosign_attest-image"></a>image |  Label to an oci_image   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | required |  |
+| <a id="cosign_attest-predicate"></a>predicate |  Label to the predicate file. Only files are allowed. eg: sbom.spdx, in-toto.json   | <a href="https://bazel.build/docs/build-ref.html#labels">Label</a> | required |  |
+| <a id="cosign_attest-repository"></a>repository |  Repository URL where the image will be signed at, e.g.: <code>index.docker.io/&lt;user&gt;/image</code>.         Digests and tags are not allowed.   | String | required |  |
+| <a id="cosign_attest-type"></a>type |  Type of predicate. Acceptable values are (slsaprovenance|link|spdx|vuln|custom)   | String | required |  |
+
+

examples/attach/BUILD.bazel → examples/attest/BUILD.bazel

@@ -1,4 +1,4 @@
-load("//cosign:defs.bzl", "cosign_attach")
+load("//cosign:defs.bzl", "cosign_attest")
 load("//oci:defs.bzl", "oci_image")
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 
@@ -15,29 +15,31 @@ oci_image(
     os = "linux",
 )
 
-cosign_attach(
-    name = "attach",
-    attachment = ":sbom_generated.spdx",
+cosign_attest(
+    name = "attest",
     image = ":image",
+    predicate = ":sbom_generated.spdx",
     repository = "test",
-    type = "sbom",
+    type = "spdx",
 )
 
 sh_test(
     name = "test",
     srcs = ["test.bash"],
     args = [
+        "$(JQ_BIN)",
         "$(COSIGN_BIN)",
         "$(CRANE_BIN)",
         "$(LAUNCHER_WRAPPER)",
-        "$(location :attach)",
+        "$(location :attest)",
         "$(location :image)",
         "$(location sbom.spdx)",
     ],
     data = [
         "sbom.spdx",
-        ":attach",
+        ":attest",
         ":image",
+        "@jq_toolchains//:resolved_toolchain",
         "@oci_cosign_toolchains//:current_toolchain",
         "@oci_crane_toolchains//:current_toolchain",
         "@oci_zot_toolchains//:current_toolchain",
@@ -46,5 +48,6 @@ sh_test(
         "@oci_zot_toolchains//:current_toolchain",
         "@oci_cosign_toolchains//:current_toolchain",
         "@oci_crane_toolchains//:current_toolchain",
+        "@jq_toolchains//:resolved_toolchain",
     ],
 )

examples/attach/test.bash → examples/attest/test.bash

@@ -3,12 +3,13 @@ set -o pipefail -o errexit -o nounset
 
 export HOME="$TEST_TMPDIR"
 
-readonly COSIGN="${1/external\//../}"
-readonly CRANE="${2/external\//../}"
-readonly REGISTRY_LAUNCHER="${3/external\//../}"
-readonly ATTACHER="$4"
-readonly IMAGE_PATH="$5"
-readonly SBOM_PATH="$6"
+readonly JQ="${1/external\//../}"
+readonly COSIGN="${2/external\//../}"
+readonly CRANE="${3/external\//../}"
+readonly REGISTRY_LAUNCHER="${4/external\//../}"
+readonly ATTACHER="$5"
+readonly IMAGE_PATH="$6"
+readonly SBOM_PATH="$7"
 
 
 # Launch a registry instance at a random port
@@ -18,14 +19,17 @@ echo "Registry is running at ${REGISTRY}"
 
 readonly REPOSITORY="${REGISTRY}/local" 
 
-# attach the sbom
-"${ATTACHER}" --repository "${REPOSITORY}"
+# generate key
+COSIGN_PASSWORD=123 "${COSIGN}" generate-key-pair 
 
 # due to https://github.com/sigstore/cosign/issues/2603 push the image 
 REF=$(mktemp)
 "${CRANE}" push "${IMAGE_PATH}" "${REPOSITORY}" --image-refs="${REF}"
 
+# attach the sbom
+COSIGN_PASSWORD=123 "${ATTACHER}" --repository "${REPOSITORY}" --key=cosign.key -y
+
 # download the sbom
-"${COSIGN}" download sbom $(cat $REF) > "$TEST_TMPDIR/download.sbom"
+"${COSIGN}" verify-attestation $(cat $REF) --key=cosign.pub --type spdx | "${JQ}" -r '.payload' | base64 --decode | "${JQ}" -r '.predicate' > "$TEST_TMPDIR/download.sbom" 
 
 diff -u --ignore-space-change --strip-trailing-cr "$SBOM_PATH"  "$TEST_TMPDIR/download.sbom" || (echo "FAIL: downloaded SBOM does not match the original" && exit 1)