Add cosign-based signing, attestation, and verification for modelkits #1023
Conversation
Signed-off-by: Keerthan KK <[email protected]>
…cific flags Signed-off-by: Keerthan KK <[email protected]>
Signed-off-by: Keerthan KK <[email protected]>
Signed-off-by: Keerthan KK <[email protected]>
Signed-off-by: Keerthan KK <[email protected]>
| ) | ||
|
|
||
| func RunSign(ctx context.Context, options *signOptions) error { | ||
| cmd := exec.CommandContext(ctx, "cosign", options.cosignArgs...) |
There was a problem hiding this comment.
Commands will panic with "executable file not found" when cosign binary is not installed on the system. This needs pre-flight checks before making these calls. Also is there a possibility to use cosign as a library instead of an external CLI ?
| "os/exec" | ||
| ) | ||
|
|
||
| func RunAttest(context context.Context, options *attestOptions) any { |
There was a problem hiding this comment.
Why does this return any and not error?
| return cmd | ||
| } | ||
|
|
||
| func runCommand(opts []verifyOptions) func(cmd *cobra.Command, args []string) error { |
There was a problem hiding this comment.
While this code works due to reassignment of opts it's confusing. The function signature runCommand([]verifyOptions{})suggests it takes an initialized slice, but it's always called with an empty slice and immediately populated. Refactor to use local variable for opts
|
|
||
| err := cmd.Run() | ||
| if err != nil { | ||
| return fmt.Errorf("signing failed %s", err) |
| func VerifyCommand() *cobra.Command { | ||
|
|
||
| cmd := &cobra.Command{ | ||
| Use: "verify [FLAGS]", |
|
|
||
| func AttestCommand() *cobra.Command { | ||
| cmd := &cobra.Command{ | ||
| Use: "attest [FLAGS]", |
| return output.Fatalf("Failed to %s: %s", commands[i], err) | ||
| } | ||
| } | ||
| output.Infof("Modelkit signed") |
There was a problem hiding this comment.
Looks like a copy/paste error should be output.Infof("Modelkit verification successful")
2 participants
Description
This PR adds support for signing, attesting, and verifying modelkits using the kit commands directly. These commands use cosign internally. The users doesn't have to switch between multiple tools. The verify command enables the user to run both verify and verify attestation using a single command.
Linked issues
closes #857
AI-Assisted Code