Skip to content

feat(ISV-6377): let cosign use HashedRekord for TLOG verification of attestations #4490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(ISV-6377): let cosign use HashedRekord for TLOG verification of attestations #4490

wants to merge 1 commit into from
+327 −8

Conversation

@BorekZnovustvoritel
Copy link

@BorekZnovustvoritel BorekZnovustvoritel commented Oct 22, 2025
edited
Loading

Assisted-by: claude-4.5-sonnet (Cursor)
Signed-off-by: Marek Szymutko [email protected]

Addresses the verification part of #3599

Summary

Without this feature, the hashedRekords cannot be used as TLOG entries for attestations because the cosign verify-attestation would fail. The problem is described in #3599 but the brief summary is:

  • cosign attest uses DSSE or in-toto payloads, sends the whole payload to the Rekor server
  • In case of SBOMs, the attestations can be too large to be processed by Rekor, disallowing the usage of Rekor for attesting SBOMs
  • This change only addresses the verification part. With this change, the command cosign verify-attestation now also supports HashedRekord TLOG entries, which makes sure that a digest is sufficient payload to be uploaded to Rekor.
  • Additional changes are required for the full functionality, cosign attest doesn't support uploading the HashedRekord entries. A workaround must be used as of now, the workaround is described in this write-up (with the only difference that when using the version of Cosign built from this PR, the verification succeeds)

Release Note

  • New feature: Support for HashedRekords TLOG entries was added to cosign verify-attestation

Documentation

No user-facing API was changed in this PR, I believe comments in code are a sufficient change.

@BorekZnovustvoritel
feat(ISV-6377): let cosign use HashedRekord for TLOG verification of …
2b3f513 
…attestations

Assisted-by: calude-4.5-sonnet (Cursor)
Signed-off-by: Marek Szymutko <[email protected]>
@BorekZnovustvoritel BorekZnovustvoritel requested a review from a team as a code owner October 22, 2025 08:55
@arewm
Copy link
Contributor

arewm commented Oct 29, 2025

@steiza, fya as I mentioned this to you on a call a couple weeks back.

@haydentherapper
Copy link
Contributor

haydentherapper commented Nov 4, 2025

Hey y'all, sorry to leave this PR hanging. I will get back to it in a week or so. The approach seems reasonable, but I need to dedicate a bit of time to think through this and if there's any unintended consequences.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BorekZnovustvoritel @arewm @haydentherapper