copy: introduce new --sbom-only, --att-only flags #2002

Closed
Dentrax opened this issue Jun 17, 2022 · 9 comments · Fixed by #3247
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@Dentrax
Member

Dentrax commented Jun 17, 2022

Description

Currently, we only have the --sig-only flag to copy only the image signature. I thought it would be nice to also have --sbom-only to copy the SBOM and --att-only to copy the ATT.

But using both of these flags at the same time might be mutually exclusive, since the -only suffix on the flags means "do not copy anything but only ...".

UX design:

# 1. mutually exclusive, throw an error
$ cosign copy --sbom-only --sig-only --att-only <SRC> <DST>

# 2. remove -only suffix to do both operations in the same time
# this would also mean: _also copy the image itself_, but actually does not
$ cosign copy --sbom --sig --att <SRC> <DST>

# 3. if user want to copy sig, sbom and att, have to run the followings
$ cosign copy --sig-only <SRC> <DST>
$ cosign copy --sbom-only <SRC> <DST>
$ cosign copy --att-only <SRC> <DST>

# 4. introduce a new --copy-only flag that accept custom string array
# no need to call cosign twice
$ cosign copy --copy-only=sbom,sign,att,etc <SRC> <DST>

# 5. happiest path
$ cosign copy --sig-only <SRC> <DST>
$ cosign copy --sbom-only <SRC> <DST>
$ cosign copy --att-only <SRC> <DST>

PTAL @developer-guy

@Dentrax Dentrax added the enhancement New feature or request label Jun 17, 2022
@znewman01
Contributor

I strongly prefer (4) (--copy-only), and deprecating the --sig-only flag; I think that's very clear as a CLI user.

@joshuabezaleel

Hi @Dentrax @znewman01 ! I've just recently gotten interested in supply chain security, and Chainguard with its set of tools is definitely something I came to really appreciate; thank you for what you folks contribute to the community! I've just scoured the Chainguard Academy and am looking to find my way to contribute to Chainguard's repos, which I think would be good to start with either sigstore or cosign.

Is this repo open to public contribution and would this issue be a good candidate for first-time contributors like me to have a shot on?

Thank you lots in advance! 🙂

@znewman01
Contributor

znewman01 commented Nov 8, 2022 via email

@joshuabezaleel

joshuabezaleel commented Nov 8, 2022

@znewman01 Oh no, that was definitely my fault. I think I got it swapped in my mind when I was typing that comment, since my first entry point to learning was the Chainguard Academy and I recognized some of the folks earlier, but what I intended to mean in my previous comment was the Sigstore project and OpenSSF in general, not only Chainguard specifically. I am so ashamed of that earlier comment of mine and I am so sorry for that ... I did not mean to disregard the other companies and people which collaborate and contribute to the Sigstore and OpenSSF community 😔 My bad ..

@znewman01
Contributor

znewman01 commented Nov 8, 2022

I am so sorry for that ... I did not mean to disregard the other companies and people which collaborate and contribute to the Sigstore and OpenSSF community 😔

Not a big deal! We're just glad that you're excited about the project :)

Is this repo open to public contribution

Yes, definitely! There's a "good first issue" label that has a bunch of good candidates for new contributors to work on.

and would this issue be a good candidate for first-time contributors like me to have a shot on?

I think so! I've just added the "good first issue" label. Just ask if you need any advice on how to contribute :)

@znewman01 znewman01 added the good first issue Good for newcomers label Nov 8, 2022
@Dentrax
Member Author

Dentrax commented Nov 10, 2022

Thank you, @joshuabezaleel, for your kind words! Welcome to the community. This would be a good starting point to get into it. We are ready to help!


I strongly prefer (4) (--copy-only), and deprecating the --sig-only flag

I agree with Zack. Maybe just --only would be better, since the copy keyword seems like a duplicate in the first place: cosign copy --copy-only -> cosign copy --only.

We should deprecate the --sig-only flag. To respect backward compatibility, maybe it'd be better to print out a warning message: "hey, we will remove this sometime. consider using the new flag".

@joshuabezaleel

Hi @Dentrax , thank you for the kind words and really warm welcome! Sorry for the really late reply.

There are 2 things that I want to verify first:

  1. The flag argument is not mutually exclusive, since it accepts an array, meaning that there could be 2 copy inputs in a particular command execution, right?
    For example, cosign copy --only=sbom,sign means that it will copy both the SBOM AND the signature of the image.

  2. In the 4th example of your first comment on the issue you gave an example of
    $ cosign copy --copy-only=sbom,sign,att,etc <SRC> <DST>
    Since you used etc, would there be other possible inputs other than sbom, sign and att? I took a look at the code and only these 3 options are available.

@znewman01
Contributor

  1. The flag argument is not mutually exclusive, since it accepts an array, meaning that there could be 2 copy inputs in a particular command execution, right?
    For example, cosign copy --only=sbom,sign means that it will copy both the SBOM AND the signature of the image.

Correct.

  2. In the 4th example of your first comment on the issue you gave an example of
    $ cosign copy --copy-only=sbom,sign,att,etc <SRC> <DST>
    Since you used etc, would there be other possible inputs other than sbom, sign and att? I took a look at the code and only these 3 options are available.

For now, sbom, sign, and att are okay. We may add more later.

I'd also recommend that you use full names: sbom, signature, and attestation. You can additionally accept short versions (sig/sign, att).
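
The flag semantics settled on in this thread (a single --only flag taking a comma-separated list, full names with short aliases, unknown names rejected, and the legacy --sig-only kept behind a deprecation warning) can be sketched as a small Go parser. This is an added example written for this page, not cosign's own implementation; the constant names, the alias table and the function names are assumptions, and the exact strings cosign eventually accepted may differ.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Canonical artifact kinds for a hypothetical `cosign copy --only` flag.
// Assumed for this example; cosign's real flag values may differ.
const (
	KindSignature   = "signature"
	KindSBOM        = "sbom"
	KindAttestation = "attestation"
)

// aliases maps every accepted spelling (full names plus the short forms
// suggested in the discussion) to its canonical kind.
var aliases = map[string]string{
	"signature":   KindSignature,
	"sig":         KindSignature,
	"sign":        KindSignature,
	"sbom":        KindSBOM,
	"attestation": KindAttestation,
	"att":         KindAttestation,
}

// ParseOnly turns the comma-separated --only value into a sorted,
// de-duplicated list of canonical kinds. An empty value yields an empty
// list (meaning "no restriction"). Unknown names are an error rather
// than being silently dropped, so a typo such as "signatur" cannot leave
// an artifact behind without the user noticing.
func ParseOnly(raw string) ([]string, error) {
	seen := map[string]bool{}
	for _, tok := range strings.Split(raw, ",") {
		tok = strings.ToLower(strings.TrimSpace(tok))
		if tok == "" {
			continue
		}
		kind, ok := aliases[tok]
		if !ok {
			return nil, fmt.Errorf("--only: unknown artifact kind %q (accepted: signature/sig/sign, sbom, attestation/att)", tok)
		}
		seen[kind] = true
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}

// ResolveTargets combines the new --only flag with the legacy --sig-only
// boolean. --sig-only keeps working but is translated to --only=signature
// and returns a deprecation warning for the caller to print; passing both
// flags is rejected so the user never gets an ambiguous union of the two.
func ResolveTargets(only string, sigOnly bool) (kinds []string, warning string, err error) {
	if sigOnly && strings.TrimSpace(only) != "" {
		return nil, "", fmt.Errorf("--sig-only and --only are mutually exclusive; use --only=signature")
	}
	if sigOnly {
		return []string{KindSignature},
			"WARNING: --sig-only is deprecated and will be removed in a future release; use --only=signature instead",
			nil
	}
	kinds, err = ParseOnly(only)
	return kinds, "", err
}

func main() {
	// Constructed invocations standing in for real CLI runs.
	cases := []struct {
		only    string
		sigOnly bool
	}{
		{"sbom,sign", false},
		{"", true},
		{"sbom,signatur", false},
	}
	for _, c := range cases {
		kinds, warn, err := ResolveTargets(c.only, c.sigOnly)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		if warn != "" {
			fmt.Fprintln(os.Stderr, warn)
		}
		fmt.Printf("--only=%q --sig-only=%v -> copy %v\n", c.only, c.sigOnly, kinds)
	}
}
```

Normalising to canonical names before the copy loop means the rest of the command only ever branches on three values, and rejecting unknown tokens up front is what keeps a typo from turning "copy signature and SBOM" into "copy signature only" without any indication.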

@joshuabezaleel

Got it, will update soon if there's any blocker that I encounter. Thank you for the really helpful reply, @znewman01 ! 🙂
