@mnsboev mnsboev commented Jul 14, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • Appropriate label is added to auto generate release notes.
  • I used gofmt for formatting the code before submitting the pull request.
  • PR description is clear and concise, and it includes the proposed solution/fix.

Description

Added a new flag --sigstore-bundle to the evidence create command.
Updated the help-output file to include the new flag.
Made predicate and predicate-type optional, as they are not needed when using the --sigstore-bundle flag (since the sigstore bundle contains this content).
Enabled automatic resolution of the subject (subject-repo-path) if it is present in the DSSE envelope in the correct format.

Examples of Usage:

./jf evd create --sigstore-bundle bundle.json
./jf evd create --sigstore-bundle bundle.json --subject-repo-path cli-sigstore-test/commons-1.0.0.txt

Validations:

Possible verification errors to watch for include:

  • The parameter --subject-sha256 cannot be used with --sigstore-bundle. When using --sigstore-bundle, the subject hash is extracted from the bundle itself.
  • The following parameters cannot be used with --sigstore-bundle: --key, --key-alias, --predicate, --predicate-type. These values are extracted from the bundle itself.
  • The --sigstore-bundle is currently not supported for release bundle evidence. This feature may be supported in future releases.
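Added example, not part of the PR or the jfrog-cli code: a sketch of where the predicate type and subject hash sit inside a Sigstore bundle, which is why the flags above become redundant. It assumes the standard bundle layout (`dsseEnvelope.payload` holding a base64 in-toto statement); `Statement`, `SampleBundle` and `ReadStatement` are hypothetical names, and the sample bundle is constructed and unsigned.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the in-toto statement carried base64-encoded in dsseEnvelope.payload.
type Statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// SampleBundle builds a constructed, unsigned bundle-shaped document for the demo.
func SampleBundle() []byte {
	stmt := `{"subject":[{"name":"commons-1.0.0.txt","digest":{"sha256":"` +
		strings.Repeat("ab", 32) + `"}}],"predicateType":"https://slsa.dev/provenance/v1"}`
	return []byte(`{"dsseEnvelope":{"payloadType":"application/vnd.in-toto+json","payload":"` +
		base64.StdEncoding.EncodeToString([]byte(stmt)) + `"}}`)
}

// ReadStatement decodes the payload only; it does NOT verify the DSSE signature.
func ReadStatement(raw []byte) (*Statement, error) {
	var b struct {
		Env *struct{ PayloadType, Payload string } `json:"dsseEnvelope"`
	}
	if err := json.Unmarshal(raw, &b); err != nil || b.Env == nil || b.Env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("bundle has no in-toto DSSE envelope")
	}
	payload, err := base64.StdEncoding.DecodeString(b.Env.Payload)
	var s Statement
	if err != nil || json.Unmarshal(payload, &s) != nil {
		return nil, fmt.Errorf("payload is not base64-encoded JSON")
	}
	if s.PredicateType == "" || len(s.Subject) == 0 || len(s.Subject[0].Digest["sha256"]) != 64 {
		return nil, fmt.Errorf("statement lacks predicateType or a sha256 subject digest")
	}
	return &s, nil
}

func main() {
	s, err := ReadStatement(SampleBundle())
	fmt.Println(s, err)
}
```

Values read this way are only trustworthy after the envelope signature has been verified. How `jf` maps the subject to a repository path is not specified on this page.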

@mnsboev mnsboev added the new feature Automatically generated release notes label Jul 14, 2025
@mnsboev mnsboev force-pushed the evidence-create-by-sigstore-bundle branch from 4add04d to 5a66579 Compare July 14, 2025 13:43
@mnsboev mnsboev force-pushed the evidence-create-by-sigstore-bundle branch from 5a66579 to 6bb1c10 Compare July 14, 2025 13:52
@mnsboev mnsboev force-pushed the evidence-create-by-sigstore-bundle branch from 6bb1c10 to b17919d Compare July 14, 2025 14:22
@mnsboev mnsboev requested review from alenon, dortam888 and osaidwtd July 15, 2025 06:46
@mnsboev mnsboev force-pushed the evidence-create-by-sigstore-bundle branch from cbc0800 to 4a4f3f6 Compare July 16, 2025 11:12
@mnsboev mnsboev requested a review from alenon July 16, 2025 11:23
@dortam888 dortam888 left a comment

Approved with small comments

@mnsboev mnsboev merged commit 34d79ad into jfrog:main Jul 16, 2025
10 of 11 checks passed
naveenku-jfrog pushed a commit to naveenku-jfrog/jfrog-cli-artifactory that referenced this pull request Aug 13, 2025