feat: add support for referrers attestations

While the backwards compatible tag-based attestation method works, it
can result in a lot of additional tags being pushed to OCI registries.
In order to maintain fewer tags, Chains should be able to use the
referrer's API when pushing signatures and attestations.

Co-Authored-By: Claude <[email protected]>
Signed-off-by: arewm <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: arewm

docs/config.md

@@ -66,6 +66,7 @@ Supported keys include:
 |:-------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|
 | `storage.gcs.bucket`                             | The GCS bucket for storage                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |         |
 | `storage.oci.repository`                         | The OCI repo to store OCI signatures and attestation in                                                                                                                                                                                                                                                             | If left undefined _and_ one of `artifacts.{oci,taskrun}.storage` includes `oci` storage, attestations will be stored alongside the stored OCI artifact itself. ([example on GCP](../images/attestations-in-artifact-registry.png)) Defining this value results in the OCI bundle stored in the designated location _instead of_ alongside the image. See [cosign documentation](https://github.com/sigstore/cosign#specifying-registry) for additional information. |         |
+| `storage.oci.referrers-api`                      | Enable OCI 1.1 referrers API for storing signatures and attestations. When enabled, uses the referrers API instead of tag-based storage, reducing the number of additional tags pushed to OCI registries. **Note:** This feature is experimental as it relies on an experimental feature in cosign. | `true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                     | `false` |
 | `storage.docdb.url`                              | The go-cloud URI reference to a docstore collection                                                                                                                                                                                                                                                                 | `firestore://projects/[PROJECT]/databases/(default)/documents/[COLLECTION]?name_field=name`                                                                                                                                                                                                                                                                                                                                                                         |         |
 | `storage.docdb.mongo-server-url` (optional)      | The value of MONGO_SERVER_URL env var with the MongoDB connection URI                                                                                                                                                                                                                                               | Example: `mongodb://[USER]:[PASSWORD]@[HOST]:[PORT]/[DATABASE]`                                                                                                                                                                                                                                                                                                                                                                                                     |         |
 | `storage.docdb.mongo-server-url-dir` (optional)  | The path of the directory that contains the file named MONGO_SERVER_URL that stores the value of MONGO_SERVER_URL env var                                                                                                                                                                                           | If the file `/mnt/mongo-creds-secret/MONGO_SERVER_URL` has the value of MONGO_SERVER_URL, then set `storage.docdb.mongo-server-url-dir: /mnt/mongo-creds-secret`                                                                                                                                                                                                                                                                                                    |         |
@@ -189,4 +190,4 @@ To restrict the controller to the dev and test namespaces, you would start the c
 ```shell
 --namespace=dev,test
 ```
-In this example, the controller will only monitor resources (pipelinesruns and taskruns) within the dev and test namespaces.
+In this example, the controller will only monitor resources (pipelinesruns and taskruns) within the dev and test namespaces.

pkg/chains/storage/oci/legacy.go

@@ -34,7 +34,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/v2/pkg/oci"
+	"github.com/sigstore/cosign/v2/pkg/oci/mutate"
 	ociremote "github.com/sigstore/cosign/v2/pkg/oci/remote"
+	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	"github.com/tektoncd/chains/pkg/artifacts"
 	"github.com/tektoncd/chains/pkg/chains/formats/simple"
 	"github.com/tektoncd/chains/pkg/config"
@@ -105,6 +107,13 @@ func (b *Backend) StorePayload(ctx context.Context, obj objects.TektonObject, ra
 			return nil
 		}
 
+		// Use new AttestationStorer with potential referrers API support
+		logger.Infof("ReferrersAPI config value: %v", b.cfg.Storage.OCI.ReferrersAPI)
+		if b.cfg.Storage.OCI.ReferrersAPI {
+			logger.Info("Using referrers API for attestation upload")
+			return b.uploadAttestationWithReferrers(ctx, &attestation, signature, storageOpts, auth)
+		}
+		logger.Info("Using traditional tag-based attestation upload")
 		return b.uploadAttestation(ctx, &attestation, signature, storageOpts, auth)
 	}
 
@@ -115,6 +124,13 @@ func (b *Backend) StorePayload(ctx context.Context, obj objects.TektonObject, ra
 
 func (b *Backend) uploadSignature(ctx context.Context, format simple.SimpleContainerImage, rawPayload []byte, signature string, storageOpts config.StorageOpts, remoteOpts ...remote.Option) error {
 	logger := logging.FromContext(ctx)
+	// Use new SimpleStorer with potential referrers API support
+	logger.Infof("ReferrersAPI config value: %v", b.cfg.Storage.OCI.ReferrersAPI)
+	if b.cfg.Storage.OCI.ReferrersAPI {
+		logger.Info("Using referrers API for signature upload")
+		return b.uploadSignatureWithReferrers(ctx, format, rawPayload, signature, storageOpts, remoteOpts...)
+	}
+	logger.Info("Using traditional tag-based signature upload")
 
 	imageName := format.ImageName()
 	logger.Infof("Uploading %s signature", imageName)
@@ -299,3 +315,90 @@ func newRepo(cfg config.Config, imageName name.Digest) (name.Repository, error)
 	}
 	return name.NewRepository(imageName.Repository.Name(), opts...)
 }
+
+// uploadSignatureWithReferrers uses cosign's OCI 1.1 experimental API for signatures
+func (b *Backend) uploadSignatureWithReferrers(ctx context.Context, format simple.SimpleContainerImage, rawPayload []byte, signature string, storageOpts config.StorageOpts, remoteOpts ...remote.Option) error {
+	logger := logging.FromContext(ctx)
+	imageName := format.ImageName()
+	ref, err := name.NewDigest(imageName)
+	if err != nil {
+		return errors.Wrap(err, "getting digest")
+	}
+
+	// Get or create the SignedEntity (same as SimpleStorer.Store)
+	se, err := ociremote.SignedEntity(ref, ociremote.WithRemoteOptions(remoteOpts...))
+	var entityNotFoundError *ociremote.EntityNotFoundError
+	if errors.As(err, &entityNotFoundError) {
+		se = ociremote.SignedUnknown(ref)
+	} else if err != nil {
+		return errors.Wrap(err, "getting signed entity")
+	}
+
+	// Create signature options (same as SimpleStorer.Store)
+	sigOpts := []static.Option{}
+	if storageOpts.Cert != "" {
+		sigOpts = append(sigOpts, static.WithCertChain([]byte(storageOpts.Cert), []byte(storageOpts.Chain)))
+	}
+
+	// Create the new signature for this entity
+	b64sig := base64.StdEncoding.EncodeToString([]byte(signature))
+	sig, err := static.NewSignature(rawPayload, b64sig, sigOpts...)
+	if err != nil {
+		return errors.Wrap(err, "creating signature")
+	}
+
+	// Attach the signature to the entity
+	newSE, err := mutate.AttachSignatureToEntity(se, sig)
+	if err != nil {
+		return errors.Wrap(err, "attaching signature to entity")
+	}
+
+	// Use cosign's OCI 1.1 experimental function instead of WriteSignatures
+	logger.Info("Using OCI 1.1 referrers API for signature upload")
+	return ociremote.WriteSignaturesExperimentalOCI(ref, newSE, ociremote.WithRemoteOptions(remoteOpts...))
+}
+
+// uploadAttestationWithReferrers uses cosign's OCI 1.1 experimental API for attestations
+func (b *Backend) uploadAttestationWithReferrers(ctx context.Context, attestation *intoto.Statement, signature string, storageOpts config.StorageOpts, remoteOpts ...remote.Option) error {
+	logger := logging.FromContext(ctx)
+	if len(attestation.Subject) == 0 {
+		return errors.New("no subjects in attestation")
+	}
+
+	// Get the first subject (main image)
+	subject := attestation.Subject[0]
+	imageName := fmt.Sprintf("%s@sha256:%s", subject.Name, subject.Digest["sha256"])
+	ref, err := name.NewDigest(imageName)
+	if err != nil {
+		return errors.Wrap(err, "parsing subject digest")
+	}
+
+	// Create DSSE envelope with the attestation
+	payload, err := json.Marshal(attestation)
+	if err != nil {
+		return errors.Wrap(err, "marshaling attestation")
+	}
+
+	envelope := dsse.Envelope{
+		PayloadType: "application/vnd.in-toto+json",
+		Payload:     base64.StdEncoding.EncodeToString(payload),
+		Signatures: []dsse.Signature{
+			{
+				Sig: signature,
+			},
+		},
+	}
+
+	// Marshal the envelope to create bundle bytes
+	bundleBytes, err := json.Marshal(envelope)
+	if err != nil {
+		return errors.Wrap(err, "marshaling DSSE envelope")
+	}
+
+	// Extract predicate type from attestation
+	predicateType := attestation.PredicateType
+
+	// Use cosign's OCI 1.1 experimental function for attestations
+	logger.Info("Using OCI 1.1 referrers API for attestation upload")
+	return ociremote.WriteAttestationNewBundleFormat(ref, bundleBytes, predicateType, ociremote.WithRemoteOptions(remoteOpts...))
+}

pkg/chains/storage/oci/options.go

@@ -14,7 +14,12 @@
 
 package oci
 
-import "github.com/google/go-containerregistry/pkg/name"
+import (
+	"os"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+)
 
 // Option provides a config option compatible with all OCI storers.
 type Option interface {
@@ -52,3 +57,32 @@ func (o *targetRepoOption) applySimpleStorer(s *SimpleStorer) error {
 	s.repo = &o.repo
 	return nil
 }
+
+// WithReferrersAPI configures the storers to use OCI 1.1 referrers API.
+func WithReferrersAPI(enabled bool) Option {
+	return &referrersAPIOption{
+		enabled: enabled,
+	}
+}
+
+type referrersAPIOption struct {
+	enabled bool
+}
+
+func (o *referrersAPIOption) applyAttestationStorer(s *AttestationStorer) error {
+	if o.enabled {
+		// Enable cosign experimental mode to activate OCI 1.1 referrers API
+		os.Setenv("COSIGN_EXPERIMENTAL", "1")
+		s.remoteOpts = append(s.remoteOpts, remote.WithUserAgent("chains/referrers-api"))
+	}
+	return nil
+}
+
+func (o *referrersAPIOption) applySimpleStorer(s *SimpleStorer) error {
+	if o.enabled {
+		// Enable cosign experimental mode to activate OCI 1.1 referrers API
+		os.Setenv("COSIGN_EXPERIMENTAL", "1")
+		s.remoteOpts = append(s.remoteOpts, remote.WithUserAgent("chains/referrers-api"))
+	}
+	return nil
+}

pkg/chains/storage/oci/referrers_test.go

@@ -0,0 +1,133 @@
+/*
+Copyright 2023 The Tekton Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oci
+
+import (
+	"os"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/tektoncd/chains/pkg/config"
+)
+
+func TestReferrersAPIOption(t *testing.T) {
+	// Test that WithReferrersAPI option sets COSIGN_EXPERIMENTAL
+
+	// Clear any existing env var
+	originalValue := os.Getenv("COSIGN_EXPERIMENTAL")
+	defer func() {
+		if originalValue != "" {
+			os.Setenv("COSIGN_EXPERIMENTAL", originalValue)
+		} else {
+			os.Unsetenv("COSIGN_EXPERIMENTAL")
+		}
+	}()
+	os.Unsetenv("COSIGN_EXPERIMENTAL")
+
+	// Create storer with referrers API enabled
+	repo, err := name.NewRepository("example.com/test")
+	if err != nil {
+		t.Fatalf("Failed to create repository: %v", err)
+	}
+
+	opts := []AttestationStorerOption{
+		WithTargetRepository(repo),
+		WithReferrersAPI(true),
+	}
+
+	storer, err := NewAttestationStorer(opts...)
+	if err != nil {
+		t.Fatalf("Failed to create attestation storer: %v", err)
+	}
+
+	// Check that COSIGN_EXPERIMENTAL was set
+	if os.Getenv("COSIGN_EXPERIMENTAL") != "1" {
+		t.Errorf("Expected COSIGN_EXPERIMENTAL to be set to '1', got '%s'", os.Getenv("COSIGN_EXPERIMENTAL"))
+	}
+
+	// Check that the storer was configured correctly
+	if storer.repo == nil {
+		t.Errorf("Expected storer.repo to be set")
+	}
+
+	if storer.repo.Name() != "example.com/test" {
+		t.Errorf("Expected repo name to be 'example.com/test', got '%s'", storer.repo.Name())
+	}
+}
+
+func TestReferrersAPIDisabled(t *testing.T) {
+	// Test that WithReferrersAPI(false) doesn't set COSIGN_EXPERIMENTAL
+
+	// Clear any existing env var
+	originalValue := os.Getenv("COSIGN_EXPERIMENTAL")
+	defer func() {
+		if originalValue != "" {
+			os.Setenv("COSIGN_EXPERIMENTAL", originalValue)
+		} else {
+			os.Unsetenv("COSIGN_EXPERIMENTAL")
+		}
+	}()
+	os.Unsetenv("COSIGN_EXPERIMENTAL")
+
+	// Create storer with referrers API disabled
+	repo, err := name.NewRepository("example.com/test")
+	if err != nil {
+		t.Fatalf("Failed to create repository: %v", err)
+	}
+
+	opts := []SimpleStorerOption{
+		WithTargetRepository(repo),
+		WithReferrersAPI(false),
+	}
+
+	storer, err := NewSimpleStorerFromConfig(opts...)
+	if err != nil {
+		t.Fatalf("Failed to create simple storer: %v", err)
+	}
+
+	// Check that COSIGN_EXPERIMENTAL was not set
+	if os.Getenv("COSIGN_EXPERIMENTAL") != "" {
+		t.Errorf("Expected COSIGN_EXPERIMENTAL to be unset, got '%s'", os.Getenv("COSIGN_EXPERIMENTAL"))
+	}
+
+	// Check that the storer was configured correctly
+	if storer.repo == nil {
+		t.Errorf("Expected storer.repo to be set")
+	}
+}
+
+func TestOCIBackendReferrersConfig(t *testing.T) {
+	// Test that the OCI backend respects the referrers API configuration
+	cfg := config.Config{
+		Storage: config.StorageConfigs{
+			OCI: config.OCIStorageConfig{
+				Repository:   "example.com/repo",
+				ReferrersAPI: true,
+			},
+		},
+	}
+
+	backend := &Backend{
+		cfg: cfg,
+	}
+
+	// Verify that the config is accessible
+	if !backend.cfg.Storage.OCI.ReferrersAPI {
+		t.Errorf("Expected ReferrersAPI to be enabled in backend config")
+	}
+
+	if backend.cfg.Storage.OCI.Repository != "example.com/repo" {
+		t.Errorf("Expected repository to be 'example.com/repo', got '%s'", backend.cfg.Storage.OCI.Repository)
+	}
+}

pkg/config/config.go

@@ -116,8 +116,9 @@ type GCSStorageConfig struct {
 }
 
 type OCIStorageConfig struct {
-	Repository string
-	Insecure   bool
+	Repository   string
+	Insecure     bool
+	ReferrersAPI bool
 }
 
 type TektonStorageConfig struct {
@@ -179,6 +180,7 @@ const (
 	gcsBucketKey               = "storage.gcs.bucket"
 	ociRepositoryKey           = "storage.oci.repository"
 	ociRepositoryInsecureKey   = "storage.oci.repository.insecure"
+	ociReferrersAPIKey         = "storage.oci.referrers-api"
 	docDBUrlKey                = "storage.docdb.url"
 	docDBMongoServerURLKey     = "storage.docdb.mongo-server-url"
 	docDBMongoServerURLDirKey  = "storage.docdb.mongo-server-url-dir"
@@ -310,6 +312,7 @@ func NewConfigFromMap(data map[string]string) (*Config, error) {
 		asString(gcsBucketKey, &cfg.Storage.GCS.Bucket),
 		asString(ociRepositoryKey, &cfg.Storage.OCI.Repository),
 		asBool(ociRepositoryInsecureKey, &cfg.Storage.OCI.Insecure),
+		asBool(ociReferrersAPIKey, &cfg.Storage.OCI.ReferrersAPI),
 		asString(docDBUrlKey, &cfg.Storage.DocDB.URL),
 		asString(docDBMongoServerURLKey, &cfg.Storage.DocDB.MongoServerURL),
 		asString(docDBMongoServerURLDirKey, &cfg.Storage.DocDB.MongoServerURLDir),