-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Smaller cosign-verify binary #3961
Comments
Is the primary goal to make a smaller binary? I wonder if the work being done in sigstore/sigstore#1901 for making KMS providers pluggable could reduce it substantially, or we there are other means to reducing cosign's binary size. Would it try to mirror the verification commands/flags that exist in cosign today, or would verification be rewritten to solely use sigstore-go and simplify the flags? If this is a simplified rewrite, I worry how much this overlaps/conflicts with the idea of migrating the cosign commands to support trustedroots/bundles natively and deprecating existing functionality. This proposal could be the start of a "rewrite" of cosign, and I worry a bit about fragmentation when maintaining two command sets with overlapping functionality. I'm definitely in favor of having a cosign verifier that is much smaller, and perhaps a rewrite is the right answer, but I want to understand how this fits into cosign's strategy and if we could accomplish the same goals while improving the overall cosign codebase. |
Yes, so if we did this we would definitely want to do it in a way that was minimally disruptive to the cosign codebase and this would definitely not be a rewrite. I haven't been thinking about this for very long, but for example, what if we split out the way we add subcommands to I'm not committing to that exact implementation strategy (I want to think about it more) but that's an example of how we could achieve this without a lot of work upfront or maintenance work in the future. |
It would definitely be interesting to see how far we can get with only a minor refactor and deadcode detection. If it used the same codebase, that would be a huge win for maintainability. |
Description
The compiled cosign binary is quite large (~100 MB) and unlikely to get dramatically smaller in the near term. Part of this is due to the flexibility of cosign, in the number of different ways you can sign content, which our users appreciate.
But at the same time, ecosystems adopting Sigstore might want a smaller, self-contained, utility specifically for verifying Sigstore content. This repository could produce a smaller binary, named something like
cosign-verify
, that just handles the verification commandscosign
supports, and hopefully would be an order of magnitude smaller (~10 MB).The text was updated successfully, but these errors were encountered: