
feat(backend): support top-level aqua cosign verification#9111

Merged: jdx merged 7 commits into jdx:main from risu729:copilot/aqua-cosign-binary on May 5, 2026

Conversation


@risu729 risu729 commented Apr 15, 2026

Summary

  • add top-level cosign metadata support in aqua package parsing and override merging
  • support lock/install verification for top-level binary cosign config in aqua backend
  • reuse existing native sigstore verification path for both checksum and artifact flows
  • add lockfile regression coverage for top-level cosign provenance
  • extend aqua cosign e2e coverage for top-level binary verification

Tests

  • cargo test -p aqua-registry --quiet
  • cargo test --quiet backend::aqua::tests::
  • mise run test:e2e e2e/backend/test_aqua_cosign e2e/lockfile/test_lockfile_cosign_top_level_binary

This PR was generated by Copilot.


greptile-apps Bot commented Apr 15, 2026

Greptile Summary

This PR adds support for top-level cosign verification in aqua package definitions. Previously only checksum-nested cosign (checksum.cosign) was handled; now a package's cosign field at the root level is parsed, merged across version overrides, and used to verify the downloaded binary artifact (rather than a checksum file) using the existing native sigstore path.

The implementation is clean: binary_cosign_config and checksum_cosign_config helper methods clearly separate the two verification flows, cosign_already_verified is only set after confirmed successful verification (guarded by has_native_cosign at the call site), and both detect_provenance_type and verify_provenance are kept in sync.

Confidence Score: 5/5

Safe to merge — no correctness issues found; logic is consistent across lock and install paths.

All changed paths are correct: binary_cosign_config guards cosign_already_verified properly, the two cosign flows are mutually exclusive by priority, the AquaCosign merge in apply_override is consistent with existing patterns, and tests validate both lockfile provenance recording and install-time verification. No P1 or P0 findings.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/backend/aqua.rs | Core backend changes: adds binary_cosign_config/checksum_cosign_config helpers, cosign_artifact function, and refactors run_cosign_check to be target-agnostic. Logic is correct — cosign_already_verified is properly guarded, verification order and precedence are consistent between lock and install paths. |
| crates/aqua-registry/src/types.rs | Adds top-level cosign: Option<AquaCosign> to AquaPackage and corresponding apply_override merge block. Merge correctly propagates override fields into the base while preserving existing values; tests validate deserialization and version-override merging. |
| e2e/backend/test_aqua_cosign | Extends existing test to cover top-level binary cosign via envsense; removes unnecessary cleanup (correct per project convention). Detection heuristic using absence of "verify checksums with cosign" is sound. |
| e2e/lockfile/test_lockfile_cosign_top_level_binary | New lockfile regression test: verifies that top-level cosign config records provenance = "cosign" in the lock file and that subsequent install succeeds. Has set -euo pipefail; uses correct single-underscore MISE_AQUA_GITHUB_ATTESTATIONS env var. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[verify_provenance] --> B{locked_provenance?}
    B -->|cosign| skip_others[skip attestations/slsa/minisign]
    B -->|other/none| run_others[run attestations → slsa → minisign]
    skip_others --> C{binary_cosign_config?}
    run_others --> C
    C -->|Some - key or bundle| D[cosign_artifact\nverify binary artifact\nrun_cosign_check target=artifact]
    C -->|None| E{checksum enabled?}
    D --> F[cosign_already_verified = true]
    F --> E
    E -->|yes| G{checksum_cosign_config\n AND NOT already_verified?}
    G -->|yes| H[cosign_checksums\nverify checksum file\nrun_cosign_check target=checksum]
    G -->|no| I[verify_checksum]
    H --> I
    E -->|no| I
    D --> record_binary[record_cosign_provenance]
    H --> record_checksum[record_cosign_provenance]
```

Reviews (8): Last reviewed commit: "refactor(backend): align aqua cosign det..."
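The precedence the summary and flowchart describe (override merge of the top-level cosign block, then binary cosign taking priority over checksum cosign via the cosign_already_verified guard), as an added Rust model that is not mise's own code. Type and method names follow the page; the field shapes, the flattened checksum fields, the is_usable helper and cosign_target are assumptions for illustration:

```rust
// Added model of the PR's precedence logic, not mise's code; field shapes are assumed.
#[derive(Clone, Debug, Default, PartialEq)]
struct AquaCosign {
    key: Option<String>,    // assumed: key-based verification
    bundle: Option<String>, // assumed: bundle-based verification
}

#[derive(Clone, Debug, Default)]
struct AquaPackage {
    cosign: Option<AquaCosign>,          // new top-level field
    checksum_enabled: bool,              // assumed flattening of checksum.enabled
    checksum_cosign: Option<AquaCosign>, // assumed flattening of checksum.cosign
}

impl AquaCosign {
    /// Override fields win; base values the override leaves unset are kept.
    fn merged(base: Option<&Self>, over: Option<&Self>) -> Option<Self> {
        match (base, over) {
            (None, None) => None,
            (Some(b), None) | (None, Some(b)) => Some(b.clone()),
            (Some(b), Some(o)) => Some(AquaCosign {
                key: o.key.clone().or_else(|| b.key.clone()),
                bundle: o.bundle.clone().or_else(|| b.bundle.clone()),
            }),
        }
    }
    /// Only a config naming a key or a bundle drives verification (assumed helper).
    fn is_usable(&self) -> bool {
        self.key.is_some() || self.bundle.is_some()
    }
}

impl AquaPackage {
    fn apply_override(&mut self, over: &AquaPackage) {
        self.cosign = AquaCosign::merged(self.cosign.as_ref(), over.cosign.as_ref());
    }
    fn binary_cosign_config(&self) -> Option<&AquaCosign> {
        self.cosign.as_ref().filter(|c| c.is_usable())
    }
    fn checksum_cosign_config(&self, cosign_already_verified: bool) -> Option<&AquaCosign> {
        if cosign_already_verified || !self.checksum_enabled { return None; }
        self.checksum_cosign.as_ref().filter(|c| c.is_usable())
    }
    /// The single target run_cosign_check ends up verifying, if any.
    fn cosign_target(&self) -> Option<&'static str> {
        let cosign_already_verified = self.binary_cosign_config().is_some();
        if cosign_already_verified { return Some("artifact"); }
        self.checksum_cosign_config(cosign_already_verified).map(|_| "checksum")
    }
}
```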

Comment thread src/backend/aqua.rs Outdated
Comment thread e2e/lockfile/test_lockfile_cosign_top_level_binary Outdated
Comment thread e2e/lockfile/test_lockfile_cosign_top_level_binary

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces support for top-level binary cosign verification in the Aqua registry, allowing for direct artifact verification in addition to existing checksum-level checks. Key changes include updates to the AquaPackage structure, the implementation of cosign_artifact in the backend, and new E2E tests for lockfile provenance. A review comment suggests optimizing the cosign merging logic in apply_override to reduce redundant clones.

Comment thread crates/aqua-registry/src/types.rs Outdated
@risu729 risu729 force-pushed the copilot/aqua-cosign-binary branch from f2d2e26 to c59ee6e on May 4, 2026 05:11
@risu729 risu729 marked this pull request as ready for review May 4, 2026 08:01
@jdx jdx merged commit 57976d2 into jdx:main May 5, 2026
34 checks passed
@risu729 risu729 deleted the copilot/aqua-cosign-binary branch May 5, 2026 04:41
mise-en-dev added a commit that referenced this pull request May 5, 2026
### 🚀 Features

- **(backend)** support top-level aqua cosign verification by @risu729 in [#9111](#9111)

### 🐛 Bug Fixes

- **(schema)** validate all schema files with draft2020 and strict mode by @risu729 in [#9594](#9594)
- **(shim)** skip network resolution for installed tool dirs by @jdx in [#9599](#9599)

### 📚 Documentation

- **(dev-tools)** clarify vfox metadata depends for install hooks by @risu729 in [#9573](#9573)
- **(plugins)** remove registry submission guidance by @risu729 in [#9577](#9577)

### 📦️ Dependency Updates

- lock file maintenance by @renovate[bot] in [#9586](#9586)

### 📦 Registry

- remove bashly asdf fallback by @risu729 in [#9578](#9578)
- use github backend for rebar by @risu729 in [#9576](#9576)
- add wasm-tools ([aqua:bytecodealliance/wasm-tools](https://github.com/bytecodealliance/wasm-tools)) by @2xdevv in [#9596](#9596)
- enable symlink_bins for elixir-ls by @AlternateRT in [#9592](#9592)

### Chore

- **(release)** always append sponsor block to release notes by @jdx in [#9580](#9580)
- warn on vendored vfox embedded plugins by @risu729 in [#9588](#9588)
- prefer registry shorthands over cargo/npm backends in mise.toml by @risu729 in [#9595](#9595)

## 📦 Aqua Registry Updates

### New Packages (2)

- [`salesforce/reactive-grpc/protoc-gen-reactor-grpc`](https://github.com/salesforce/reactive-grpc)
- [`spinframework/spin`](https://github.com/spinframework/spin)

### Updated Packages (1)

- [`pnpm/pnpm`](https://github.com/pnpm/pnpm)