Description
Cosign currently always stores its data in `$HOME/.sigstore`, which unnecessarily pollutes the user's home directory. This is especially annoying for people who don't run `cosign` themselves because it's run as part of another (automated) script/tool/etc.
The XDG base directory specification defines where applications are supposed to store their config, cache, state and other data files, namely:

```sh
${XDG_CONFIG_HOME:-${HOME}/.config}
${XDG_CACHE_HOME:-${HOME}/.cache}
${XDG_STATE_HOME:-${HOME}/.local/state}
${XDG_DATA_HOME:-${HOME}/.local/share}
```

The XDG base dirs are supposed to be the default paths for applications on Linux systems, and they should not be treated as an override or fallback mechanism. Users who want to use different paths can set or override the respective env vars. Using application-specific env vars or configs is discouraged. The XDG base directory specification is respected by most applications today, with only a few legacy tools not implementing it (for whatever nonsensical reasons).
When adding support for this, old paths can still be used as a fallback if the correct paths don't exist yet on the user's system. An implementation is therefore trivial:
- Check for the correct XDG base dir path (depending on the env var values) and use it if it exists
- Check for the old/fallback path and use it if it exists
- Create a new directory in the correct XDG base dir path (depending on the env var values) and use it
More:
- https://wiki.archlinux.org/title/XDG_Base_Directory
- https://wiki.debian.org/XDGBaseDirectorySpecification
- https://wiki.gentoo.org/wiki/XDG/Base_Directories
Issue

cosign/doc/cosign_initialize.md, line 16 in fce8b6d:

> Any updated TUF repository will be written to $HOME/.sigstore/root/.

cosign/cmd/cosign/cli/initialize.go, line 39 in fce8b6d:

> Any updated TUF repository will be written to $HOME/.sigstore/root/.
Don't store data in `${HOME}/.sigstore`. Store it in `${XDG_DATA_HOME:-${HOME}/.local/share}/sigstore` instead, meaning `${HOME}/.local/share/sigstore` by default if `XDG_DATA_HOME` is unset or empty, or `${XDG_DATA_HOME}/sigstore` if `XDG_DATA_HOME` is not empty.

`TUF_ROOT` also doesn't seem to work, but this is application-specific and therefore a bad decision.
Example

Since CPython 3.14 has now fully switched from PGP to Sigstore, verifying its release files using cosign means that the user's HOME dir will unavoidably get polluted with the `.sigstore` directory, which is annoying.
```console
$ stat -c %n ~/.sigstore/
stat: cannot statx '/home/basti/.sigstore/': No such file or directory
$ curl -sSL --remote-name-all https://www.python.org/ftp/python/3.14.0/Python-3.14.0b2.tar.xz{,.sigstore}
$ cosign verify-blob \
    --new-bundle-format \
    --certificate-oidc-issuer 'https://github.com/login/oauth' \
    --certificate-identity '[email protected]' \
    --bundle ./Python-*.tar.xz.sigstore \
    ./Python-*.tar.xz
$ stat -c %n ~/.sigstore/
/home/basti/.sigstore/
```
Before submitting this issue, I had a quick look at the code (I'm not a Go dev), and it looks like the responsible code is in a different repo, but I might be wrong:

https://github.com/sigstore/sigstore/blob/v1.9.4/pkg/tuf/client.go#L560-L570

Still going to post this here, because this is about the `cosign` tool.
Thanks for your consideration.