Sign provenance files #92
@pieterlexis yes, integrating attaching to Docker images or auto-uploading to GitHub releases can be done in a separate PR.
I would be interested in working on this PR ✋ 😄
For Docker images, I have been looking at the implementation within Tekton Chains... and I can see it could be possible to do something similar here too. I wonder if this should be integrated as part of the
That way, you can be sure that the attestation has not been modified / compromised before it makes it to the registry. I wonder if it would be worthwhile for me to expand on #88 so someone can just call a flag that allows a user to achieve all of this for a Docker image. As far as I can see with SLSA, this is a common flow for anyone wanting to generate Level 2 provenance for an image.
@ChaosInTheCRD, what you have shared in your workflow tryout https://github.com/ChaosInTheCRD/mic-test/runs/4514052305?check_suite_focus=true is exactly what we would like to achieve in a single-line command once this PR and #88 are merged. @pieterlexis, could you also have a look at @ChaosInTheCRD's workflow? Can we achieve this with the combination of both PRs?
If you want to sign the provenance about the container, my action could do that as long as the provenance is in the same format.
Signing of provenance files should allow for compatibility with:

- Cosign
- Notation

Both Cosign and Notation allow for attaching additional artefacts to the image. Eventually this signed provenance should also be attachable to the container image (#88). That would allow us to fetch the provenance for a given Docker image and use the tooling (Notation/Cosign) to verify the signature.
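The following is an added example, not code from this project or from any of the commenters. It shows the envelope shape that Cosign's attestation tooling and in-toto use for signed provenance (a DSSE envelope around an in-toto Statement), and why "the attestation has not been modified before it makes it to the registry" holds: the signature covers the DSSE pre-authentication encoding of the payload type and payload, so any change to the provenance after signing fails verification. Assumptions: the statement contents (subject digest, builder id, build type) are constructed placeholders, and the signer is a stand-in HMAC-SHA256 over a constructed key so the script runs with only the standard library. Real Cosign or Notation signatures are asymmetric (Cosign defaults to ECDSA P-256), so an envelope produced here would not verify with those tools; only the envelope construction and the tamper check carry over.

```python
"""Build, sign and verify a DSSE envelope around a SLSA provenance statement."""
import base64
import hashlib
import hmac
import json
from typing import Optional

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample: an in-toto Statement carrying a SLSA provenance predicate.
# Digests and builder id are placeholders, not from any real build.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": "ghcr.io/example/app", "digest": {"sha256": "ab" * 32}}
    ],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://example.invalid/builder"},
        "buildType": "https://example.invalid/build-type",
    },
}

# Constructed symmetric key for the stand-in HMAC signer (not what cosign/notation use).
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEMO_KEYID = "demo-hmac-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed."""
    pt = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def _hmac_sign(message: bytes, key: bytes) -> bytes:
    # Stand-in for an asymmetric signature; same envelope, different primitive.
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_statement(statement: dict, key: bytes = DEMO_KEY, keyid: str = DEMO_KEYID) -> dict:
    """Serialize the statement and wrap it in a single-signature DSSE envelope."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode("utf-8")
    sig = _hmac_sign(pae(IN_TOTO_PAYLOAD_TYPE, payload), key)
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Return the verified statement, or None if no signature checks out.

    The PAE is recomputed from the envelope's own payloadType and payload, so a
    change to either field after signing invalidates every signature on it.
    """
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
    except (KeyError, ValueError):
        return None
    expected = _hmac_sign(pae(envelope.get("payloadType", ""), payload), key)
    for entry in envelope.get("signatures", []):
        try:
            sig = base64.b64decode(entry["sig"], validate=True)
        except (KeyError, ValueError):
            continue
        if hmac.compare_digest(sig, expected):
            return json.loads(payload)
    return None


def tampered_copy(envelope: dict) -> dict:
    """Simulate modification in transit: swap the subject digest inside the payload."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["subject"][0]["digest"]["sha256"] = "cd" * 32
    altered = dict(envelope)
    altered["payload"] = base64.b64encode(
        json.dumps(statement, sort_keys=True, separators=(",", ":")).encode("utf-8")
    ).decode("ascii")
    return altered


if __name__ == "__main__":
    env = sign_statement(SAMPLE_STATEMENT)
    print(json.dumps(env, indent=2))
    print("original verifies:", verify_envelope(env) is not None)
    print("tampered verifies:", verify_envelope(tampered_copy(env)) is not None)
```

Swapping `_hmac_sign` for a real key-backed signer is the only change needed to produce an envelope that Cosign or Notation would accept; the PAE and envelope layout stay the same, which is what makes "the provenance is in the same format" the deciding question in the thread.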