
feat: Add ability to attest the supplied multi-arch image #3875

Open

wants to merge 2 commits into base: main
Conversation

Danil-Grigorev
Contributor

Summary

When using docker buildx to build multi-arch images, the SLSA workflow may need to recursively attest the underlying images of the multi-arch build.

This is possible using --recursive=true according to the cosign attest help:

    -r, --recursive=false:
        if a multi-arch image is specified, additionally sign each discrete image

This change allows providing a recursive input flag in the workflow.
...

Testing Process

...

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.
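As an added illustration (not code from this PR or from slsa-github-generator) of why the flag matters for a multi-arch build: an OCI image index lists one manifest per platform, and consumers pull those platform digests directly, so an attestation attached only to the index digest does not cover the image they actually run. The index below is constructed with placeholder digests; the cosign flags other than `--recursive` are assumed from cosign's own CLI, not taken from this page.

```python
import json
# Constructed OCI image index for a two-platform buildx build; digests are
# placeholders, not real image hashes.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:" + "b" * 64, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64"}},
        # buildx stores its own attestation manifests under unknown/unknown
        {"digest": "sha256:" + "c" * 64, "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"}},
    ],
})
# Constructed single-platform manifest: nothing to recurse into.
SAMPLE_SINGLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
})
INDEX_MEDIA_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def discrete_images(repo, manifest_json):
    """Platform image references inside a multi-arch index. Consumers pull
    these digests directly, so an attestation on the index digest alone
    does not cover them. A single-image manifest yields []."""
    doc = json.loads(manifest_json)
    if doc.get("mediaType") not in INDEX_MEDIA_TYPES:
        return []
    refs = []
    for m in doc.get("manifests", []):
        if m.get("platform", {}).get("os") == "unknown":
            continue  # buildx attestation manifest, not a runnable image
        refs.append(f"{repo}@{m['digest']}")
    return refs

def attest_args(image_ref, recursive, predicate="provenance.json"):
    """Map the workflow's string-valued `recursive` input onto cosign's
    `--recursive` flag; anything but "true" keeps cosign's default."""
    args = ["cosign", "attest", "--predicate", predicate,
            "--type", "slsaprovenance"]
    if str(recursive).strip().lower() == "true":
        args.append("--recursive")
    args.append(image_ref)
    return args
```

A consumer-side check is to run `discrete_images` on the pushed index and verify that each returned reference, not just the index, carries provenance.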

@Danil-Grigorev Danil-Grigorev changed the title Add ability to attest the supplied multi-arch image feat: Add ability to attest the supplied multi-arch image Sep 10, 2024
@ianlewis
Member

ianlewis commented Sep 16, 2024

@Danil-Grigorev Hi! Thanks for this. It looks great.

Could you update the docs with this new option?

Could you add an entry to the CHANGELOG.md?

Signed-off-by: Danil-Grigorev <[email protected]>
@@ -216,6 +216,7 @@ Inputs:
| `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`[email protected]` |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
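Review bot: the new `recursive` row leaves the input's type and default undocumented, and "Usefull" is misspelled. The cosign flag it maps to is shown in the PR description as `-r, --recursive=false`, so the row should say the input is a boolean, that it defaults to `false`, and that it only takes effect when the referenced image is a multi-arch index, e.g. "If set to `true`, each discrete image of a multi-arch image is attested in addition to the index. Useful when a multi-arch image is used. Defaults to `false`."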
Collaborator

Suggested change
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
| `recursive` | If set, attestation is performed recursively on each of the images. Useful when a multi-arch image is used. |


##### New Features

- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
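Review bot: the CHANGELOG entry pins its link to the README at tag `v1.5.0`, while the input is being added on `main`, so the link should be repository-relative (`./internal/builders/container/README.md#workflow-inputs`) to track the tree this entry describes; "usefull" should also be "useful", and the input's default is worth a mention since the cosign flag defaults to `--recursive=false`.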
Collaborator

Suggested change
- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
- A new [`recursive`](./internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.

@ramonpetgrave64
Collaborator

@Danil-Grigorev Were you able to test this in any way, perhaps on your own fork?
