
Sign buildpacksio/pack images using cosign and attach sbom generated from binaries #2287

Open: wants to merge 3 commits into base: main

Conversation

adwait-godbole

Fixes #2193

Generate JSON SBOM for release binaries just like how lifecycle is doing right now and use cosign for signing, attaching SBOM and verifying container images.

@adwait-godbole adwait-godbole requested review from a team as code owners November 18, 2024 15:53
@github-actions github-actions bot added this to the 0.36.0 milestone Nov 18, 2024
@github-actions github-actions bot added the type/chore Issue that requests non-user facing changes. label Nov 18, 2024
@adwait-godbole adwait-godbole force-pushed the sign-images-along-with-sbom branch from 209b788 to d25b270 November 18, 2024 15:55
@adwait-godbole adwait-godbole changed the title generate SBOM for binaries and container images and use cosign for si… Generate SBOM for binaries and container images and use cosign for si… Nov 18, 2024
@adwait-godbole adwait-godbole changed the title Generate SBOM for binaries and container images and use cosign for si… Sign buildpacksio/pack images using cosign and attach sbom generated from binaries Nov 18, 2024
@adwait-godbole
Author

Hi @jjbustamante , @natalieparellano, before you go ahead with reviewing this PR, I had a query to clear off my head. Since we are doing a multi-platform image build using buildx, should the cosign sign and cosign attest (for sbom) be done individually for every platform arch image manifest digest or the entire multi-platform index digest as a whole?

@natalieparellano
Member

@adwait-godbole thank you for this. I'd recommend we do this similarly to how we do it in the lifecycle; you can find the workflow file here: https://github.com/buildpacks/lifecycle/blob/main/.github/workflows/build.yml

The sbom that we attach to the release on GitHub is from linux-amd64. But the sbom that we embed within the lifecycle image is for the particular os/arch that we're shipping (see here). But, since we don't have the concept of sbom-within-the-image for pack, we can probably skip over this.
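A minimal GitHub Actions job illustrating the flow discussed in this thread: build the multi-platform image, sign the pushed index digest (with `--recursive` so each per-platform manifest is covered too), attach the binary SBOM as a cosign attestation, and verify both before publishing. This is an added example, not the PR's workflow or lifecycle's; the image name `ghcr.io/example-org/pack`, the `out/pack-linux-amd64` build output and the use of syft to produce a CycloneDX SBOM are assumptions.

```yaml
# Added example (not code from the PR or from pack/lifecycle). Assumes the
# image ghcr.io/example-org/pack, a Go build of ./cmd/pack, and syft on PATH.
name: release-image
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  packages: write
  id-token: write   # required for keyless (Fulcio/OIDC) cosign signing
jobs:
  build-sign-attest:
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: ghcr.io/example-org/pack   # placeholder image name
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: sigstore/cosign-installer@v3
      - name: Build the linux-amd64 release binary (assumed layout ./cmd/pack)
        run: GOOS=linux GOARCH=amd64 go build -o out/pack-linux-amd64 ./cmd/pack
      - name: Generate a CycloneDX JSON SBOM from the binary (assumes syft)
        run: syft file:out/pack-linux-amd64 -o cyclonedx-json > sbom.cdx.json
      - name: Build and push the multi-platform image
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ env.IMAGE_NAME }}:${{ github.ref_name }}
      - name: Sign the index digest and every per-platform manifest
        # The digest output of a multi-platform push is the image index digest.
        run: cosign sign --yes --recursive "$IMAGE_NAME@${{ steps.build.outputs.digest }}"
      - name: Attach the SBOM as an attestation on the index digest
        run: cosign attest --yes --type cyclonedx --predicate sbom.cdx.json "$IMAGE_NAME@${{ steps.build.outputs.digest }}"
      - name: Verify signature and attestation before publishing the release
        run: |
          REF="$IMAGE_NAME@${{ steps.build.outputs.digest }}"
          ISSUER=https://token.actions.githubusercontent.com
          IDENTITY='https://github.com/example-org/pack/'   # placeholder repo
          cosign verify --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$REF"
          cosign verify-attestation --type cyclonedx --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" "$REF"
```

Consumers verify against the same identity/issuer pair; pinning the identity to the release workflow path rather than the whole org narrows what a compromised sibling workflow could sign.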

@jjbustamante jjbustamante modified the milestones: 0.36.0, 0.37.0 Nov 27, 2024
Successfully merging this pull request may close these issues.

buildpacksio/pack images should be signed