Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add ability to attest the supplied multi-arch image #3875

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

Danil-Grigorev
Copy link
Contributor

Summary

When using docker buildx to build multi-arch images, SLSA workflow may need to recursively attest underlying images for the multi-arch build.

This is possible using --recursive=true according to the cosign attest help:

    -r, --recursive=false:
        if a multi-arch image is specified, additionally sign each discrete image

This change allows to provide recursive input flag in the workflow.
...

Testing Process

...

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@Danil-Grigorev Danil-Grigorev changed the title Add ability to attest the supplied multi-arch image feat: Add ability to attest the supplied multi-arch image Sep 10, 2024
@ianlewis
Copy link
Member

ianlewis commented Sep 16, 2024

@Danil-Grigorev Hi! Thanks for this. It looks great.

Could you update the docs with this new option?

Could you add an entry to the CHANGELOG.md?

@Danil-Grigorev Danil-Grigorev force-pushed the patch-2 branch 6 times, most recently from cb751e1 to 4d135a6 Compare September 18, 2024 20:09
Signed-off-by: Danil-Grigorev <[email protected]>
@@ -216,6 +216,7 @@ Inputs:
| `gcp-service-account` | Email address or unique identifier of the Google Cloud service account for which to generate credentials. For example:<br>`[email protected]` |
| `provenance-registry-username` | Username when publishing to provenance registry (option 'provenance-registry') instead of image registry. Either `provenance-registry-username` input or `provenance-registry-username` secret is required. |
| `provenance-registry` | If set, provenance is pushed to this registry instead of image registry. (e.g. `gcr.io/my-new-repo`) |
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `recursive` | If set, attestation is performed recursively on the image. Usefull when a multi-arch image is used. |
| `recursive` | If set, attestation is performed recursively on each of the images. Useful when a multi-arch image is used. |


##### New Features

- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- A new [`recursive`](https://github.com/slsa-framework/slsa-github-generator/blob/v1.5.0/internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.
- A new [`recursive`](./internal/builders/container/README.md#workflow-inputs) input was added to allow users to pass `--recursive` option to the provenance attestation, usefull when signing `multi-arch` images.

@ramonpetgrave64
Copy link
Collaborator

@Danil-Grigorev Were you able to test this in any way, perhaps on your own fork?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants