

chore: attest multiarch deps properly
download and attest the SBOM for each image architecture
BobyMCbobs committed Feb 23, 2025
1 parent 6822436 commit 917f924
Showing 2 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .gitlab-ci.yml
Expand Up @@ -65,7 +65,7 @@ variables:
before_script:
- set -x
- *setup-testing-repo
- apk add --no-cache curl cosign ko git crane
- apk add --no-cache curl cosign ko git crane jq
- export KO_DOCKER_REPO="$(echo ${KO_DOCKER_REPO} | tr '[:upper:]' '[:lower:]')"
- ko login "${CI_REGISTRY}" -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}"
- *image-set-build-env
8 changes: 7 additions & 1 deletion hack/publish.sh
Expand Up @@ -54,8 +54,14 @@ IMAGE="$(ko publish \

if [ "${SIGN:-}" = true ]; then
cosign sign --recursive -y "$IMAGE"
cosign download sbom "$IMAGE" > /tmp/sbom-spdx.json
cosign download sbom "$IMAGE" >/tmp/sbom-spdx.json
cosign attest -y --recursive --predicate /tmp/sbom-spdx.json "$IMAGE"

DIGESTS="$(crane manifest "$IMAGE" | jq -r .manifests[].digest)"
for DIGEST in $DIGESTS; do
cosign download sbom "$KO_DOCKER_REPO@$DIGEST" >/tmp/sbom-spdx-"$DIGEST".json
cosign attest -y --recursive --predicate /tmp/sbom-spdx-"$DIGEST".json "$KO_DOCKER_REPO@$DIGEST"
done
fi

if [ "${TEST_TARBALL:-}" = true ]; then
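Review bot: The per-architecture references in the new loop are built from `$KO_DOCKER_REPO@$DIGEST`, but the index whose manifests are enumerated on the `crane manifest` line lives at `$IMAGE`; unless `ko publish` is invoked so that the image lands directly in `$KO_DOCKER_REPO` (its flags are outside this hunk), the two repositories differ and the download/attest calls target references that do not exist. Deriving the repository from the published reference removes the assumption: `REPO="${IMAGE%%@*}"`, then `cosign download sbom "$REPO@$DIGEST" >/tmp/sbom-spdx-"$DIGEST".json` and `cosign attest -y --recursive --predicate /tmp/sbom-spdx-"$DIGEST".json "$REPO@$DIGEST"`. If `$IMAGE` is ever a single-platform manifest rather than an index, `jq -r .manifests[].digest` has no array to iterate and either errors or yields an empty `DIGESTS`, so the loop silently does nothing — worth a guard such as `[ -n "$DIGESTS" ] || echo "no per-arch manifests found" >&2`, and iterating with `while IFS= read -r DIGEST` instead of unquoted `$DIGESTS`. Both the existing and the new `cosign attest` calls omit `--type`, so the SBOM is recorded under cosign's default `custom` predicate type; passing `--type spdxjson` lets verifiers select it by type later. The enclosing `if [ "${SIGN:-}" = true ]` block is fully inside the hunk, but the script's `set` options are not, so whether a jq failure aborts the publish or is swallowed cannot be told from here.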

