From 917f924190f54148fe30ff64f92905ca46885dda Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Sun, 23 Feb 2025 19:50:26 +1300
Subject: [PATCH] chore: attest multiarch deps properly

download and attest the sbom for images by architecture
---
 .gitlab-ci.yml | 2 +-
 hack/publish.sh | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bb6ae4d9..d7352c55 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -65,7 +65,7 @@ variables:
 before_script:
 - set -x
 - *setup-testing-repo
- apk add --no-cache curl cosign ko git crane
+ - apk add --no-cache curl cosign ko git crane jq
 - export KO_DOCKER_REPO="$(echo ${KO_DOCKER_REPO} | tr '[:upper:]' '[:lower:]')"
 - ko login "${CI_REGISTRY}" -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}"
 - *image-set-build-env
diff --git a/hack/publish.sh b/hack/publish.sh
index 7566e2fc..ba34a28d 100755
--- a/hack/publish.sh
+++ b/hack/publish.sh
@@ -54,8 +54,14 @@ IMAGE="$(ko publish \
 if [ "${SIGN:-}" = true ]; then
 cosign sign --recursive -y "$IMAGE"
- cosign download sbom "$IMAGE" > /tmp/sbom-spdx.json
+ cosign download sbom "$IMAGE" >/tmp/sbom-spdx.json
 cosign attest -y --recursive --predicate /tmp/sbom-spdx.json "$IMAGE"
+
+ DIGESTS="$(crane manifest "$IMAGE" | jq -r .manifests[].digest)"
+ for DIGEST in $DIGESTS; do
+ cosign download sbom "$KO_DOCKER_REPO@$DIGEST" >/tmp/sbom-spdx-"$DIGEST".json
+ cosign attest -y --recursive --predicate /tmp/sbom-spdx-"$DIGEST".json "$KO_DOCKER_REPO@$DIGEST"
+ done
 fi
 if [ "${TEST_TARBALL:-}" = true ]; then
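Review bot: The per-architecture references in the new loop are built as `$KO_DOCKER_REPO@$DIGEST`, but the repository that actually holds those manifests is whatever `$IMAGE` names — by default ko publishes under a generated path component below `KO_DOCKER_REPO` unless it was run with `--bare`, and the `ko publish` flags sit outside this hunk — so the download and attest can point at a repository that does not contain the child digests; derive the repo from the image instead, `REPO="${IMAGE%%@*}"`. The `crane manifest "$IMAGE" | jq -r .manifests[].digest` line also errors on a single-platform image (no `.manifests` key, so jq cannot iterate null) and leaves the filter unquoted where `[]` is glob syntax; `'.manifests[]?.digest'` covers both. The new `cosign attest` calls copy the existing one in omitting `--type`, so the SPDX document is stored under the default `custom` predicate type and `cosign verify-attestation --type spdxjson` will not find it; the loop should pass `--type spdxjson`, and `--recursive` is a no-op on a single-manifest digest. Note that `cosign download sbom` fetches the SBOM from a mutable `sha256-<digest>.sbom` tag in the registry rather than from ko's local output, so whatever that tag holds at attest time is what gets signed; if the ko version in use supports `--sbom-dir`, attesting the locally written SBOM closes that window. The `if` block this loop lives in is fully visible, but the `ko publish` invocation that produces `IMAGE` starts before the hunk.
```shell
  # … unchanged: cosign sign + index-level SBOM download/attest …
  REPO="${IMAGE%%@*}"   # same repository ko published to; IMAGE is digest-qualified as ko prints it
  DIGESTS="$(crane manifest "$IMAGE" | jq -r '.manifests[]?.digest')"
  for DIGEST in $DIGESTS; do
    cosign download sbom "$REPO@$DIGEST" >"/tmp/sbom-spdx-$DIGEST.json"
    cosign attest -y --type spdxjson --predicate "/tmp/sbom-spdx-$DIGEST.json" "$REPO@$DIGEST"
  done
```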