docs: add proposal for producing supply chain metadata for all ratify assets #1641
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅
### Referrer Artifacts (TBD)

As a future improvement, Ratify can look into attaching the SLSA build provenance metadata as a referrer artifact attached to the image. This might be in the form of a standalone artifact or packaged in an in-toto attestation.
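Review bot: the Referrer Artifacts section leaves the artifact shape open (standalone artifact vs. in-toto attestation), but a verifier has to know the artifact type to discover the referrer in the registry and parse it; stating the intended artifact type or media type here, or at least which of the two options is preferred and why, would make the TBD actionable rather than a placeholder.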
Is generating the SLSA build provenance attestation metadata as a referrer an external dependency on docker buildx?
I don't think so. The slsa generator action just needs the binary hashes to associate provenance with. The rest is handled by the workflow. https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#what-is-slsa-github-generator
Thanks @akashsinghal. PTAL at my comments above.
Thanks Akash, LGTM.
One minor detail for the Q&A. "Do we need to publish the same artifacts as referrers as well or is it sufficient to use docker buildx attestations? Ratify will consider this in the future as need arises."
Could you remind us of the reason to implement buildx attestations over referrers? Thanks!
Buildx attestations are used in other OSS projects, while referrers for the same content are not adopted in other larger projects. That's the only reason to start with buildx attestations over referrers.
LGTM
LGTM
LGTM. thanks!
… assets (ratify-project#1641) Signed-off-by: akashsinghal <[email protected]>
Description
What this PR does / why we need it:
This pull request introduces significant changes to the `docs/proposals/Release-Supply-Chain-Metadata.md` file, outlining a comprehensive plan for improving the integrity and verifiability of Ratify's release assets. Key changes include proposals for signing all container images and binaries, generating Software Bill of Materials (SBOMs) for all assets, and publishing provenance information for each binary. The changes are organized into two stages of implementation and a future "to be determined" stage.