Open
Labels: area/build (Relates to Dockerfiles or docker build command), status/triage (Needs triage)
Is this a docs issue?
- My issue is about the documentation content or website
Type of issue
I can't find what I'm looking for
Description
In the https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example page and section,
an example is given with a full SLSA provenance attestation in the in-toto format.
The problem is that the command needed to display it is not given.
It can be tricky for the user without knowing the commands.
Location
https://docs.docker.com/build/metadata/attestations/slsa-provenance/
Suggestion
An example of the commands to be added:
```bash
# Retrieve the digest of the attestation manifest
DIGEST=$(docker buildx imagetools inspect "$IMAGE" --format '{{ json .Manifest }}' | jq -r '.manifests[] | select(.annotations."vnd.docker.reference.type"=="attestation-manifest") | .digest')
# Retrieve the digest of the in-toto blob
INTOTO_DIGEST=$(docker buildx imagetools inspect "$IMAGE@$DIGEST" --raw | jq -r '.layers[] | select(.annotations."in-toto.io/predicate-type"=="https://slsa.dev/provenance/v0.2") | .digest')
# Read the SLSA provenance attestation from the blob
crane blob "$IMAGE@$INTOTO_DIGEST"
```
Definitely not easy...
Moreover, an easier command exists to retrieve the provenance, BUT not in in-toto format:
```bash
docker buildx build --provenance=mode=max --metadata-file provenance.json -t "$IMAGE" --push .
```
Maybe a better solution exists; in any case, the commands are missing from this documentation.
Thanks :)
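Added example, not part of the original issue or of Docker's documentation: the same two selections the `jq` filters above perform, run over constructed sample documents, plus a check that the retrieved in-toto statement actually names the image as its subject. It goes one step beyond the commands in the issue by matching the `vnd.docker.reference.digest` annotation, so that on a multi-platform image the attestation manifest picked is the one for the intended image manifest; all digests and the subject name are constructed placeholders.

```python
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
PRED_KEY = "in-toto.io/predicate-type"

# Constructed sample documents; the digests are placeholders, not real images.
IMG, ATT, SBOM, BLOB = ("sha256:" + c * 64 for c in "abcd")
INDEX = {"manifests": [
    {"digest": IMG, "platform": {"os": "linux", "architecture": "amd64"}},
    {"digest": ATT, "platform": {"os": "unknown", "architecture": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                     "vnd.docker.reference.digest": IMG}},
]}
ATT_MANIFEST = {"layers": [
    {"digest": SBOM, "annotations": {PRED_KEY: "https://spdx.dev/Document"}},
    {"digest": BLOB, "annotations": {PRED_KEY: SLSA_V02}},
]}
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/app@latest",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {"buildType": "https://mobyproject.org/buildkit@v1"},
})

def attestation_for(index, image_digest):
    """Digest of the attestation manifest that refers to image_digest, or None."""
    for m in index.get("manifests", []):
        ann = m.get("annotations") or {}
        if (ann.get("vnd.docker.reference.type") == "attestation-manifest"
                and ann.get("vnd.docker.reference.digest") == image_digest):
            return m["digest"]
    return None

def provenance_layer(att_manifest, predicate_type=SLSA_V02):
    """Digest of the in-toto blob carrying predicate_type, or None."""
    for layer in att_manifest.get("layers", []):
        if (layer.get("annotations") or {}).get(PRED_KEY) == predicate_type:
            return layer["digest"]
    return None

def statement_covers(raw, image_digest, predicate_type=SLSA_V02):
    """True if the statement has predicate_type and lists image_digest as a subject."""
    st = json.loads(raw)
    algo, _, hexval = image_digest.partition(":")
    return (st.get("predicateType") == predicate_type and
            any(s.get("digest", {}).get(algo) == hexval for s in st.get("subject", [])))
```

With real data, `INDEX` corresponds to the output of the first `imagetools inspect` command, `ATT_MANIFEST` to the `--raw` output of the second, and `STATEMENT` to the blob printed by `crane blob`.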