SBOMs are not being signed #1151
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
[Triage]
This work should be incorporated into the work for signing images: dotnet/dotnet-docker#4589.
The implementation here that currently uses the ManifestGeneratorTask could potentially be simplified by acquiring the sbom-tool directly: https://github.com/microsoft/sbom-tool?tab=readme-ov-file#download-and-installation EDIT: Even better, we could potentially include the sbom-tool in the ImageBuilder container and call it from there instead of using Pipeline code.
The build stage of the pipeline generates SBOMs using this logic:
docker-tools/eng/common/templates/jobs/build-images.yml
Lines 128 to 176 in 9791b15
The ManifestGeneratorTask is only used as an "installer" in order to acquire the manifest tool that gets executed in the second step. It's done this way because of the need to have a separate SBOM for each image (see #979). So the SBOM generation occurs in the second step. But the logic for signing the SBOMs actually occurs in the first step via the ManifestGeneratorTask. This means we're not getting the benefit of signing because we're not using the task to generate the SBOMs. And that means none of our SBOMs are signed.
I've logged a related issue for the manifest generator to have another tool that can be used for signing: https://github.com/microsoft/dropvalidator/issues/668
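The failure described above (SBOMs generated per image, but the signing step never running over them) is the kind of gap a pipeline can detect before publishing. The script below is an added example, not code from the docker-tools repository or from sbom-tool: it walks a build output tree, finds every per-image SBOM, checks the sha256 sidecar sbom-tool writes next to the manifest, and reports any SBOM that has no signature artifact beside it. The `_manifest/spdx_2.2/manifest.spdx.json` layout follows sbom-tool's default output; the `.sig` sidecar name is a hypothetical placeholder for whatever artifact the signing step actually produces, and the sample tree is constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

SBOM_NAME = "manifest.spdx.json"      # sbom-tool's default manifest file name
HASH_SUFFIX = ".sha256"               # sidecar sbom-tool writes alongside the manifest
SIG_SUFFIX = ".sig"                   # hypothetical: name of the signing step's output


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_sboms(root: Path) -> dict:
    """Classify every SBOM under root as ok, unsigned, or hash_mismatch.

    Paths in the result are relative to root and use forward slashes so the
    report is stable across platforms.
    """
    result = {"ok": [], "unsigned": [], "hash_mismatch": []}
    for sbom in sorted(root.rglob(SBOM_NAME)):
        rel = sbom.relative_to(root).as_posix()
        # 1. Integrity: the .sha256 sidecar must match the manifest on disk.
        sidecar = sbom.with_name(sbom.name + HASH_SUFFIX)
        if sidecar.exists():
            expected = sidecar.read_text().split()[0].lower()
            if expected != sha256_of(sbom):
                result["hash_mismatch"].append(rel)
                continue
        # 2. Provenance: a signature artifact must exist beside the manifest.
        if sbom.with_name(sbom.name + SIG_SUFFIX).exists():
            result["ok"].append(rel)
        else:
            result["unsigned"].append(rel)
    return result


def build_sample_tree() -> Path:
    """Constructed sample: three per-image SBOM directories.

    runtime: signed and intact; sdk: never signed (the bug described in the
    issue); aspnet: signed, but edited after its hash sidecar was written.
    """
    root = Path(tempfile.mkdtemp(prefix="sbom-audit-"))
    cases = [("runtime", True, False), ("sdk", False, False), ("aspnet", True, True)]
    for image, signed, tampered in cases:
        d = root / image / "_manifest" / "spdx_2.2"
        d.mkdir(parents=True)
        sbom = d / SBOM_NAME
        sbom.write_text('{"spdxVersion": "SPDX-2.2", "name": "%s"}' % image)
        (d / (SBOM_NAME + HASH_SUFFIX)).write_text(sha256_of(sbom) + "\n")
        if signed:
            (d / (SBOM_NAME + SIG_SUFFIX)).write_bytes(b"placeholder-signature")
        if tampered:
            sbom.write_text('{"spdxVersion": "SPDX-2.2", "name": "tampered"}')
    return root


if __name__ == "__main__":
    report = audit_sboms(build_sample_tree())
    for status, paths in report.items():
        for p in paths:
            print(f"{status:14} {p}")
```

In a pipeline this would run as a gate after the SBOM and signing steps, failing the job when `unsigned` or `hash_mismatch` is non-empty; the hash check is deliberately done first, since a signature over a manifest that was modified afterwards proves nothing about the bytes being published.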