Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subject names for attestations #3070

Merged
merged 4 commits into from
Sep 26, 2022
Merged

Subject names for attestations #3070

merged 4 commits into from
Sep 26, 2022

Conversation

jedevc
Copy link
Member

@jedevc jedevc commented Aug 30, 2022

Follow up to #2935.

From conversation with @tonistiigi:

thinking about this bit more, I think we should put the repo name here. We should at least have something that says that the digest points to an image (when we add attestation to local output then it points to a file and not an image)

SGTM 馃憤 - this makes sense from the buildkit side, since pushed images always have a name.

@jedevc jedevc requested a review from tonistiigi August 30, 2022 10:34
tonistiigi
tonistiigi reviewed Aug 31, 2022
View reviewed changes
exporter/containerimage/writer.go
}
for _, name := range names {
statements[i].Subject = append(statements[i].Subject, intoto.Subject{
Name: name,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be converted to https://github.com/package-url/purl-spec ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe. I'm not entirely sure, in-toto doesn't require it, so it's up to us. I do think we want to make sure that the platform is present in the name though (to ensure uniqueness), since then we'll have a 1-to-1 relationship between digests and names.

So maybe PURL would be the right choice here, with the version field containing the image tag, and the image repository location and architecture/os data in the qualifiers? Not sure whether we should use the sha256: in the name though, since that would be duplicated.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have cherry-picked your PURL util package (with a fixup to use reference for the distribution reference package, like we have in the other parts of the codebase).

@jedevc jedevc force-pushed the attestation-subject-name branch 2 times, most recently from f4726f9 to cacd12d Compare September 1, 2022 11:32
tonistiigi
tonistiigi reviewed Sep 2, 2022
View reviewed changes
util/purl/image.go
@@ -4,8 +4,8 @@ import (
"strings"

"github.com/containerd/containerd/platforms"
distreference "github.com/docker/distribution/reference"
"github.com/opencontainers/go-digest"
"github.com/docker/distribution/reference"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

btw, the reason I used the specific name was that there is also

https://github.com/containerd/containerd/tree/main/reference and
https://github.com/moby/moby/tree/master/reference

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that makes sense, I think we should make that change everywhere then at some point, instead of just here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to do that in a follow-up, if this is a blocker 馃憤

tonistiigi and others added 3 commits September 23, 2022 21:54
@tonistiigi
util: add helper package for ref to purl conversions
1b26a0a 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@jedevc @tonistiigi
fixup! util: add helper package for ref to purl conversions
b700f93 
Use convention of importing docker/distribution/reference as reference.

Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc @tonistiigi
containerimage: propogate commit options to helper functions
64082ae 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@tonistiigi tonistiigi force-pushed the attestation-subject-name branch 2 times, most recently from 2684b24 to 406f036 Compare September 24, 2022 05:33
@jedevc @tonistiigi
containerimage: set attestation subjects based on image name
d80b59f 
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@jedevc
Copy link
Member Author

jedevc commented Sep 26, 2022

@tonistiigi LGTM - good catch on OSVersion 馃帀

@tonistiigi tonistiigi merged commit 47e953b into moby:master Sep 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jedevc @tonistiigi