Export attestations for local exporter #3197
Conversation
jedevc
changed the title
|
You can use this pkg https://github.com/moby/buildkit/compare/master...tonistiigi:buildkit:staticfs?expand=1 to add new static files(attestation data) to the transfer context and then merge it with the existing |
jedevc
force-pushed
the
attestations-exporter-local
branch
from
c505156
to
adf0de4
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
2 times, most recently
from
12e699d
to
ac7b819
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
2 times, most recently
from
65a0647
to
792dfa5
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
from
792dfa5
to
e647335
Compare
|
🐛 Edit: Fixed in 3e1153f. |
jedevc
force-pushed
the
attestations-exporter-local
branch
from
e647335
to
48c6269
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
from
48c6269
to
d62a805
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
from
e454050
to
11edf00
Compare
|
Rebased onto master after #3240 merged. |
There was a problem hiding this comment.
Building with provenance attestation, I get a cryptic "context canceled" error. The issue seems to be that
buildkit/solver/llbsolver/proc/provenance.go
Line 147 in f771330
Path. In addition to fixing this, if this key is required it should be validated or at least the error should indicate what is going on.
jedevc
force-pushed
the
attestations-exporter-local
branch
from
11edf00
to
bbdf8e2
Compare
|
Fixed the context cancelled issue. Also found a bug in trying to generate the subject hash for a file that is a symlink - I've refactored to only hash regular files, ignoring directories/symlinks/everything else. |
jedevc
force-pushed
the
attestations-exporter-local
branch
2 times, most recently
from
21b59c2
to
389f839
Compare
| return errors.Wrap(err, "failed to marshal attestation") | ||
| } | ||
|
|
||
| if attestations[i].Path == "" { |
There was a problem hiding this comment.
Better to have this validation somewhere else, like AddAttestation. If somebody sends incorrect options it shouldn't go unnoticed to them if they forget to test the local exporter.
There was a problem hiding this comment.
Will resolve this one in a follow-up - agree that it should be somewhere else, but AddAttestation doesn't currently return an error, so might be a bit more invasive than the above comment.
jedevc
force-pushed
the
attestations-exporter-local
branch
2 times, most recently
from
b5ccb68
to
9150344
Compare
jedevc
force-pushed
the
attestations-exporter-local
branch
from
9150344
to
e023fca
Compare
There was a problem hiding this comment.
As discussed we should not set platform in output dir if only one is defined to be aligned with current local output logic. Prefix platform can be enforced for single platform using BUILDKIT_MULTI_PLATFORM attr:
buildkit/frontend/dockerfile/builder/build.go
Line 451 in efc6335
These utilities can be used to add new static files to the fs that is transferred between daemon and client. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The character "." (and others) appear before "/" in the ASCII table so when sorting, these will appear directly after the directory, before the contents. When the results of the sort are then used for calls to Walk(), the traversal order will be incorrect, causing fsutil's filesync functionality to reject the server's transfer. To fix this, we replace "/" in the pathname with the null character, to ensure that it is sorted before the others. Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
Previously, the test for generating a nested structures was determined by the number of refs, which for attestations, can be more than one even though there is a single platform. The code is reworked to ensure that if a single platform is specified, we still get a flat structure, even if attestations are present. Signed-off-by: Justin Chadwell <me@jedevc.com>
jedevc
force-pushed
the
attestations-exporter-local
branch
from
f5f83e6
to
394a0cb
Compare
Implements the
localexporter part of #3184.The attestation extraction logic is moved to a separate utils package, so that other exporters can use it. Additionally, the bundling logic is slightly reworked, to add an explicit Unbundle step before Extracting. This ensures that the Extract method can perform a one-to-one translation from result.Attestations to intoto.Statements, which allows for deriving intermediate properties such as the Path.
The attestation files are exported similar to another platform ref, with file names equivalent to the original attestation files had (though this should be pretty easy to change if we'd prefer a separate output location specified by the user).
I'm not quite sure what to put for the
subjectfield for intoto (unless there's a canonical way of calculating the hash of a directory that I'm not aware of?), so for now I've left those empty.