Add multi arch docker images #120
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #120 +/- ##
=======================================
Coverage 77.54% 77.54%
=======================================
Files 15 15
Lines 610 610
=======================================
Hits 473 473
Misses 97 97
Partials 40 40
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
marcofranssen
force-pushed
the
multi-arch-docker
branch
5 times, most recently
from
eb07a18
to
b8a7229
Compare
JeroenKnoops
previously approved these changes
Jan 14, 2022
marcofranssen
force-pushed
the
multi-arch-docker
branch
11 times, most recently
from
9059fc1
to
5f70311
Compare
marcofranssen
force-pushed
the
multi-arch-docker
branch
from
5f70311
to
ad6f73f
Compare
marcofranssen
force-pushed
the
multi-arch-docker
branch
from
ad6f73f
to
d776a66
Compare
|
Cut out a new release to test. Using cosign v1.5.1 all seems to work now for signatures: $ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft
Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:e5413487c74dd0f51d0b557d2000b70d860a24e8d172a77285194e27f7723a66"},"type":"cosign container image signature"},"optional":null}]
$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64
Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:d71d2952d9d0e68113994db321e3ef76ea33a346cb0f189f4740ba363de6c723"},"type":"cosign container image signature"},"optional":null}]
$ cosign verify --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8
Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
[{"critical":{"identity":{"docker-reference":"ghcr.io/philips-labs/slsa-provenance"},"image":{"docker-manifest-digest":"sha256:5125a5d75a6974ae1a7a22db54f6efaadd044fb420ae8e5864af47ebe3126a25"},"type":"cosign container image signature"},"optional":null}]Thanks @priyawadhwa For provenance attestations we still need to have a look at the manifest. This currently does not have a provenance attestation linked to it. Something we still need to resolve in the ci pipeline most probably. $ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft
Error: no matching attestations:
main.go:46: error during command execution: no matching attestations:
$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8
Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-arm64v8 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiNTEyNWE1ZDc1YTY5NzRhZTFhN2EyMmRiNTRmNmVmYWFkZDA0NGZiNDIwYWU4ZTU4NjRhZjQ3ZWJlMzEyNmEyNSJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ1WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQCczjSW728jVPHZaQ0QhjHNKZWq85ExHyz/6aVLzZmRlQIhAJR6rt+IFlaRFFj33vcrlrOHKetu+l+she9zga0w7sUv"}]}
$ cosign verify-attestation --key cosign.pub ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64
Verification for ghcr.io/philips-labs/slsa-provenance:v0.8.0-draft-amd64 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
- Any certificates were verified against the Fulcio roots.
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UiLCJkaWdlc3QiOnsic2hhMjU2IjoiZDcxZDI5NTJkOWQwZTY4MTEzOTk0ZGIzMjFlM2VmNzZlYTMzYTM0NmNiMGYxODlmNDc0MGJhMzYzZGU2YzcyMyJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uL0F0dGVzdGF0aW9ucy9HaXRIdWJIb3N0ZWRBY3Rpb25zQHYxIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9BdHRlc3RhdGlvbnMvR2l0SHViQWN0aW9uc1dvcmtmbG93QHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlLWFjdGlvbiIsImRpZ2VzdCI6eyJzaGExIjoiZGRkNmMyZDYyOTI5ZTg3NjkyNjdkMDEzNjYyNTJkOTI2MDlkMWRiYiJ9LCJlbnRyeVBvaW50IjoiQ29udGludW91cyBpbnRlZ3JhdGlvbiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiJodHRwczovL2dpdGh1Yi5jb20vcGhpbGlwcy1sYWJzL3Nsc2EtcHJvdmVuYW5jZS1hY3Rpb24vYWN0aW9ucy9ydW5zLzE4NTg3ODA2MzIiLCJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTAyLTE3VDEzOjE5OjQ2WiIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3BoaWxpcHMtbGFicy9zbHNhLXByb3ZlbmFuY2UtYWN0aW9uIiwiZGlnZXN0Ijp7InNoYTEiOiJkZGQ2YzJkNjI5MjllODc2OTI2N2QwMTM2NjI1MmQ5MjYwOWQxZGJiIn19XX19","signatures":[{"keyid":"","sig":"MEYCIQDSgWuGXT24YA2aqJXt029RwIqNvAmCbwNt9c0fVhDHVAIhAOKoSBb4QGd7STfNb/gEIQFHr9ErG6bqSBYjfgzur3WR"}]} |
marcofranssen
force-pushed
the
multi-arch-docker
branch
from
d776a66
to
a5f4306
Compare
Co-authored-by: Brend Smits <brend.smits@philips.com> Signed-off-by: Marco Franssen <marco.franssen@philips.com>
Signed-off-by: Brend Smits <brend.smits@philips.com> Signed-off-by: Marco Franssen <marco.franssen@philips.com>
Signed-off-by: Marco Franssen <marco.franssen@philips.com>
Signed-off-by: Marco Franssen <marco.franssen@philips.com>
Co-authored-by: Brend Smits <brend.smits@philips.com> Signed-off-by: Marco Franssen <marco.franssen@philips.com>
Signed-off-by: Marco Franssen <marco.franssen@philips.com>
marcofranssen
force-pushed
the
multi-arch-docker
branch
from
a5f4306
to
14513f0
Compare
marcofranssen
force-pushed
the
main
branch
2 times, most recently
from
5bd17a0
to
28d96d7
Compare
marcofranssen
force-pushed
the
main
branch
2 times, most recently
from
13e3c34
to
c209f4e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This still needs verification when building a release. This was failing on the signing PR so separated this into a new PR to debug this part.
resolves #107
resolves #68
As we are only providing the image digest it seems the provenance is only attached to the image tags.
v0.5.2-draft-amd64andv0.5.2-draft-arm64v8.So for the manifest tags
v0.5.2-draftand thecommit-hashwe do not have the provenance as those tags are on the manifests.It looks like there is another RepoDigest when pulling these images by manifest tags. See below the Digest for the amd64 platform. Not sure how this will be for the
arm64v8.$ docker manifest inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", "manifests": [ { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 1159, "digest": "sha256:5d674de12c6830a33ca1b1fe7964468ee98a1bdde262844e7697897bf8e5b9c7", "platform": { "architecture": "amd64", "os": "linux" } }, { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 1159, "digest": "sha256:9a12783d47e0b03a0ad7cf996eb4d5f36627b1e073c832a6aa9a94b5fb5c182c", "platform": { "architecture": "arm64", "os": "linux" } } ] }Seems the digest for the pulled tag (in my case amd64 arch) is a different one as we have seen before.
$ docker inspect ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft [ { "Id": "sha256:788f5d3ffed4f844e4288aae0d04fad8af5dc2e94e852019c166f2bb0a15a4f3", "RepoTags": [ "ghcr.io/philips-labs/slsa-provenance:v0.5.2-draft" ], "RepoDigests": [ "ghcr.io/philips-labs/slsa-provenance@sha256:af08463f91a98c3f08083987dc1826eba302aeb110ae85b679a3859be2a25bea" ], ……………… …………………