Document SecureBuild verification path for SDK images#3966
Replicated SDK images are rebuilt by SecureBuild roughly 6 hours after release, which breaks the upstream verification script because the digest, signing identity, and provenance builder all change. Add a second verification path using the SecureBuild-provided verify-securebuild-image.sh script, and explain the two-phase verification lifecycle so customers know which path to use.
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/vendor/replicated-sdk-slsa-validating.md|143 col 37| [Replicated.Passive] In general, use active voice instead of passive voice ('was signed').
docs/vendor/replicated-sdk-slsa-validating.md|143 col 67| [Vale.Spelling] Did you really mean 'keyless'?
docs/vendor/replicated-sdk-slsa-validating.md|147 col 67| [Vale.Spelling] Did you really mean 'keyless'?
docs/vendor/replicated-sdk-slsa-validating.md|148 col 30| [Replicated.Passive] In general, use active voice instead of passive voice ('was signed').
docs/vendor/replicated-sdk-slsa-validating.md|148 col 64| [Vale.Spelling] Did you really mean 'Fulcio'?
docs/vendor/replicated-sdk-slsa-validating.md|148 col 91| [Vale.Spelling] Did you really mean 'Rekor'?
docs/vendor/replicated-sdk-slsa-validating.md|152 col 25| [Replicated.Acronyms] Spell out 'SPDX' on first use, if it's unfamiliar to the audience.
docs/vendor/replicated-sdk-slsa-validating.md|152 col 47| [Replicated.Passive] In general, use active voice instead of passive voice ('was signed').
docs/vendor/replicated-sdk-slsa-validating.md|152 col 77| [Vale.Spelling] Did you really mean 'keyless'?
| ## Purpose of attestations | ||
|
|
||
| Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image's Software Bill of Materials (SBOM) and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application. | ||
| Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image's SBOM and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application. |
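Review bot: the two versions of the "Purpose of attestations" paragraph shown here differ only in whether "Software Bill of Materials (SBOM)" is spelled out; keep the expanded form on first use, and give SLSA the same treatment (Supply-chain Levels for Software Artifacts), since the same sentence introduces "SLSA-based provenance attestations" without expansion.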
📝 [vale] reported by reviewdog 🐶
[Replicated.SentenceLength] Try to keep your sentence length to 26 words or fewer.
| ## Purpose of attestations | ||
|
|
||
| Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image's Software Bill of Materials (SBOM) and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application. | ||
| Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image's SBOM and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application. |
📝 [vale] reported by reviewdog 🐶
[Replicated.Acronyms] Spell out 'SLSA' on first use, if it's unfamiliar to the audience.
|
|
||
| ## About the SDK image verification lifecycle | ||
|
|
||
| Replicated SDK images are published in two phases, and the verification method depends on which phase an image is in: |
📝 [vale] reported by reviewdog 🐶
[Replicated.Passive] In general, use active voice instead of passive voice ('are published').
|
|
||
| Replicated SDK images are published in two phases, and the verification method depends on which phase an image is in: | ||
|
|
||
| 1. **Original release build.** When a new SDK version is released, Replicated builds the image through its own pipeline, which attaches: |
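Review bot: this lifecycle intro gives the reader no way to tell which phase an image is in. The PR description says SecureBuild rebuilds roughly 6 hours after release and that the digest, signing identity, and provenance builder all change; state that timing and the observable difference here, otherwise a customer cannot choose between the two verification paths.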
📝 [vale] reported by reviewdog 🐶
[Replicated.Passive] In general, use active voice instead of passive voice ('is released').
| The verification script performs three security checks against the SecureBuild signing identity: | ||
| 1. SLSA v1.0 provenance verification | ||
| 1. Cosign image signature verification | ||
| 1. SBOM (SPDX) attestation verification |
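Review bot: "against the SecureBuild signing identity" leaves the reader unable to confirm what the script pins. State the expected certificate identity and OIDC issuer the script checks (or say where the script reports them), since a signature or attestation check is only meaningful when the reader knows which identity is expected. Also spell out SPDX (Software Package Data Exchange) on first use, as the linter notes.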
📝 [vale] reported by reviewdog 🐶
[Replicated.Acronyms] Spell out 'SPDX' on first use, if it's unfamiliar to the audience.
Summary
verify-image.sh instructions (renamed to "Verify an original SDK release image"), because replicated-sdk still builds and signs images on release — SecureBuild only takes over after the rebuild.
`1.` convention, sentence-case headings, colon-terminated run-in headings, fixed a 404 link at the bottom).
Context: based on the SLSA provenance generation proposal and the merged verification script PR above.
Test plan
`npm start` locally and confirm the page renders with working anchor links to `#verify-original` and `#verify-securebuild`.
`/vendor/releases-creating-releases` resolves.