Just leaving a few notes here, as I did some tests today.
We should be able to attest that an SBOM belongs to an image by running this command within the GitHub Action, after the image was built: `cosign attest --predicate bom.json --type cyclonedx oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev`
In my tests this only worked when the CycloneDX SBOM was in JSON format, with XML it failed (tested with cosign 2.2.1).
Verification should work like this: `cosign verify-attestation --type cyclonedx --certificate-identity-regexp '^https://github.com/stackabletech/.+/.github/workflows/.+@.+' --certificate-oidc-issuer https://token.actions.githubusercontent.com oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev`
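The attest and verify steps from the comment above, wired into one script a GitHub Actions job could call after the image push. This is an added example, not code from the issue or from the stackabletech repositories. It assumes cosign 2.x on PATH, a job with `permissions: id-token: write` (needed for keyless signing via the GitHub OIDC token), and that `bom.json` was generated earlier in the job. The function names, the JSON pre-check (motivated by the XML failure reported above) and the envelope decoding are my additions; `https://cyclonedx.org/bom` is the in-toto predicate type cosign records for `--type cyclonedx`.

```shell
#!/bin/sh
# Added example (not from the issue or the stackabletech repos): attest a
# CycloneDX SBOM to an image with keyless cosign inside a GitHub Actions job,
# then verify the attestation and inspect what came back.
# Assumptions: cosign 2.x on PATH; the job has `permissions: id-token: write`
# so Fulcio can issue a signing certificate; bom.json was generated earlier.
set -eu

IMAGE="${IMAGE:-oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev}"
SBOM="${SBOM:-bom.json}"
# Identity constraints from the issue: any workflow in the stackabletech org,
# with the GitHub Actions OIDC provider as the certificate issuer.
CERT_ID_RE='^https://github.com/stackabletech/.+/.github/workflows/.+@.+'
OIDC_ISSUER='https://token.actions.githubusercontent.com'
# in-toto predicate type cosign records for --type cyclonedx
CYCLONEDX_PREDICATE='https://cyclonedx.org/bom'

# cosign 2.2.1 accepted the CycloneDX predicate only as JSON (XML failed in
# the tests reported above), so refuse anything else before calling cosign.
sbom_is_cyclonedx_json() {
  f="$1"
  [ -s "$f" ] || return 1
  # first non-whitespace byte must open a JSON object
  [ "$(tr -d '[:space:]' < "$f" | cut -c1)" = "{" ] || return 1
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"
}

attest_sbom() {
  sbom_is_cyclonedx_json "$SBOM" || {
    echo "refusing to attest: $SBOM is not a CycloneDX JSON SBOM" >&2
    return 1
  }
  # --yes skips the interactive prompts, which would hang a CI runner
  cosign attest --yes --predicate "$SBOM" --type cyclonedx "$IMAGE"
}

# Pull the in-toto predicateType out of one DSSE envelope (the JSON line
# `cosign verify-attestation` prints per matching attestation) read on stdin.
envelope_predicate_type() {
  sed -n 's/.*"payload"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1 \
    | base64 -d \
    | sed -n 's/.*"predicateType"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

verify_sbom_attestation() {
  envelope=$(cosign verify-attestation --type cyclonedx \
    --certificate-identity-regexp "$CERT_ID_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$IMAGE")
  # cosign has already checked signature, Rekor entry and certificate
  # identity; decoding the envelope confirms the statement we are about to
  # hand to downstream tooling is the SBOM predicate and not something else.
  ptype=$(printf '%s\n' "$envelope" | envelope_predicate_type)
  [ "$ptype" = "$CYCLONEDX_PREDICATE" ] || {
    echo "unexpected predicateType: ${ptype:-<none>}" >&2
    return 1
  }
  echo "verified CycloneDX attestation on $IMAGE"
}

# `sh sbom-attest.sh attest` in the build job, `sh sbom-attest.sh verify`
# anywhere the image is consumed; no argument runs nothing.
case "${1:-}" in
  attest) attest_sbom ;;
  verify) verify_sbom_attestation ;;
esac
```

The identity regexp accepts any workflow in the organisation; if only one workflow is meant to produce SBOM attestations, tightening it to that workflow path (and a fixed ref) is the cheaper check compared with inspecting the decoded statement afterwards.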