Sign SBOM images #37

norbjd · 2024-03-26T15:01:43Z

Sign SBOM images using SLSA generator (like we are signing other images). This ensures provenance of SBOM images.

Example:

IMAGE=ghcr.io/norbjd/k8s-pod-cpu-booster/webhook
TAG=202403261508-695a2eb
DIGEST=$(crane digest "$IMAGE:$TAG" | cut -d':' -f2)

# check the image (optional)
slsa-verifier verify-image "$IMAGE@sha256:$DIGEST" --source-uri github.com/norbjd/k8s-pod-cpu-booster

# check the SBOM image
SBOM_IMAGE=$IMAGE:sha256-$IMAGE_DIGEST.sbom
SBOM_IMAGE="${SBOM_IMAGE}@"$(crane digest "${SBOM_IMAGE}")
slsa-verifier verify-image "$SBOM_IMAGE" --source-uri github.com/norbjd/k8s-pod-cpu-booster

Result:

Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.10.0" at commit 695a2eb85489ad11f474a8de2834f4e6e7c62389
PASSED: Verified SLSA provenance

It would have been useful that ko puts the sbom image pushed in .digest file (--image-refs parameter). But it's not the case today so we have to deal with it.

See also this doc: https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/; signing SBOM seems something that could be done.

Sign sbom image

0064e56

norbjd self-assigned this Mar 26, 2024

norbjd added 3 commits March 26, 2024 16:04

Fix for PR

28cf929

Fix crane command

cd5aaa0

Last changes before merging to main

521765e

norbjd changed the title ~~Sign SBOM image~~ Sign SBOM images Mar 26, 2024

norbjd merged commit 02a110a into main Mar 26, 2024
6 checks passed

norbjd deleted the slsa-sbom branch March 26, 2024 15:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign SBOM images #37

Sign SBOM images #37

norbjd commented Mar 26, 2024 •

edited

Loading

Sign SBOM images #37

Sign SBOM images #37

Conversation

norbjd commented Mar 26, 2024 • edited Loading

norbjd commented Mar 26, 2024 •

edited

Loading