publish attestations for release container images #890

qrkourier · 2025-02-24T17:17:00Z

Verify the public attestation for an image:

gh attestation verify --owner openziti oci://docker.io/openziti/zrok:0.4.49

ref: https://cli.github.com/manual/gh_attestation_verify

Inspect the bundled SBOM:

docker buildx imagetools inspect openziti/zrok:0.4.49 \
    --format "{{ json .SBOM.SPDX }}"

ref: https://docs.docker.com/build/metadata/attestations/sbom/#inspecting-sboms

Inspect the bundled SLSA:

docker buildx imagetools inspect openziti/zrok:0.4.49 \
    --format "{{ json .Provenance.SLSA }}"

ref: https://docs.docker.com/build/metadata/attestations/slsa-provenance/#inspecting-provenance

bonus: extract the Dockerfile from the SLSA metadata:

 docker buildx imagetools inspect openziti/zrok:0.4.49 \
    --format '{{ range (index .Provenance.SLSA.metadata "https://mobyproject.org/buildkit@v1#metadata").source.infos }}{{ if eq .filename "Dockerfile" }}{{ .data }}{{ end }}{{ end }}' | base64 -d

qrkourier added this to the v1.0 milestone Feb 24, 2025

qrkourier self-assigned this Feb 24, 2025

qrkourier linked a pull request Feb 24, 2025 that will close this issue

publish attestations for release container images #896

Merged

qrkourier closed this as completed in #896 Feb 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

publish attestations for release container images #890

publish attestations for release container images #890

qrkourier commented Feb 24, 2025 •

edited

Loading

publish attestations for release container images #890

publish attestations for release container images #890

Comments

qrkourier commented Feb 24, 2025 • edited Loading

qrkourier commented Feb 24, 2025 •

edited

Loading