Push signatures first #966
Comments
The cosign version is also old: Line 53 in 1a3e90f
I'm not sure it's possible to sign the platform-specific images before they're pushed (I'm also not sure it's useful), but I think it might be possible to sign the multi-platform manifest list we all know and love before pushing it. That's done here: distroless/cloudbuild_docker.sh Line 15 in 1a3e90f
Between |
The next trick is going to be having a GCB step that has both |
Sgtm. What I really want to do is just stage every build and then |
Staging also sounds good, but we should sign the digests wherever we sign them 😅 |
This is fixed by rules_oci.
Generally whenever distroless publishes new images, we see a rash of CI failures (e.g. cosigned e2e tests) because the tagged images aren't signed.
Looking through, distroless is also unfortunately signing tags (bad!):
distroless/cloudbuild_cosign.sh, lines 12 to 48 in 3fe389d
This is part of why ko publishes SBOMs before publishing the images, although here it's tricky because of a lack of integration in the build tooling.

cc @loosebazooka @imjasonh @jonjohnsonjr @dlorenc
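As an added example of the "sign the digest, not the tag" point raised above (this is not code from the distroless or cosign projects): a POSIX shell guard for a CI signing step that refuses plain tag references and, assuming `crane` and `cosign` are on PATH, resolves a tag to the digest it currently points at before signing. The function names `is_digest_ref`, `strip_tag` and `sign_by_digest` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not distroless/cosign project code. A signature bound to a
# tag says nothing once the tag is re-pointed; a signature bound to a digest
# keeps verifying exactly the bytes that were reviewed.

# Returns 0 when the reference is pinned to an OCI digest
# (name@sha256:<64 lowercase hex>), 1 for tags, bare names or malformed digests.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;   # anything that is not lowercase hex
  esac
  return 0
}

# Drops a trailing :tag from a reference without touching a registry port
# (localhost:5000/image has a colon but no tag).
strip_tag() {
  tail="${1##*:}"
  case "$tail" in
    */*) printf '%s\n' "$1" ;;        # last colon is part of host:port
    *)   printf '%s\n' "${1%:*}" ;;   # last colon introduces a tag
  esac
}

# Signs only a digest-pinned reference. A tag is first resolved to the digest
# it points at right now (assumes `crane` and `cosign` are installed).
sign_by_digest() {
  ref="$1"
  if ! is_digest_ref "$ref"; then
    digest="$(crane digest "$ref")" || return 1
    ref="$(strip_tag "${ref%%@*}")@${digest}"
  fi
  is_digest_ref "$ref" || return 1
  cosign sign "$ref"
}
```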