Use SLSA attestations to attest to SBOMs #14438
Labels
Comments
|
Yep, I'd love to see this! |
|
I am interested in taking up this issue. Should the SBOM SLSA provenance replace the Cosign signature or are both wanted? Thanks! |
|
@34fathombelow do you have any preference? |
|
@enteraga6 You can replace the Cosign signature with an attestation. The attestation will have have its own signature. |
13 tasks
|
@34fathombelow Got it. PR is here #14507 |
crenshaw-dev
pushed a commit
that referenced
this issue
Jul 17, 2023
* Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]>
enteraga6
added a commit
to enteraga6/argo-cd
that referenced
this issue
Jul 17, 2023
…4507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
13 tasks
crenshaw-dev
pushed a commit
that referenced
this issue
Jul 18, 2023
#14559) * chore: Generate SLSA provenance for SBOM (#14438) (#14507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]> Signed-off-by: Noah Elzner <[email protected]> * change source tag in sbom verification command to v2.8.0 Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
Jneville0815
pushed a commit
to radiusmethod/argo-cd
that referenced
this issue
Jul 18, 2023
…4507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]> Signed-off-by: Jimmy Neville <[email protected]>
yyzxw
pushed a commit
to yyzxw/argo-cd
that referenced
this issue
Aug 9, 2023
…4507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]>
Closed
tesla59
pushed a commit
to tesla59/argo-cd
that referenced
this issue
Dec 16, 2023
…4507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <[email protected]> * upload SBOM Signed-off-by: Noah Elzner <[email protected]> * Remove cosign setup Signed-off-by: Noah Elzner <[email protected]> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <[email protected]> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <[email protected]> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <[email protected]> --------- Signed-off-by: Noah Elzner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Like other built artifacts, the SBOM can be attested to by SLSA attestations. (it's fairly common practice to attest to all built artifacts).
The project already attests to its binaries and container images via SLSA attestations, so should be easy to add the SBOMs.
I can send a PR updating the release workflow + documentation if you're interested.
The text was updated successfully, but these errors were encountered: