You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have some work in progress on my branch, but I'm not sure it even does the right thing and I am concerned the performance will be worse than the existing code.
For images, it should be possible to not degrade performance at all, if I properly understand how the manifests work.
For ImageIndex refs, the performance will be affected, since it requires an extra request, but if we support both all platforms and specific platforms, at least that'll enable folks to have an option with better performance too.
Description
Currently the verify-attestation command does not handle imagelists well.
The SUSE BCI images are multi-architecture, and so accessing registry.suse.com/bci/golang:latest gives you an image list, not a single image.
see https://codeengineered.com/blog/2022/bci-slsa-attestation/ blog from Matt Farina.
I know verify-blob-attestation or explicit sha256 blob tagging could work, but it is far from userfriendly.
The verify-attestation command should probably be enhanced to select the architecture, or check all of them?
The text was updated successfully, but these errors were encountered: