Use SLSA attestations to attest to SBOMs #14438
Yep, I'd love to see this!
I am interested in taking up this issue. Should the SBOM SLSA provenance replace the Cosign signature or are both wanted? Thanks!
@34fathombelow do you have any preference?
@enteraga6 You can replace the Cosign signature with an attestation. The attestation will have its own signature.
@34fathombelow Got it. PR is here #14507
crenshaw-dev pushed a commit that referenced this issue on Jul 17, 2023:
* Add provenance generation for sbom
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* upload SBOM
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove cosign setup
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* include hashes in generate-sbom output
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Replace Cosign Verification command with SLSA command in docs
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove id-token write permission - no longer needed
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
enteraga6 added a commit to enteraga6/argo-cd that referenced this issue on Jul 17, 2023:
…4507)
* Add provenance generation for sbom
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* upload SBOM
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove cosign setup
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* include hashes in generate-sbom output
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Replace Cosign Verification command with SLSA command in docs
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove id-token write permission - no longer needed
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>
crenshaw-dev pushed a commit that referenced this issue on Jul 18, 2023:
#14559)
* chore: Generate SLSA provenance for SBOM (#14438) (#14507)
  * Add provenance generation for sbom
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  * upload SBOM
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  * Remove cosign setup
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  * include hashes in generate-sbom output
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  * Replace Cosign Verification command with SLSA command in docs
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  * Remove id-token write permission - no longer needed
    Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  ---------
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
  Signed-off-by: Noah Elzner <elzner@google.com>
* change source tag in sbom verification command to v2.8.0
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>
Jneville0815 pushed a commit to radiusmethod/argo-cd that referenced this issue on Jul 18, 2023:
…4507)
* Add provenance generation for sbom
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* upload SBOM
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove cosign setup
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* include hashes in generate-sbom output
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Replace Cosign Verification command with SLSA command in docs
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove id-token write permission - no longer needed
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Jimmy Neville <jimmyeneville@gmail.com>
yyzxw pushed a commit to yyzxw/argo-cd that referenced this issue on Aug 9, 2023:
…4507)
* Add provenance generation for sbom
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* upload SBOM
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove cosign setup
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* include hashes in generate-sbom output
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Replace Cosign Verification command with SLSA command in docs
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove id-token write permission - no longer needed
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Closed
tesla59 pushed a commit to tesla59/argo-cd that referenced this issue on Dec 16, 2023:
…4507)
* Add provenance generation for sbom
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* upload SBOM
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove cosign setup
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* include hashes in generate-sbom output
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Replace Cosign Verification command with SLSA command in docs
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
* Remove id-token write permission - no longer needed
  Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
---------
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Like other built artifacts, the SBOM can be attested to by SLSA attestations (it's fairly common practice to attest to all built artifacts).
The project already attests to its binaries and container images via SLSA attestations, so it should be easy to add the SBOMs.
I can send a PR updating the release workflow + documentation if you're interested.
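The thread above replaces the SBOM's Cosign signature with a SLSA provenance attestation that carries its own signature, and the linked PR swaps the Cosign verification command in the docs for a SLSA one. The block below is an added example, not argo-cd's code and not slsa-verifier's implementation: it shows the DSSE pre-authentication encoding that the attestation signature actually covers, and the structural checks a verifier applies once that signature has been verified (payload type, in-toto statement type, SLSA predicate, SBOM digest among the subjects, builder identity, source repository and tag). The envelope, SBOM bytes, subject name `sbom.tar.gz`, builder version and `configSource` URI are constructed sample values; the builder id prefix and SLSA v0.2 field layout follow what slsa-github-generator emits, but treat the exact values as assumptions rather than real release data.

```python
# Added example (not argo-cd's own code): the structural checks a verifier applies to a
# SLSA provenance attestation for a release SBOM after the DSSE signature is verified.
# All sample values below are constructed placeholders, not real argo-cd release data.
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_TYPES = {"https://slsa.dev/provenance/v0.2", "https://slsa.dev/provenance/v1"}

# Constructed sample inputs (assumed names and values).
SAMPLE_SBOM = b'{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}\n'
SAMPLE_SOURCE = "git+https://github.com/argoproj/argo-cd@refs/tags/v2.8.0"
GENERATOR_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the envelope signature covers.
    Signing the PAE instead of the raw payload binds the payload type into the signature."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def make_sample_envelope(sbom: bytes = SAMPLE_SBOM) -> dict:
    """Build a DSSE envelope around a constructed SLSA v0.2 provenance statement whose
    single subject is the SBOM. The signature field is a labelled placeholder."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "sbom.tar.gz", "digest": {"sha256": hashlib.sha256(sbom).hexdigest()}}],
        "predicate": {
            # Builder id format of slsa-github-generator; the version tag is constructed.
            "builder": {"id": GENERATOR_PREFIX + ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0"},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {"configSource": {"uri": SAMPLE_SOURCE, "entryPoint": ".github/workflows/release.yaml"}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],  # constructed; never verified here
    }


def check_sbom_provenance(envelope: dict, sbom: bytes, expected_source: str, expected_builder_prefix: str) -> dict:
    """Return the subject entry matching `sbom` after checking envelope type, statement type,
    SLSA predicate, subject digest, builder identity and source repository/tag.
    Raises ValueError on the first mismatch. Signature verification is out of scope here:
    slsa-verifier checks the DSSE signature against the Sigstore log first, and these
    structural checks only mean something once that has passed."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signature")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != STATEMENT_TYPE:
        raise ValueError("payload is not an in-toto statement")
    if statement.get("predicateType") not in SLSA_PREDICATE_TYPES:
        raise ValueError("predicate is not SLSA provenance")
    # The subject digest binds the attestation to these exact SBOM bytes.
    digest = hashlib.sha256(sbom).hexdigest()
    subject = next((s for s in statement.get("subject", []) if s.get("digest", {}).get("sha256") == digest), None)
    if subject is None:
        raise ValueError("SBOM digest is not among the attested subjects")
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(expected_builder_prefix):
        raise ValueError(f"unexpected builder: {builder_id!r}")
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if source != expected_source:
        raise ValueError(f"unexpected source: {source!r}")
    return subject


def sbom_matches_provenance(envelope: dict, sbom: bytes, expected_source: str = SAMPLE_SOURCE,
                            expected_builder_prefix: str = GENERATOR_PREFIX) -> bool:
    """Boolean wrapper around check_sbom_provenance for policy-style pass/fail use."""
    try:
        check_sbom_provenance(envelope, sbom, expected_source, expected_builder_prefix)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    env = make_sample_envelope()
    print(pae(env["payloadType"], base64.b64decode(env["payload"]))[:48])
    print(check_sbom_provenance(env, SAMPLE_SBOM, SAMPLE_SOURCE, GENERATOR_PREFIX))
    print(sbom_matches_provenance(env, SAMPLE_SBOM + b"tampered"))  # a modified SBOM no longer matches
```

The digest check is why the PR also had to "include hashes in generate-sbom output": the provenance generator attests to the subject hashes it is handed, so the SBOM must be hashed at build time and the downloaded file re-hashed at verification time. Pinning the builder id prefix and the source URI (repository plus tag, which is what the docs' `--source-tag v2.8.0` expresses) is what stops a validly signed attestation from a different repository or workflow from being accepted for this SBOM.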