
Publish SBOMs #154

Open
SgtCoDFish opened this issue May 28, 2024 · 2 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@SgtCoDFish
Member

I can see that SBOMs are generated by make oci-build-manager in trust-manager. It looks like these would be helpful to publish in releases, and it shouldn't be hard to add them to github releases.

I'd actually assumed we were publishing these but it doesn't seem like we are!

For example, on the v0.10.0 tag of trust-manager:

$ ls _bin/scratch/image/oci-layout-manager.v0.10.0.sbom
trust-manager-index.spdx.json
trust-manager-linux-amd64.spdx.json
trust-manager-linux-arm-v7.spdx.json
trust-manager-linux-arm64.spdx.json
trust-manager-linux-ppc64le.spdx.json
@SgtCoDFish SgtCoDFish added kind/feature Categorizes issue or PR as related to a new feature. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. labels May 28, 2024
@inteon
Member

inteon commented Jun 5, 2024

I can confirm: we have not yet implemented sbom pushing.
Important to consider here:

  • figure out a strategy for re-pushing the same tag (reproducible builds + sboms)
  • make sure the SBOMs are still usable after the image was mutated (e.g. an extra layer was added)
  • verify that the SBOM also refers to the base image's SBOM and that that SBOM is retrievable

@wallrj
Member

wallrj commented Jul 26, 2024

Maybe related, I just noticed the following warning when doing an approver-policy-enterprise release:

WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations.
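As an added example (not code from trust-manager or from any of the commenters), a defender-side check for two of the items in inteon's list above: that an SPDX SBOM is bound to the exact image digest, so it stops matching once the image is mutated or re-tagged, and that it cross-references a base-image SBOM with a checksum that makes it verifiable once retrieved. The SBOM below is a constructed sample; in practice the document would be the predicate pulled out of the cosign SBOM attestation that the warning recommends.

```python
import json
from urllib.parse import unquote

# Constructed sample (not a real trust-manager SBOM): a minimal SPDX 2.3 document
# describing one image package pinned to a digest and cross-referencing the base
# image's SBOM through externalDocumentRefs.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "trust-manager-linux-amd64",
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-base",
        "spdxDocument": "https://example.invalid/spdx/base-image.spdx.json",
        "checksum": {"algorithm": "SHA256", "checksumValue": "a" * 64},
    }],
    "packages": [{
        "SPDXID": "SPDXRef-image", "name": "trust-manager",
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                          "referenceLocator": "pkg:oci/trust-manager@sha256%3A" + "b" * 64 + "?arch=amd64"}],
    }],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-image"},
        {"spdxElementId": "SPDXRef-image", "relationshipType": "DESCENDANT_OF",
         "relatedSpdxElement": "DocumentRef-base:SPDXRef-DOCUMENT"},
    ],
})

def described_digests(doc):
    """Digests of the OCI artifacts the document DESCRIBES, read from their oci purls."""
    described = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
                 if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"}
    digests = set()
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] in described:
            for ref in pkg.get("externalRefs", []):
                loc = ref.get("referenceLocator", "")
                if ref.get("referenceType") == "purl" and loc.startswith("pkg:oci/") and "@" in loc:
                    digests.add(unquote(loc.split("@", 1)[1].split("?", 1)[0]))  # "sha256%3A.." -> "sha256:.."
    return digests

def check_sbom(sbom_json, image_digest):
    """Return a list of problems; empty means the SBOM is bound to this digest and its base refs are sound."""
    doc = json.loads(sbom_json)
    problems = []
    if image_digest not in described_digests(doc):
        problems.append(f"SBOM does not describe {image_digest}; image may have been mutated or re-tagged")
    ext = {r["externalDocumentId"]: r for r in doc.get("externalDocumentRefs", [])}
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DESCENDANT_OF" and r["relatedSpdxElement"].startswith("DocumentRef-"):
            doc_id = r["relatedSpdxElement"].split(":", 1)[0]
            if doc_id not in ext:
                problems.append(f"base image relationship points at unknown document {doc_id}")
            elif not ext[doc_id].get("checksum", {}).get("checksumValue"):
                problems.append(f"base image SBOM {ext[doc_id]['spdxDocument']} has no checksum to verify against")
    if not ext:
        problems.append("no base image SBOM referenced")
    return problems
```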
