How to add a provenance file to a docker image about slsa-provenance-action HOT 8 CLOSED

Hello, @Brend-Smits, the cosign has the support of uploading attestation files to the OCI Registry signing them.

$ cosign attest --key cosign.key --predicate <path> <image-uri>

Thomas Meadows asked that question in cosign's Slack channel.

Hey all! I am currently in the process of configuring https://github.com/philips-labs/slsa-provenance-action in a GitHub action to generate an attestation. I want to then take that created json and push it as an OCI manifest (.att) to the image repository against the image using cosign. How would I go about doing this?

I want to take care of this one, but I have a couple of questions first:

• Do we want to sign the provenance files while uploading them to the OCI Registry?
• Which method do you prefer for using cosign, as an executable or a Go module?

from slsa-provenance-action.

Thanks for the input here @developer-guy! I think signing the provenance files while uploading them would be very helpful? Unless anyone can think of a reason why we would want to avoid it.

from slsa-provenance-action.

yes, it'd be helpful no doubt. Also, we can do it with a keyless approach which leads us to the second item in the list, do we want to use cosign as an executable over os.Exec package, or a Go module?

from slsa-provenance-action.

I've started another issue on cosign

• sigstore/cosign#1202

from slsa-provenance-action.

My only reservation with keyless is that it doesn't provide an option for private repositories. I guess though that this is in the minority of cases.

from slsa-provenance-action.

Resolved by #88

from slsa-provenance-action.

Correction we might still want to integrate this in the binary so no additional step is required.

from slsa-provenance-action.

Created a new dedicated issue to work on having a more native integration for docker images #129

from slsa-provenance-action.