[PATCH 1/1] ci: drop buildkit provenance attestations


Felix Moessbauer

May 15, 2024, 6:06:23 PM
to kas-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
The buildkit internal provenance v0.2 attestations are non-reproducible
(by design), but are added to the manifest index. Because of that, the digest
of the container tag (which tags the index manifest) is not reproducible.

As we now have the better external (and signed) provenance v1
attestations, which describe the whole GitHub Action execution and point to
the index manifest, we now solely use those. This is a more standard
approach to attesting builds, using a sigstore bundle (which uses the OCI
registry v2 referrer mechanism).

With this patch, the digest of our tagged containers should finally be
reproducible across all (identical) kas forks.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
.github/workflows/master.yml | 2 +-
.github/workflows/next.yml | 2 +-
.github/workflows/release.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 797ec44ef..206de997e 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -48,7 +48,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
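Review bot: the switch from `mode=max,reproducible=true` to `provenance: false` on the `provenance:` line is unexplained in master.yml itself, so a later reader will read it as a downgrade and is likely to turn it back on. Please add a YAML comment above `provenance: false` stating that the buildkit attestation manifest it would add to the index is non-reproducible and that the signed v1 attestation published as a referrer replaces it; it is also worth noting there that `rewrite-timestamp=true` in `outputs:` together with `SOURCE_DATE_EPOCH` is what keeps the layer content itself reproducible, so those two must stay.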
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index 7d4f2d544..b30644171 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
@@ -109,7 +109,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
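Review bot: this is the same one-line change as in master.yml and release.yml, and the three build steps are evidently kept in sync by hand; without a comment next to `provenance: false` in each file, a later edit to one workflow can silently reintroduce the attestation manifest on `:next` while the other tags stay reproducible. Consider either a shared comment in all three or factoring the build step into one reusable workflow. Note also that with `provenance: false` the index no longer carries an attestation descriptor at all, so anyone who currently reads provenance out of the image via `docker buildx imagetools inspect` gets nothing and has to move to the external attestation.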
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36115fecf..97164e3f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,7 +38,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
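Review bot: for release.yml the reproducibility promised in the commit message is only checkable if the external v1 attestation is produced after this push and names the index digest that the tags in `tags: |` resolve to; that step is not part of this hunk, so please confirm it runs after the build step and targets the index rather than a per-platform manifest, and consider documenting the verification command for consumers, since after this change the image itself carries no record of its build.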
--
2.39.2
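To make the commit message's point concrete: the digest a tag resolves to is the hash of the index manifest bytes, and buildkit's in-image provenance appears there as an extra descriptor (platform `unknown/unknown`, annotated `vnd.docker.reference.type: attestation-manifest`) whose digest changes per run. The following is an added example, not kas code or part of the patch; the image and attestation digests are constructed placeholders, and the index is re-serialised canonically here rather than hashed as raw registry bytes.

```python
import hashlib
import json

# Constructed placeholder digests (not real kas artefacts): the image manifest is
# identical across two CI runs, the buildkit attestation manifest is not.
IMAGE_DIGEST = "sha256:" + "11" * 32
ATTESTATION_DIGEST_RUN1 = "sha256:" + "aa" * 32
ATTESTATION_DIGEST_RUN2 = "sha256:" + "bb" * 32

# Annotation buildkit sets on the descriptor of its attestation manifest.
ATTESTATION_TYPE = "vnd.docker.reference.type"


def image_entry(digest=IMAGE_DIGEST):
    """Descriptor of the real (linux/amd64) image manifest inside the index."""
    return {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": digest,
        "size": 1234,
        "platform": {"architecture": "amd64", "os": "linux"},
    }


def attestation_entry(digest, subject=IMAGE_DIGEST):
    """Descriptor buildkit adds for in-image provenance (platform unknown/unknown)."""
    return {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": digest,
        "size": 566,
        "platform": {"architecture": "unknown", "os": "unknown"},
        "annotations": {
            "vnd.docker.reference.digest": subject,
            ATTESTATION_TYPE: "attestation-manifest",
        },
    }


def build_index(manifests):
    """An OCI image index listing the given descriptors."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": manifests,
    }


def index_digest(index):
    """Digest a tag resolves to: sha256 over the index manifest bytes.

    Here the bytes are a canonical re-serialisation; against a registry, hash the
    raw bytes from `docker buildx imagetools inspect --raw <ref>` instead."""
    raw = json.dumps(index, separators=(",", ":"), sort_keys=True).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def attestation_entries(index):
    """All descriptors in the index that are buildkit attestation manifests."""
    return [
        m for m in index["manifests"]
        if m.get("annotations", {}).get(ATTESTATION_TYPE) == "attestation-manifest"
    ]


def strip_attestations(index):
    """The index as it looks once the build runs with `provenance: false`."""
    drop = attestation_entries(index)
    return build_index([m for m in index["manifests"] if m not in drop])


def compare_runs():
    """Simulate two CI runs (e.g. two identical forks) with and without provenance."""
    run1 = build_index([image_entry(), attestation_entry(ATTESTATION_DIGEST_RUN1)])
    run2 = build_index([image_entry(), attestation_entry(ATTESTATION_DIGEST_RUN2)])
    return {
        "with_provenance_same": index_digest(run1) == index_digest(run2),
        "without_provenance_same":
            index_digest(strip_attestations(run1)) == index_digest(strip_attestations(run2)),
        "attestations_before": len(attestation_entries(run1)),
        "attestations_after": len(attestation_entries(strip_attestations(run1))),
    }


if __name__ == "__main__":
    print(compare_runs())
```

Against a real registry, pull the index with `docker buildx imagetools inspect --raw ghcr.io/<owner>/kas/<image>:next`, hash the exact bytes returned, and check that `attestation_entries` on the parsed JSON is empty; if an `unknown/unknown` descriptor is present, the in-image provenance is still being produced and the tag digest will differ between otherwise identical forks.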

Jan Kiszka

May 16, 2024, 1:08:35 AM
to Felix Moessbauer, kas-...@googlegroups.com
Thanks, applied.

Jan

--
Siemens AG, Technology
Linux Expert Center

MOESSBAUER, Felix

May 16, 2024, 3:31:41 AM
to Kiszka, Jan, kas-...@googlegroups.com
Hi, did you also push? On GH, I can't find that patch on next.

Felix

MOESSBAUER, Felix

May 16, 2024, 4:52:09 AM
to Kiszka, Jan, kas-...@googlegroups.com
On Thu, 2024-05-16 at 07:08 +0200, Jan Kiszka wrote:
> On 16.05.24 00:06, Felix Moessbauer wrote:
> > The buildkit internal provenance v0.2 attestations are non-reproducible
> > (by design), but are added to the manifest index. Because of that, the digest
> > of the container tag (which tags the index manifest) is not reproducible.
> >
> > As we now have the better external (and signed) provenance v1
> > attestations, which describe the whole GitHub Action execution and point to
> > the index manifest, we now solely use those. This is a more standard
> > approach to attesting builds, using a sigstore bundle (which uses the OCI
> > registry v2 referrer mechanism).
> >
> > With this patch, the digest of our tagged containers should finally be
> > reproducible across all (identical) kas forks.

As we now have that commit on gh/siemens/kas and gh/fmoessbauer/kas, the
GH Actions CI reproduced exactly the same digest for the next tag:
sha256:13dfe98e5fe8631eeca52a456f1280fcaafb9d42ec9681a4cde8acddf9026c8d

Felix