Skip to content

Sign buildpacksio/pack images using cosign and attach sbom generated from binaries#2287

Open
adwait-godbole wants to merge 3 commits intobuildpacks:mainfrom
adwait-godbole:sign-images-along-with-sbom
Open

Sign buildpacksio/pack images using cosign and attach sbom generated from binaries#2287
adwait-godbole wants to merge 3 commits intobuildpacks:mainfrom
adwait-godbole:sign-images-along-with-sbom

Conversation

@adwait-godbole
Copy link

@adwait-godbole adwait-godbole commented Nov 18, 2024

Fixes #2193

Generate JSON SBOM for release binaries just like how lifecycle is doing right now and use cosign for signing, attaching SBOM and verifying container images.

@adwait-godbole adwait-godbole requested review from a team as code owners November 18, 2024 15:53
@github-actions github-actions bot added this to the 0.36.0 milestone Nov 18, 2024
@github-actions github-actions bot added the type/chore Issue that requests non-user facing changes. label Nov 18, 2024
@adwait-godbole
generate SBOM for binaries and container images and use cosign for si…
d25b270 
…gning images

Signed-off-by: adwait-godbole <adwaitngodbole@gmail.com>
@adwait-godbole adwait-godbole force-pushed the sign-images-along-with-sbom branch from 209b788 to d25b270 Compare November 18, 2024 15:55
@adwait-godbole adwait-godbole changed the title generate SBOM for binaries and container images and use cosign for si… Generate SBOM for binaries and container images and use cosign for si… Nov 18, 2024
@adwait-godbole adwait-godbole changed the title Generate SBOM for binaries and container images and use cosign for si… Generate SBOM for binaries and container images and use cosign for si… Nov 18, 2024
@adwait-godbole
job splitting and function renaming
bc968c5 
Signed-off-by: adwait-godbole <adwaitngodbole@gmail.com>
@adwait-godbole
fix architectures env sequence
f467196 
Signed-off-by: adwait-godbole <adwaitngodbole@gmail.com>
@adwait-godbole adwait-godbole changed the title Generate SBOM for binaries and container images and use cosign for si… Sign buildpacksio/pack images using cosign and attach sbom generated from binaries Nov 18, 2024
@adwait-godbole
Copy link
Author

adwait-godbole commented Nov 19, 2024

Hi @jjbustamante , @natalieparellano, before you go ahead with reviewing this PR, I had a query to clear off my head. Since we are doing a multi-platform image build using buildx, should the cosign sign and cosign attest (for sbom) be done individually for every platform arch image manifest digest or the entire multi-platform index digest as a whole?

@natalieparellano
Copy link
Member

natalieparellano commented Nov 26, 2024

@adwait-godbole thank you for this. I'd recommend we do this similarly to how we do it in the lifecycle, you can find the workflow file here: https://github.com/buildpacks/lifecycle/blob/main/.github/workflows/build.yml

The sbom that we attach to the release on GitHub is from linux-amd64. But the sbom that we embed within the lifecycle image is for the particular os/arch that we're shipping (see here). But, since we don't have the concept of sbom-within-the-image for pack, we can probably skip over this.

@jjbustamante jjbustamante modified the milestones: 0.36.0, 0.37.0 Nov 27, 2024
@jjbustamante jjbustamante modified the milestones: 0.37.0, 0.38.0 Mar 14, 2025
@jjbustamante jjbustamante modified the milestones: 0.38.0, 0.39.0 Jun 3, 2025
@jjbustamante jjbustamante modified the milestones: 0.39.0, 0.40.0 Nov 23, 2025
@jjbustamante jjbustamante modified the milestones: 0.40.0, 0.41.0 Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type/chore Issue that requests non-user facing changes.

Projects

None yet

Milestone

0.41.0

Development

Successfully merging this pull request may close these issues.

buildpacksio/pack images should be signed

3 participants

@adwait-godbole @natalieparellano @jjbustamante