You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Per my understanding, the use of SBOMs was deprecated and should be replaced by attestations. However, the verification of multiarch image attestations can be highly misleading for the end user. Comparison:
SBOMs:
cosign download sbom registry/repo/image:tag
This multiarch image does not have an SBOM attached at the index level.
Try using --platform with one of the following architectures:
linux/amd64, linux/arm64, linux/ppc64le
Error: no SBOM found attached to image index
attestations:
cosign verify-attestation registry/repo/image:tag
Error: no matching attestations:
I see two issues with this:
The user is not notified that attestations exist for the arch images
The user cannot specify the architecture whose attestation they want to get (with SBOMs this was possible with --platform argument)
The only way to get a multiarch image attestation is to specify the image via digest (if that even occurs to a user, since no hint was given). I don't think it's reasonable to expect this from the end users.
The text was updated successfully, but these errors were encountered:
@querti, last time I checked, there isn't a lot of guidance on what to do with Image Indexes, aka multi-arch images. I've explored this in the past and one of the approaches that seems reasonable is to attach multiple SBOMs to the Image Index.
Signing and attesting both Image Indexes and Image Manifests seems to be the most compatible option since an Image Index is eventually resolved to an Image Manifest upon usage. This allows verification at different points, for example.
It is probably a good idea to improve the error message when a signature/attestation is not found and the image reference is to an Image Index, like the download sbom command does. That sounds like useful information to users.
Per my understanding, the use of SBOMs was deprecated and should be replaced by attestations. However, the verification of multiarch image attestations can be highly misleading for the end user. Comparison:
SBOMs:
attestations:
I see two issues with this:
The only way to get a multiarch image attestation is to specify the image via digest (if that even occurs to a user, since no hint was given). I don't think it's reasonable to expect this from the end users.
The text was updated successfully, but these errors were encountered: