svrnty/docker-base-distro
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 13 Wiki Activity

Fix provenance: pass only predicate to cosign, not full in-toto statement
Some checks failed
Build and Push Base Distro Images / build-and-push (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Has been cancelled
Details
Build and Push Base Distro Images / build-and-push (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Has been cancelled
Details
Build and Push Base Distro Images / build-and-push (apko/flutter-sdk.yaml, flutter-sdk) (push) Has been cancelled
Details
Build and Push Base Distro Images / build-and-push (apko/base.yaml, base) (push) Has been cancelled
Details
Build and Push Base Distro Images / build-and-push (apko/build.yaml, build) (push) Has been cancelled
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Has been cancelled
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Has been cancelled
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/flutter-sdk.yaml, flutter-sdk) (push) Has been cancelled
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/build.yaml, build) (push) Has been cancelled
Details
Weekly Rebuild (CVE Updates) / rebuild (apko/base.yaml, base) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Check .NET stable releases (push) Successful in 1s
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/base.yaml, base) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/build.yaml, build) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-runtime.yaml, dotnet-runtime) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/dotnet-sdk.yaml, dotnet-sdk) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Rebuild and push all variants (apko/flutter-sdk.yaml, flutter-sdk) (push) Has been cancelled
Details
Check for Upstream Stable Updates / Create release for new Flutter version (push) Has been cancelled
Details
Check for Upstream Stable Updates / Check Wolfi package updates (push) Has been cancelled
Details
Check for Upstream Stable Updates / Check Flutter stable releases (push) Has been cancelled
Details

Browse Source 
cosign attest --type slsaprovenance expects the predicate JSON only
(builder, buildType, invocation, metadata). It wraps it in the
in-toto statement envelope itself. Passing the full statement caused
cosign to look for builder at the wrong nesting level.

Ref: https://github.com/sigstore/cosign/issues/3757

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-02 10:21:39 -05:00
parent b3372fce38
commit 510bfa01b9
3 changed files with 24 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitea/workflows/publish.yaml
View File

@ -150,12 +150,7 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
jq -n \ jq -n \
--arg type "https://in-toto.io/Statement/v0.1" \
--arg predType "https://slsa.dev/provenance/v0.2" \
--arg name "${{ steps.publish.outputs.image_versioned }}" \
--arg sha "$DIGEST_SHA" \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \ --arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \ --arg uri "${{ github.server_url }}/${{ github.repository }}" \
@ -163,10 +158,6 @@ jobs:
--arg entry "${{ matrix.config }}" \ --arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \ --arg runId "${{ github.run_id }}" \
'{ '{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder}, "builder": {"id": $builder},
"buildType": $buildType, "buildType": $buildType,
"invocation": { "invocation": {
@ -176,7 +167,6 @@ jobs:
"buildInvocationID": $runId, "buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true} "completeness": {"parameters": true, "environment": true, "materials": true}
} }
}
}' > /tmp/provenance.json }' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"

10
.gitea/workflows/rebuild.yaml
View File

@ -149,12 +149,7 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
jq -n \ jq -n \
--arg type "https://in-toto.io/Statement/v0.1" \
--arg predType "https://slsa.dev/provenance/v0.2" \
--arg name "${{ steps.publish.outputs.image_versioned }}" \
--arg sha "$DIGEST_SHA" \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \ --arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \ --arg uri "${{ github.server_url }}/${{ github.repository }}" \
@ -162,10 +157,6 @@ jobs:
--arg entry "${{ matrix.config }}" \ --arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \ --arg runId "${{ github.run_id }}" \
'{ '{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder}, "builder": {"id": $builder},
"buildType": $buildType, "buildType": $buildType,
"invocation": { "invocation": {
@ -175,7 +166,6 @@ jobs:
"buildInvocationID": $runId, "buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true} "completeness": {"parameters": true, "environment": true, "materials": true}
} }
}
}' > /tmp/provenance.json }' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"

10
.gitea/workflows/update-check.yaml
View File

@ -231,12 +231,7 @@ jobs:
COSIGN_YES: "true" COSIGN_YES: "true"
run: | run: |
IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}" IMAGE_DIGEST="${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}@${{ steps.publish.outputs.digest }}"
DIGEST_SHA=$(echo '${{ steps.publish.outputs.digest }}' | sed 's/sha256://')
jq -n \ jq -n \
--arg type "https://in-toto.io/Statement/v0.1" \
--arg predType "https://slsa.dev/provenance/v0.2" \
--arg name "${{ steps.publish.outputs.image_versioned }}" \
--arg sha "$DIGEST_SHA" \
--arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ --arg builder "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
--arg buildType "https://apko.dev/build/v1" \ --arg buildType "https://apko.dev/build/v1" \
--arg uri "${{ github.server_url }}/${{ github.repository }}" \ --arg uri "${{ github.server_url }}/${{ github.repository }}" \
@ -244,10 +239,6 @@ jobs:
--arg entry "${{ matrix.config }}" \ --arg entry "${{ matrix.config }}" \
--arg runId "${{ github.run_id }}" \ --arg runId "${{ github.run_id }}" \
'{ '{
"_type": $type,
"predicateType": $predType,
"subject": [{"name": $name, "digest": {"sha256": $sha}}],
"predicate": {
"builder": {"id": $builder}, "builder": {"id": $builder},
"buildType": $buildType, "buildType": $buildType,
"invocation": { "invocation": {
@ -257,7 +248,6 @@ jobs:
"buildInvocationID": $runId, "buildInvocationID": $runId,
"completeness": {"parameters": true, "environment": true, "materials": true} "completeness": {"parameters": true, "environment": true, "materials": true}
} }
}
}' > /tmp/provenance.json }' > /tmp/provenance.json
cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}" cosign attest --predicate /tmp/provenance.json --type slsaprovenance "${IMAGE_DIGEST}"
echo "Provenance attestation attached successfully" echo "Provenance attestation attached successfully"