Replace cosign with buildx attestations for Docker Scout compliance

Docker Scout requires buildx-style provenance+SBOM, not cosign
attestations. Replace crane push with docker load + buildx build
(--provenance=mode=max --sbom=true) for the installer image. Use
buildx imagetools create for the release tag to preserve attestations.
Remove cosign/syft from CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -30,7 +30,7 @@ jobs:
 
       - name: Install build dependencies
         run: |
-          for pkg in make gnu-sed crane cosign syft; do
+          for pkg in make gnu-sed crane; do
             brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
           done
           gmake --version | head -1
@@ -63,15 +63,8 @@ jobs:
       - name: Build installer and disk image
         run: gmake installer
 
-      - name: Attest installer image
-        env:
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        run: gmake attest COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
-
       - name: Tag release images
-        env:
+        run: gmake release TAG=${{ steps.version.outputs.tag }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        run: gmake release TAG=${{ steps.version.outputs.tag }} COSIGN_KEY=<(echo "${{ secrets.COSIGN_PRIVATE_KEY }}")
 
       - name: Compress disk image
         run: |

Makefile

@@ -74,7 +74,6 @@ help:
 	@echo "  overlay    — Build SBC overlay (U-Boot, firmware, DTBs)"
 	@echo "  installer  — Build Talos installer image + raw disk image"
 	@echo "  release    — Tag and push release images"
-	@echo "  attest     — Attach SBOM attestation to installer image"
 	@echo "  clean      — Remove checkouts and build artifacts"
 	@echo ""
 	@echo "Variables:"
@@ -180,7 +179,11 @@ installer:
 			installer --arch arm64 \
 			--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
 			$(IMAGER_COMMON_FLAGS) && \
-		crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
+		LOADED=$$(docker load -i ./_out/installer-arm64.tar | sed 's/Loaded image: //') && \
+		printf "FROM $$LOADED\n" | docker buildx build \
+			--platform linux/arm64 \
+			$(ATTESTATION_ARGS) \
+			-t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
 		docker \
 			run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \
@@ -188,32 +191,14 @@ installer:
 			--base-installer-image="$(INSTALLER_IMAGE):$(TALOS_TAG)" \
 			$(IMAGER_COMMON_FLAGS)
 
-#
-# Attestation — attach SBOM to crane-pushed images
-#
-COSIGN_KEY ?= cosign.key
-
-.PHONY: attest
-attest:
-	syft $(INSTALLER_IMAGE):$(TALOS_TAG) \
-		--platform linux/arm64 \
-		-o spdx-json=_out/installer-sbom.spdx.json
-	cosign attest --predicate _out/installer-sbom.spdx.json \
-		--type spdxjson \
-		--key $(COSIGN_KEY) \
-		$(INSTALLER_IMAGE):$(TALOS_TAG)
-
 #
 # Release — tag images with the Git tag for stable references
 #
 .PHONY: release
 release:
-	crane copy $(INSTALLER_IMAGE):$(TALOS_TAG) \
+	docker buildx imagetools create \
-		$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
+		-t $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) \
-	cosign attest --predicate _out/installer-sbom.spdx.json \
+		$(INSTALLER_IMAGE):$(TALOS_TAG)
-		--type spdxjson \
-		--key $(COSIGN_KEY) \
-		$(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
 
 #
 # Clean

TECHNICAL.md

@@ -36,8 +36,6 @@ A weekly scheduled workflow checks for new Talos and RPi kernel releases and cre
 |--------|-------------|
 | `REGISTRY_USERNAME` | Docker Hub username (org-level) |
 | `REGISTRY_PASSWORD` | Docker Hub access token (org-level) |
-| `COSIGN_PRIVATE_KEY` | PEM-encoded cosign signing key (org-level) |
-| `COSIGN_PASSWORD` | Password for the cosign private key (org-level) |
 
 ## Runner Setup (Apple Silicon Mac Mini)