New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add moby/buildkit #21500
feat: add moby/buildkit #21500
Conversation
[moby/buildkit](https://github.com/moby/buildkit): concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
This is because |
ah, I see. Thank you for teaching me! |
darwin has only
Windows
|
*.provenance.json have been released. |
Yes.
The Of course it may be possible to run it, but I don't think aqua supports many daemon-type tools for use on Linux. (Like WebServer, Database...) |
It didn't work well. slsa_provenance:
type: github_release
asset: buildkit-{{.Version}}.{{.OS}}-{{.Arch}}.provenance.json
|
I see. It makes sense. Thank you. |
$ slsa-verifier version
____ _ ____ _ __ __ _____ ____ ___ _____ ___ _____ ____
/ ___| | | / ___| / \ \ \ / / | ____| | _ \ |_ _| | ___| |_ _| | ____| | _ \
\___ \ | | \___ \ / _ \ _____ \ \ / / | _| | |_) | | | | |_ | | | _| | |_) |
___) | | |___ ___) | / ___ \ |_____| \ V / | |___ | _ < | | | _| | | | |___ | _ <
|____/ |_____| |____/ /_/ \_\ \_/ |_____| |_| \_\ |___| |_| |___| |_____| |_| \_\
slsa-verifier: Verify SLSA provenance for Github Actions
GitVersion: 2.5.1
GitCommit: eb7007070baa04976cb9e25a0d8034f8db030a86
GitTreeState: clean
BuildDate: 2024-03-25T14:54:53
GoVersion: go1.21.8
Compiler: gc
Platform: darwin/arm64 $ slsa-verifier verify-artifact \
--provenance-path buildkit-v0.13.1.darwin-arm64.provenance.json \
--source-uri github.com/moby/buildkit \
buildkit-v0.13.1.darwin-arm64.tar.gz
No certificate provided, trying Redis search index to find entries by subject digest
Verifying artifact buildkit-v0.13.1.darwin-arm64.tar.gz: FAILED: error searching rekor entries: no matching entries found
FAILED: SLSA verification failed: error searching rekor entries: no matching entries found $ slsa-verifier verify-artifact --help
Verifies SLSA provenance on artifact blobs given as arguments (assuming same provenance)
Usage:
slsa-verifier verify-artifact [flags] artifact [artifact..]
Flags:
--build-workflow-input map[] [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
--builder-id string [optional] the unique builder ID who created the provenance
-h, --help help for verify-artifact
--print-provenance [optional] print the verified provenance to stdout
--provenance-path string path to a provenance file
--provenance-repository string image repository for provenance with format: <registry>/<repository>
--source-branch string [optional] expected branch the binary was compiled from
--source-tag string [optional] expected tag the binary was compiled from
--source-uri string expected source repository that should have produced the binary, e.g. github.com/some/repo
--source-versioned-tag string [optional] expected version the binary was compiled from. Uses semantic version to match the tag |
Hmm. We give up verifying provenance for now. |
v4.157.0 is out 🎉 |
About provenance, I opened a discussion. |
moby/buildkit: concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
$ aqua g -i moby/buildkit
How to confirm if this package works well
Reviewers aren't necessarily familiar with this package, so please describe how to confirm if this package works well.
Please confirm if this package works well yourself as much as possible.
Command and output
If files such as configuration file are needed, please share them.
Reference