chainguard-dev / edu

Educational Resources for Software Supply Chain Security
https://edu.chainguard.dev

Switch to `cosign download attestation` for SBOMs #797

Closed mattmoor closed 1 year ago

mattmoor commented 1 year ago

Describe the bug

I noticed that we are still using cosign download sbom across the site, which accesses the unsigned SBOM.

We are moving away from the unsigned SBOMs (as part of the TF migration) and we've had attestations for these for a while now!

To Reproduce

cosign download sbom cgr.dev/chainguard/apko no longer works.

Instead we should use:

cosign download attestation --predicate-type=https://spdx.dev/Document cgr.dev/chainguard/apko | jq -r .payload | base64 -d | jq

Expected behavior

Gets the SBOM

Screenshots

N/A

Desktop (please complete the following information):

N/A

Smartphone (please complete the following information):

N/A

Additional context

Add any other context about the problem here.
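The `jq -r .payload | base64 -d | jq` pipe above only decodes; it does not check what it decoded. The following is an added example (not code from this repo or from cosign) that parses the DSSE envelopes `cosign download attestation` prints, picks the in-toto statement whose predicateType is the SPDX document, and checks the attestation subject against the image digest you expect. The envelope and digest are constructed stand-ins.

```python
import base64
import json

# Constructed sample of what `cosign download attestation` prints: one DSSE
# envelope per line. The payload is a base64-encoded in-toto Statement; the
# SPDX document inside is a minimal stand-in, not a real Chainguard SBOM.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "cgr.dev/chainguard/apko",
                 "digest": {"sha256": "0" * 64}}],  # placeholder digest
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "sbom-placeholder",
                  "packages": [{"name": "apko", "versionInfo": "0.0.0"}]},
}
SAMPLE_OUTPUT = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "placeholder"}],
}) + "\n"

SPDX_PREDICATE = "https://spdx.dev/Document"


def extract_sbom(envelope_lines: str, expected_digest: str) -> dict:
    """Return the SPDX predicate from the DSSE envelopes cosign downloaded.

    Does what `jq -r .payload | base64 -d | jq` does, plus the checks the
    pipe skips: payloadType, predicateType, and the subject digest. Signature
    verification is NOT done here; use `cosign verify-attestation` for that.
    """
    for line in envelope_lines.splitlines():
        if not line.strip():
            continue
        env = json.loads(line)
        if env.get("payloadType") != "application/vnd.in-toto+json":
            continue
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("predicateType") != SPDX_PREDICATE:
            continue  # a different attestation type (e.g. a vuln scan)
        digests = {s["digest"].get("sha256") for s in stmt.get("subject", [])}
        if expected_digest not in digests:
            raise ValueError("attestation subject does not match image digest")
        return stmt["predicate"]
    raise LookupError("no SPDX attestation found in cosign output")
```

Feed it the real output by piping `cosign download attestation --predicate-type=https://spdx.dev/Document cgr.dev/chainguard/apko` into stdin and passing the digest from `crane digest` or the image reference you resolved.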

mattmoor commented 1 year ago

I can try my hand at a PR for this in a bit, but wanted to get an issue filed.