confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

util: verify provenance #2110

Closed mkulke closed 1 month ago

mkulke commented 1 month ago

This is prep-work to consume binaries with attestation from guest-components (#2074). The tool asserts that the OCI image has been built on the specified repo with a push on the main branch and that the specified digest matches the git sha of the source code and of the workflow.

Note: such a verification is only solid when performed for an OCI image with a digest, since tags are mutable. We want to resolve a tag to a digest URI and then verify and pull that digest URI (oras resolve image:tag).

$ cd src/cloud-api-adaptor
$ ./hack/verify-provenance.sh \
  -a ghcr.io/confidential-containers/guest-components/api-server-rest@sha256:0d2f600490caddb024c4e1e4c9d512c38a0d38e20131dd74702e6dfa4c6890b1 \
  -r confidential-containers/guest-components \
  -d d8da69072424e496486dfb5421a26f16ff2a7abf
Verification passed
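The three assertions the PR description lists (built in the expected repo, by a push to main, at the expected commit, for exactly this digest), as an added Python example that is not the repository's verify-provenance.sh. It assumes the provenance is a SLSA v1 statement in the GitHub Actions layout (workflow.repository/ref, github.event_name, a resolvedDependencies entry with gitCommit) and runs over a constructed sample statement with placeholder digests.

```python
"""Check SLSA v1 provenance for an OCI image digest against an expected
repository and git sha. Added example; the predicate layout is the
GitHub Actions shape as assumed here, not the script's own code."""
import json

# Constructed sample statement (placeholder digests, not real values).
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/example/api-server-rest",
                 "digest": {"sha256": "0d2f" * 16}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {
        "externalParameters": {"workflow": {
            "ref": "refs/heads/main",
            "repository": "https://github.com/example/guest-components",
            "path": ".github/workflows/build.yaml"}},
        "internalParameters": {"github": {"event_name": "push"}},
        "resolvedDependencies": [{
            "uri": "git+https://github.com/example/guest-components@refs/heads/main",
            "digest": {"gitCommit": "d8da" * 10}}]}},
})


def verify_provenance(statement_json, image_digest, repo, git_sha):
    """Return the list of failed checks; an empty list means it passed."""
    st = json.loads(statement_json)
    failures = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType"]
    # 1. The statement must cover exactly the digest we intend to pull;
    #    a tag is mutable, so only a digest makes the check meaningful.
    subjects = {s["digest"].get("sha256") for s in st.get("subject", [])}
    if image_digest.removeprefix("sha256:") not in subjects:
        failures.append("subject digest does not match image digest")
    bd = st["predicate"]["buildDefinition"]
    wf = bd["externalParameters"]["workflow"]
    # 2. Built by a workflow of the expected repository, on a push to main.
    if wf.get("repository") != f"https://github.com/{repo}":
        failures.append("workflow repository mismatch")
    if wf.get("ref") != "refs/heads/main":
        failures.append("workflow ref is not refs/heads/main")
    if bd["internalParameters"]["github"].get("event_name") != "push":
        failures.append("build was not triggered by a push")
    # 3. The source checkout (which carries the workflow file) must be at
    #    the expected commit; look only at dependencies from our repo.
    src = [d for d in bd.get("resolvedDependencies", [])
           if d.get("uri", "").startswith(f"git+https://github.com/{repo}@")]
    if not any(d["digest"].get("gitCommit") == git_sha for d in src):
        failures.append("source commit does not match expected git sha")
    return failures
```

In practice the statement would come from the registry-attached attestation for the resolved digest, after its signature has been checked.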