
Digital Signature for the container image and a signed SBOM

Open iamvolvo opened this issue 1 year ago • 3 comments

Hi,

I'd like to be able to verify the container images I'm downloading from https://hub.docker.com/_/amazoncorretto/ have indeed been generated by you and have not been tampered with.

I'd also like to be able to know what components you are including in your containers, ideally in an SBOM format, and I'd also like to make sure that this metadata hasn't been tampered with.

Thanks!

iamvolvo avatar Sep 15 '23 18:09 iamvolvo

Hi, thanks for contacting us about this. It would be helpful if you could describe in a bit more detail what you're looking for:

  • What information would you like that isn't already provided by docker trust amazoncorretto or docker sbom amazoncorretto:<tag>?
  • How would you like that information provided? Do you have an example you can share where another image is vending this information?

benty-amzn avatar Sep 15 '23 19:09 benty-amzn

As an "Official Image", Dockerhub generates those images based on the Dockerfiles in this repository and the images will get automatically rebuilt when the base images change.

lutkerd avatar Sep 15 '23 19:09 lutkerd

@benty-amzn The docker scout sbom command creates a new SBOM by scanning the contents of the image, which has its downsides and depends on the accuracy of the tool. Instead, it is possible for the image author to provide a signed attestation of the contents, added as metadata of the image itself (e.g. https://docs.docker.com/build/attestations/ and https://docs.docker.com/build/attestations/sbom/).

@lutkerd If the actual build pipeline is not here, but with DockerHub, I guess it would actually be a request to their build pipeline to generate that metadata.

lqc avatar Jun 27 '24 10:06 lqc
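The distinction lqc draws above (an SBOM re-derived by scanning versus one the producer attests to and binds to the image digest) is easiest to see from the consumer side. The following is an added example, not code from the corretto-docker project or from any commenter in this thread: it builds a minimal in-toto Statement with an SPDX-style predicate, wraps it in a DSSE envelope using the real DSSE pre-authentication encoding, and then verifies it the way a consumer would, checking the signature, the statement and predicate types, and that the subject digest matches the image being pulled. The image digest, package names and shared key are constructed values, and HMAC-SHA256 stands in for the asymmetric signature a real producer (such as Docker's build attestations) would use; that substitution is an assumption for the sake of a dependency-free example, not how the linked tooling signs.

```python
"""Added example: verifying a producer-supplied SBOM attestation against an image digest."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SPDX_PREDICATE = "https://spdx.dev/Document"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed image digest: stands in for the manifest digest a consumer reads from
# the registry before pulling. It is not a real amazoncorretto digest.
IMAGE_DIGEST = hashlib.sha256(b"constructed manifest bytes").hexdigest()

# Constructed SPDX-style predicate; package names are illustrative placeholders.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "docker.io/library/amazoncorretto:example-tag",
                 "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SPDX_PREDICATE,
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"name": "java-21-amazon-corretto-devel", "versionInfo": "example"},
            {"name": "glibc", "versionInfo": "example"},
        ],
    },
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed.
    Binding the payload type into the signed bytes prevents type-confusion swaps."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def canonical(statement: dict) -> bytes:
    """Stable JSON serialisation so signer and verifier hash identical bytes."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign_statement(statement: dict, key: bytes, keyid: str = "example-key") -> dict:
    """Wrap a statement in a DSSE envelope. HMAC-SHA256 is a hypothetical stand-in
    for the asymmetric signature a real producer would use."""
    payload = canonical(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_sbom_attestation(envelope: dict, key: bytes, image_digest: str) -> list:
    """Fail-closed consumer check: signature, statement/predicate types, and that the
    attestation's subject is the exact image digest being pulled. Returns package names."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope.get("signatures", [])):
        raise ValueError("no valid signature over the envelope")
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError("not an SPDX in-toto statement")
    if not any(s.get("digest", {}).get("sha256") == image_digest for s in stmt.get("subject", [])):
        raise ValueError("attestation does not cover this image digest")
    return [p["name"] for p in stmt["predicate"].get("packages", [])]


def demo() -> dict:
    """Sign the constructed statement, verify it, then show that a package added to
    the SBOM after signing is rejected because the signature no longer matches."""
    key = b"constructed-shared-secret"  # constructed; never hard-code real keys
    env = sign_statement(SAMPLE_STATEMENT, key)
    packages = verify_sbom_attestation(env, key, IMAGE_DIGEST)

    tampered = dict(env)
    stmt = json.loads(base64.b64decode(env["payload"]))  # fresh copy, not SAMPLE_STATEMENT
    stmt["predicate"]["packages"].append({"name": "inserted-after-signing"})
    tampered["payload"] = base64.b64encode(canonical(stmt)).decode()
    try:
        verify_sbom_attestation(tampered, key, IMAGE_DIGEST)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"packages": packages, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks that matter for this issue are the last two in verify_sbom_attestation: a consumer should refuse an SBOM whose signature does not verify, and should also refuse one whose subject digest is not the digest of the image actually being pulled, since a valid signature over some other image's SBOM proves nothing about this one.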