When publishing an image with the default parameters and --image-refs=refs-file, ko publishes an image for the SBOM in KO_DOCKER_REPO. However, this image is not included in the file passed in --image-refs option. I don't know if it is intentional or not.
Minimal reproducible example:
go mod init example
cat > main.go <<EOF
package main
import "fmt"
func main() {
fmt.Println("Hello world!")
}
EOF
# build, and check a SBOM image is published (something like $KO_DOCKER_REPO/example-***:sha256-***.sbom)
ko build . --image-refs=refs-file
grep "sbom" refs-file || echo "No SBOM included in refs-file"
In my case, this is problematic because I would like to sign the SBOM (the same way I'm signing the image). But, to retrieve the SBOM image, I have to tweak a little bit. I would have expected the SBOM image to be in refs-file, so I can rely on that file, instead of inspecting the image from the registry to retrieve the SBOM image digest.
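One way to do what the report asks for today, as an added example that is not part of the issue or of ko itself: derive each SBOM reference from the digest references ko writes to refs-file (using the `<repo>:sha256-<hex>.sbom` tag layout shown in the comment above), resolve that tag to a digest, and sign image and SBOM together. It assumes `crane` and `cosign` are installed and that refs-file holds one `repo@sha256:<hex>` reference per line.

```shell
#!/bin/sh
# Derive ko's SBOM tag from a digest reference out of refs-file.
# Assumed layout (from the example in the report): <repo>:sha256-<hex>.sbom
sbom_ref_for() {
  ref="$1"
  case "$ref" in
    *@sha256:*) ;;
    *) echo "not a digest reference: $ref" >&2; return 1 ;;
  esac
  repo="${ref%@sha256:*}"      # everything before '@sha256:'
  hex="${ref##*@sha256:}"      # everything after it
  # A sha256 digest is exactly 64 lowercase hex characters; refuse anything else
  # so a malformed line cannot turn into a tag that points somewhere unexpected.
  case "$hex" in
    *[!0-9a-f]*) echo "bad digest: $ref" >&2; return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || { echo "bad digest length: $ref" >&2; return 1; }
  printf '%s:sha256-%s.sbom\n' "$repo" "$hex"
}

# Sign every image listed in refs-file and its SBOM. The SBOM tag is resolved
# to a digest first so the signature is bound to content, not to a mutable tag.
# Assumes crane and cosign are on PATH and that cosign's usual keyless or
# --key configuration is set up in the environment.
sign_image_and_sbom() {
  refs="$1"
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    sbom_tag=$(sbom_ref_for "$ref") || return 1
    repo="${ref%@sha256:*}"
    sbom_digest=$(crane digest "$sbom_tag") || return 1
    cosign sign "$ref" || return 1
    cosign sign "$repo@$sbom_digest" || return 1
  done < "$refs"
}

# Usage: run after `ko build . --image-refs=refs-file`
if [ -f "${REFS_FILE:-refs-file}" ]; then
  sign_image_and_sbom "${REFS_FILE:-refs-file}"
fi
```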
This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.