Get attestations separate from build output

[jedevc]

Currently, when buildkit exports attestations, it exports them inline with the rest of the content:

• For the image, oci and docker exporters, the attestations are exported using the attached attestation storage.
• For the local and tar exporters, the attestations are exported to separate files within the output directory.

While this is most designed for use cases where the attestations are intended for publishing, using the results in CI/CD pipelines is more complicated. For these cases, a user will likely want to extract the attestations separately from the exported result.

For example:

• A user wants to host the provenance and SBOM for the image in the GitHub releases page, but the consumable artifact is pushed separately to a container registry.
• A user wants to automate generation of a report of the build, that includes details from the provenance (e.g. timings, github repositories, links to ci runs, etc), as well as details from the sbom (package versions of critical packages).
• A user wants to create a pipeline that builds + pushes an image, and only conditionally deploys it, but only if no vulnerabilities are detected during the analysis of the outputted SBOM. This should be possible independent of whether the final output artifact contains the SBOM attestation.
• A user wants to manually export the attestation results to a third-party software component, maybe for more advanced analysis and integration.

Ideally, BuildKit should support generating these attestations separately from the main output, to enable these use cases. A couple of implementation possibilities:

1. Use #2760, and create (or modify) a dedicated attestations exporter that only exports all the attestations. Using #3403, the user can then precisely configure which attestations end up where, and can create a pipeline to easily get the attestations separately. One issue with the above is that attestations vary between exporters (e.g. the subject of a local attestation is the list of all files in the export, while in an image attestation it's the digest of the platform manifest). We should be able to get the exact same attestation that is exported.
2. Return the generated attestations in the exporter response (mostly likely not directly, but we could use the new build history api to write the attestations to the content store and then allow the client to read them using a returned descriptor).

[slonopotamus]

Today, I learned there is a attestation-inline=false build option. Does it solve your issue?

[jedevc]

Today, I learned there is a attestation-inline=false build option. Does it solve your issue?

Unfortunately not really. There's no functionality in buildkit today to do anything as described above - I wrote up some additional context in https://github.com/moby/buildkit/pull/4435#issuecomment-1830109768:

small rant (hindsight is 20/20). inline is such a weird name for this behavior, it's nothing about inline attestations, it's more about a tag that different exporters can use to detect if an attestation should be included by default.