
In-toto attestations?

Open politician opened this issue 3 years ago • 1 comments

It seems builds are supposed to be attested, but they have not been since November 28th, 2021.

Old image works:

cosign verify-attestation --key https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub gcr.io/distroless/base@sha256:4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91

Latest image does not work:

cosign verify-attestation --key https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub gcr.io/distroless/base:latest

politician, Mar 15 '22 12:03

The attestation stuff was a bit experimental. I'll find someone to take a look at this.

loosebazooka, Mar 15 '22 13:03