
For the "Provenance attestation example" the commands to display the attestation are not displayed

Open scraly opened this issue 3 months ago • 0 comments

Is this a docs issue?

  • [x] My issue is about the documentation content or website

Type of issue

I can't find what I'm looking for

Description

In the https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example page and section, an example is given with a full SLSA provenance attestation in the in-toto format.

The problem: the command to display it is not given. It can be tricky for the user without knowing the commands.

Location

https://docs.docker.com/build/metadata/attestations/slsa-provenance/

Suggestion

An example of the commands to be added:

# IMAGE must already hold the reference of the pushed image

# Retrieve the digest of the attestation manifest
DIGEST=$(docker buildx imagetools inspect "$IMAGE" --format '{{ json .Manifest }}' | jq -r '.manifests[] | select(.annotations."vnd.docker.reference.type"=="attestation-manifest") | .digest')

# Retrieve the digest of the in-toto layer
INTOTO_DIGEST=$(docker buildx imagetools inspect "$IMAGE@$DIGEST" --raw | jq -r '.layers[] | select(.annotations."in-toto.io/predicate-type"=="https://slsa.dev/provenance/v0.2") | .digest')

# Read the SLSA provenance attestation from the blob
crane blob "$IMAGE@$INTOTO_DIGEST"

Definitely not easy...

Moreover, an easier command exists to retrieve the provenance, BUT not in in-toto format:

docker buildx build --provenance=mode=max --metadata-file provenance.json -t $IMAGE --push .

Maybe a better solution exists; in any case, the commands are missing from this documentation.

Thanks :)

scraly, Sep 05 '25 12:09
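The selection logic behind the commands in the issue above, as an added Python example that is not part of the issue or of the Docker documentation. It goes beyond the issue's commands in two ways: it pins the attestation manifest to one image manifest through the `vnd.docker.reference.digest` annotation from BuildKit's attestation storage format (a multi-platform index carries one attestation manifest per platform), and it checks the fetched blob against its descriptor digest before parsing. All function names and sample data are constructed for illustration.

```python
import hashlib
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"  # predicate type used in the issue
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"     # BuildKit annotation, not shown in the issue

def attestation_manifest_digest(index, image_digest):
    """Return the digest of the one attestation manifest that refers to image_digest."""
    hits = []
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        if ann.get(REF_TYPE) == "attestation-manifest" and ann.get(REF_DIGEST) == image_digest:
            hits.append(m["digest"])
    if len(hits) != 1:
        raise LookupError(f"expected 1 attestation manifest for {image_digest}, found {len(hits)}")
    return hits[0]

def provenance_layer_digest(att_manifest, predicate_type=SLSA_V02):
    """Return the digest of the in-toto layer carrying the requested predicate type."""
    for layer in att_manifest.get("layers", []):
        if layer.get("annotations", {}).get("in-toto.io/predicate-type") == predicate_type:
            return layer["digest"]
    raise LookupError(f"no layer with predicate type {predicate_type}")

def load_statement(blob, expected_digest):
    """Parse the blob only if its sha256 matches the descriptor digest."""
    actual = "sha256:" + hashlib.sha256(blob).hexdigest()
    if actual != expected_digest:
        raise ValueError(f"blob digest {actual} does not match {expected_digest}")
    return json.loads(blob)

# Constructed sample data (not from a real registry): a two-platform index.
BLOB = json.dumps({"_type": "https://in-toto.io/Statement/v0.1",
                   "predicateType": SLSA_V02, "subject": [], "predicate": {}}).encode()
BLOB_DIGEST = "sha256:" + hashlib.sha256(BLOB).hexdigest()
AMD64, ARM64 = "sha256:" + "a" * 64, "sha256:" + "b" * 64
ATT_AMD64, ATT_ARM64 = "sha256:" + "c" * 64, "sha256:" + "d" * 64

def _att(digest, ref):
    return {"digest": digest,
            "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: ref}}

INDEX = {"manifests": [{"digest": AMD64}, {"digest": ARM64},
                       _att(ATT_AMD64, AMD64), _att(ATT_ARM64, ARM64)]}
ATT_MANIFEST = {"layers": [{"digest": BLOB_DIGEST,
                            "annotations": {"in-toto.io/predicate-type": SLSA_V02}}]}

if __name__ == "__main__":
    print(attestation_manifest_digest(INDEX, ARM64))
    print(load_statement(BLOB, provenance_layer_digest(ATT_MANIFEST))["predicateType"])
```
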