remove unsigned SBOM section from SBOM tutorial #1826
Conversation
Cosign complains when attaching unsigned SBOMs, and we shouldn't recommend this path when signed SBOMs are better.

```
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore/cosign#2755). Instead, please use SBOM attestations.
WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate amd_64.spdx --key <key path>'.
```

Signed-off-by: Jason Hall <jason@chainguard.dev>
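The warning above points at the signed replacement for the removed step. As an added example (not code from the PR or from the Chainguard docs), the script below wraps the signed path: it picks the cosign predicate type from the SBOM file's serialisation, runs `cosign attest`, and immediately checks the result with `cosign verify-attestation`. It assumes cosign on PATH, a key pair produced by `cosign generate-key-pair` (`cosign.key` / `cosign.pub`), and an image reference you control; the file and image names are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the PR or the Chainguard docs): the signed replacement for
# the removed "cosign attach sbom" step. The SBOM becomes an in-toto attestation via
# `cosign attest`, then is checked with `cosign verify-attestation`.
# Assumed: cosign on PATH, cosign.key/cosign.pub from `cosign generate-key-pair`,
# an SBOM file, and an image reference you own. Names below are placeholders.
set -eu

# Pick the cosign predicate type from the SBOM's serialisation: SPDX tag-value
# (like the page's amd_64.spdx) needs --type spdx, SPDX JSON needs --type spdxjson,
# CycloneDX JSON needs --type cyclonedx. Anything else is rejected rather than guessed,
# because a wrong type makes the attestation unverifiable with --type later.
sbom_type() {
  file="$1"
  if grep -q '^SPDXVersion:' "$file"; then
    echo spdx
  elif grep -q '"spdxVersion"' "$file"; then
    echo spdxjson
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    echo cyclonedx
  else
    echo "unrecognised SBOM format: $file" >&2
    return 1
  fi
}

# Signed path: attest signs the predicate and pushes the attestation alongside the image;
# verifying against the public key right away catches a bad key or a failed push.
attest_and_verify() {
  sbom="$1"; image="$2"; key="${3:-cosign.key}"
  type="$(sbom_type "$sbom")"
  cosign attest --predicate "$sbom" --type "$type" --key "$key" "$image"
  cosign verify-attestation --type "$type" --key "${key%.key}.pub" "$image" >/dev/null
  echo "attested and verified $sbom ($type) on $image"
}

# Usage: sh sign_sbom.sh sbom.spdx.json ghcr.io/example/app@sha256:PLACEHOLDER [cosign.key]
if [ "$#" -ge 2 ]; then
  attest_and_verify "$@"
fi
```

Verification is done with `--type` matching what was attested, which is why the type is derived from the file rather than passed by hand; keyless (Fulcio/Rekor) signing would drop the `--key` arguments, but the flow is otherwise the same.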
@@ -128,27 +128,6 @@ ExternalRef: PACKAGE_MANAGER purl pkg:alpine/zlib@1.2.12-r0?arch=aarch64&upstrea

Next, you’ll use Cosign to work with the SBOM and the image.
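Review bot: the hunk header shows 21 lines removed (27 → 6) while the sentence "Next, you’ll use Cosign to work with the SBOM and the image." survives as the only visible context; once the unsigned-attach steps are gone that sentence needs a following step that actually uses Cosign with the SBOM, otherwise it dangles. The warning quoted in the description already names the replacement (`cosign attest --predicate <sbom> --key <key path>`), so either add that step here or reword the lead-in to match whatever section now follows.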
Is it worth linking out to cosign docs directly, as they're likely to be more up to date and then don't have to keep trying to keep this in sync? https://docs.sigstore.dev/cosign/signing/other_types/
I'll raise this with the team. 👍 There are some upsides to maintaining our own docs on tools we use frequently or that are also used a lot in the secure container space (good for our SEO and pipeline). But the downside is that things can get out of sync. We're actually working on a new docs update cadence that should roll out soon as well. cc @sheesh
For sure yeah, two sides of the coin 😄 @smythp
Will keep my eyes open for new docs cadence
Removal looks good. I'll merge and then look into if anything needs to be added back for this use case. Thanks for jumping in with the PR 🆒
Cosign complains when attaching unsigned SBOMs, and we shouldn't recommend this path when signed SBOMs are better.
Type of change
deletion
What should this PR do?
remove the section about unsigned SBOMs
Why are we making this change?
we shouldn't recommend unsigned SBOMs, since Cosign complains about them, and signed SBOMs are better.
What are the acceptance criteria?
clarity and flow
How should this PR be tested?
n/a, nothing to test