-
My understanding is that currently there are a handful of different attestation methods for OCI images in the ecosystem. Podman supports different mechanisms from Docker, which supports different stuff than e.g. the GitHub attestation with their CLI. Which attestation methods does bootc currently support or plan to support? GitHub seems to be pushing "their way" and it seems like podman does not support that? This whole topic is sadly very incomprehensible to me and there does not seem to be a common standard? I would really appreciate some clarification, as we currently consider overhauling our architecture and are thus far split between bootc and the-systemd-way (see the "putting everything together" blog).
Replies: 2 comments
-
(Converted to a discussion)

Hi, the simple answer is that today bootc is aligned with the containers/{image,storage} ecosystem which is used by podman as far as fetching container images (including signing and the rest of the containers/image ecosystem).

For GitHub you're presumably referring to https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds ?

I don't think bootc needs to support that directly; the basic thing I'd say here is to sign your container with e.g. cosign, and that's what should be verified from the registry to bootc. Verifying the build attestation is something that I think should be done as part of the build pipeline, not per client.
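As an added illustration of the answer above (this is not from the original discussion or from the bootc project), here is what "sign with cosign, verify from the registry to bootc" looks like on the client side. Because bootc pulls through containers/image, the verification policy is the standard `/etc/containers/policy.json`. The repository name `quay.io/example/myos` and the key path `/etc/pki/containers/myos-cosign.pub` are placeholders; the public key is the one whose private half was used for `cosign sign`. The `default: reject` entry refuses any image not explicitly listed, so an unsigned or wrongly signed image fails to pull rather than silently falling back.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "quay.io/example/myos": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/etc/pki/containers/myos-cosign.pub",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    }
  }
}
```

For the signature to be found at all, containers/image also needs a matching `registries.d` entry (e.g. `/etc/containers/registries.d/quay-example.yaml`) that sets `use-sigstore-attachments: true` for that repository; without it the sigstore attachment is never fetched and the pull is rejected by the policy above. `matchRepository` lets any tag in that repository be signed with the key, which is what you want when bootc follows a moving tag across updates; `matchExact` would pin the signature to the exact reference. Verifying GitHub's build attestation (SLSA provenance) stays in the build pipeline, as the reply suggests, so the host only has to trust one key.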
-
Well I tried twice, but that keeps failing, I end up at the 404 page and the status looks like GitHub is confused...