text/0000-refactor-sbom.md
Lines changed: 5 additions & 4 deletions
@@ -28,7 +28,7 @@ The layer-scoped files are restored on future builds so that buildpacks can use
28
28
29
29
**image signature** - allows for cryptographically verifying the digest of an OCI image
30
30
31
-
**[cosign](https://github.com/sigstore/cosign/tree/main#cosign)** - tooling for generating image signatures
31
+
**[cosign](https://github.com/sigstore/cosign/tree/main#cosign)** - tooling for generating image signatures and attestations
32
32
33
33
**OCI v1.1** - pending new releases to the OCI image and distribution specs, as described [here](https://opencontainers.org/posts/blog/2023-07-07-summary-of-upcoming-changes-in-oci-image-and-distribution-specs-v-1-1/)
34
34
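Review bot: extending the cosign entry to "signatures and attestations" introduces a term the glossary does not define in the visible context; the neighbouring entries define "image signature" (verifies the digest of an OCI image) and "OCI v1.1", but there is no "attestation" entry. Add one alongside the signature entry that states how an attestation differs from a signature (a signed statement about an image, such as its SBOM, rather than a signature over the image digest alone), since the rest of the document relies on readers keeping the two apart.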
@@ -79,8 +79,8 @@ We should make it possible to invoke the `signer` separate from other phases.
79
79
Buildpacks should continue to output SBOM files as before. We won't need to bother buildpack authors with this change.
80
80
81
81
The `exporter` will accept a new optional flag `-omit-sbom` that defaults to `false`.
82
-
If `-omit-sbom=false` the exporter will behave as today, and include the SBOM layer containing the `<layers>/sbom/launch/` directory in the application image.
83
-
If `-omit-sbom=true` the exporter will not create the SBOM layer, but `<layers>/sbom/launch/` will remain on the filesystem and be available to the `signer`.
82
+
*If `-omit-sbom=false` the exporter will behave as today, and include the SBOM layer containing the `<layers>/sbom/launch/` directory in the application image.
83
+
*If `-omit-sbom=true` the exporter will not create the SBOM layer, but `<layers>/sbom/launch/` will remain on the filesystem and be available to the `signer`.
84
84
85
85
The exporter will additionally generate configuration for the `signer` irrespective of the value of `-omit-sbom`.
86
86
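Review bot: the list markers added to the two `-omit-sbom` lines have no space after the asterisk (`*If `-omit-sbom=false` ...`, `*If `-omit-sbom=true` ...`), so Markdown will not parse them as bullet items and the leading `*` will instead be read as the start of emphasis. Write them as `* If `-omit-sbom=false` ...` and `* If `-omit-sbom=true` ...`. While touching these lines, it is worth stating explicitly that with `-omit-sbom=true` the SBOM exists only in `<layers>/sbom/launch/` on the build filesystem, so an image built with that flag but without the `signer` step ships with no SBOM at all.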
@@ -95,7 +95,7 @@ The `signer` will accept configuration that will allow it to attach attestations
95
95
96
96
```toml
97
97
[image]
98
-
reference = <image digest>
98
+
reference = "<image digest>"
99
99
100
100
[[attestations]]
101
101
type = "<media type>"
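Review bot: quoting the value is the right fix, since a bare `<image digest>` is not valid TOML, but the key `reference` and the placeholder `<image digest>` still disagree about what is accepted. An image reference may be a mutable tag; if the intent is that the `signer` only binds attestations to a digest-pinned reference (`repo@sha256:...`), the document should say so and state that a tag-only reference is rejected, otherwise the attestation can end up describing content other than what was built.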
@@ -190,6 +190,7 @@ It should optionally accept configuration for new attestations to describe the n
190
190
191
191
During `analyze`, the lifecyle should verify attestations for the previous application image, and download the SBOM data as files in `<layers>/sbom/launch/`
192
192
so that the `restorer` can behave just as it does today when recreating `<layers>/<buildpack-id>/<layer>.sbom.<ext>` files for buildpacks.
193
+
193
194
The lifecycle should fall back to pulling the SBOM layer from the image if no attestations exist (this will be necessary to keep compatibility with daemon images).
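Review bot: the fallback to pulling the SBOM layer "if no attestations exist" should distinguish the absent case from the failed-verification case, which the two paragraphs as written do not do. If `analyze` falls back whenever verification does not succeed, stripping or tampering with attestations silently downgrades the build to unverified SBOM data; the fallback should apply only when no attestation is present, and a present-but-invalid attestation should fail the phase (or at least be logged as a verification failure). Separately, the unchanged context line has a typo: "lifecyle" should be "lifecycle".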