Red Hat Internal Developer Platform
RHIDP-7811

create image attestations, signatures, SBOMs, source containers for OCI artifacts

    • RHDH COPE 3276, RHDH COPE 3277, RHDH COPE 3278, RHDH COPE 3279, RHDH COPE 3280, RHDH COPE 3281

      As seen in RHIDP-7098 we've managed to:

      • convince pyxis to allow plugins as OCI artifacts, as long as we add new entries for each new plugin
      • update konflux-release-data with valid RPAs and RPs matching the plugin tags we want to release
      • load those images into a snapshot
      • start a release to stage


      However, we're now getting Conforma violations, 2 per plugin:

      • builtin.image.signature_check and
      • builtin.attestation.signature_check:


      step-validate
      
      Success: false
      Result: FAILURE
      Violations: 4, Warnings: 0, Successes: 0
      
      Components:
      - Name: rhdh-plugin-catalog--backstage-plugin-notifications
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44
        Violations: 2, Warnings: 0, Successes: 0
      
      - Name: rhdh-plugin-catalog--backstage-plugin-notifications-backend
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications-backend@sha256:080c0dc7fd9ac11d2d2faa9bb3b927d22ad2f1e0d1e48a6e56bfa0c98c3b7a64
        Violations: 2, Warnings: 0, Successes: 0
      
      Results:
      ✕ [Violation] builtin.attestation.signature_check
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44
        Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more
        attestations were created. Error: no matching attestations: 
        Title: Attestation signature check passed
        Description: The attestation signature matches available signing materials.
      
      ✕ [Violation] builtin.image.signature_check
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44
        Reason: Image signature check failed: no signatures found
        Title: Image signature check passed
        Description: The image signature matches available signing materials.
      
      ✕ [Violation] builtin.attestation.signature_check
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications-backend@sha256:080c0dc7fd9ac11d2d2faa9bb3b927d22ad2f1e0d1e48a6e56bfa0c98c3b7a64
        Reason: No image attestations found matching the given public key. Verify the correct public key was provided, and one or more
        attestations were created. Error: no matching attestations: 
        Title: Attestation signature check passed
        Description: The attestation signature matches available signing materials.
      
      ✕ [Violation] builtin.image.signature_check
        ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications-backend@sha256:080c0dc7fd9ac11d2d2faa9bb3b927d22ad2f1e0d1e48a6e56bfa0c98c3b7a64
        Reason: Image signature check failed: no signatures found
        Title: Image signature check passed
        Description: The image signature matches available signing materials.

      So the task here is to:

      • figure out what's missing
      • enhance the plugin export/publish task to create the missing artifacts in quay (for image attestation and signatures)

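To make the two violations concrete: both builtin checks look for cosign-style signing artifacts stored in the same repository as the image, under tags derived from the image digest. The following added example (not code from the ticket or from the RHDH/Konflux tooling) parses the step-validate output above and lists, per image, the registry references that the publish task would need to create; the `sha256-<digest>.sig` / `.att` naming is assumed to be cosign's default tag layout.

```python
import re
from collections import defaultdict

# Cosign artifact that each builtin Conforma check looks for. Assumes
# cosign's default tag layout: <repo>:sha256-<digest>.sig and .att.
ARTIFACT_FOR_CHECK = {
    "builtin.image.signature_check": "sig",
    "builtin.attestation.signature_check": "att",
}
VIOLATION_RE = re.compile(r"^\s*\S\s*\[Violation\]\s+(\S+)\s*$")
IMAGEREF_RE = re.compile(r"^\s*ImageRef:\s*(\S+)@sha256:([0-9a-f]{64})\s*$")


def missing_artifacts(report: str) -> dict[str, list[str]]:
    """Map each failing image ref to the registry references that must exist.

    In the Results section every violation header is followed by the
    ImageRef it applies to; the Components section has no header and
    is therefore skipped."""
    expected: dict[str, set[str]] = defaultdict(set)
    pending_check = None
    for line in report.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            pending_check = m.group(1)
            continue
        m = IMAGEREF_RE.match(line)
        if m and pending_check in ARTIFACT_FOR_CHECK:
            repo, digest = m.group(1), m.group(2)
            tag = f"{repo}:sha256-{digest}.{ARTIFACT_FOR_CHECK[pending_check]}"
            expected[f"{repo}@sha256:{digest}"].add(tag)
            pending_check = None
    return {ref: sorted(tags) for ref, tags in expected.items()}


# Constructed sample: the step-validate output quoted in the ticket, trimmed.
SAMPLE_REPORT = """\
Components:
- Name: rhdh-plugin-catalog--backstage-plugin-notifications
  ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44

Results:
✕ [Violation] builtin.attestation.signature_check
  ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44
✕ [Violation] builtin.image.signature_check
  ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications@sha256:010254485d066557d809a749d7e5919298f4cc2235fa1bc2ca71a131e3a95b44
✕ [Violation] builtin.image.signature_check
  ImageRef: quay.io/rhdh-plugin-catalog/backstage-plugin-notifications-backend@sha256:080c0dc7fd9ac11d2d2faa9bb3b927d22ad2f1e0d1e48a6e56bfa0c98c3b7a64
"""

if __name__ == "__main__":
    print(missing_artifacts(SAMPLE_REPORT))
```

The same ImageRef appearing under Components is ignored because no violation header precedes it, so only artifacts Conforma actually reported as missing are listed.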
Nick Boldt (nickboldt)
RHIDP - Cope