attest

docker/attest

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jonny Stoten	b4a9283ec3	Update go git (#209 )	2024-10-22 15:31:55 +01:00
Jonny Stoten	a078fba81d	feat: add internal reproducible git checksum builtin (#203 ) Adds a new rego builtin `attest.internals.reproducible_git_checksum`. This is needed for verifying DOI provenance, see https://github.com/docker/doi-image-policy/blob/main/slsa.md#doi-build-reproducible-git-checksum. We use https://github.com/go-git/go-git for as much of this as possible, but it doesn't support the actual archive operation, so we shell out to `git` for that. There is some similar unexported code in bashbrew, and we should probably be using the same code in the build process as we are here. I'll create a follow-up ticket to sort that out.	2024-10-22 14:30:27 +01:00

Author

SHA1

Message

Date

Jonny Stoten

b4a9283ec3

Update go git (#209 )

2024-10-22 15:31:55 +01:00

Jonny Stoten

a078fba81d

feat: add internal reproducible git checksum builtin (#203 )

Adds a new rego builtin `attest.internals.reproducible_git_checksum`.
This is needed for verifying DOI provenance, see
https://github.com/docker/doi-image-policy/blob/main/slsa.md#doi-build-reproducible-git-checksum.

We use https://github.com/go-git/go-git for as much of this as possible,
but it doesn't support the actual archive operation, so we shell out to
`git` for that.

There is some similar unexported code in bashbrew, and we should
probably be using the same code in the build process as we are here.
I'll create a follow-up ticket to sort that out.

2024-10-22 14:30:27 +01:00

2 Commits