feat: use docker buildx to create attestation files.

Updates the Github workflow to use the Docker buildx to generate the
SLSA attestation and SBOM files. Furthermore, the previous workflow used
to generate the SBOM files has been updated to download the data from
the container registry and upload them to the release page as it does
before.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

.github/workflows/attestation.yml

@@ -0,0 +1,131 @@
+name: Sign attestation files
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        type: string
+        required: true
+
+jobs:
+  sbom:
+    name: Fetch, sign and verify SBOM and provenance files
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    permissions:
+      packages: write
+      id-token: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Install the crane command
+        uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Find platform digest
+        shell: bash
+        run: |
+          set -e
+          DIGEST=$(crane digest \
+            --platform "linux/${{ matrix.arch }}" \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }})
+          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Find attestation digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }} \
+            | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
+          )
+          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign attestation manifest
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+      - name: Find provenance manifest digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
+            jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
+          echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign provenance manifest
+        run: |
+          cosign sign --yes \
+          ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}}
+
+      - name: Find SBOM manifest layers digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
+            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest
+          done
+
+      - name: Verify SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign verify \
+              --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+              --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+              ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest
+          done
+
+      - name: Download provenance and SBOM files
+        run: |
+          set -e
+          crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}} > audit-scanner-attestation-${{ matrix.arch }}-provenance.json
+          md5sum audit-scanner-attestation-${{ matrix.arch }}-provenance.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+
+
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest > audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json
+            md5sum audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+          done
+            
+      - name: Sign checksum file
+        run: |
+          cosign sign-blob --yes \
+            --bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+            
+          cosign verify-blob \
+            --bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+
+      - name: Upload SBOMs as artifacts
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: attestation-${{ matrix.arch }}
+          path: audit-scanner-attestation-${{ matrix.arch }}*

.github/workflows/container-build.yml

@@ -31,7 +31,7 @@ jobs:
 
   sbom:
     needs: build
-    uses: ./.github/workflows/sbom.yml
+    uses: ./.github/workflows/attestation.yml
     permissions:
       packages: write
       id-token: write

.github/workflows/container-image.yml

@@ -65,6 +65,8 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
+          sbom: true
+          provenance: mode=max
           tags: |
             ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
       - # Only build amd64 because buildx does not allow multiple platforms when
@@ -77,6 +79,8 @@ jobs:
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
+          sbom: true
+          provenance: mode=max
           outputs: type=docker,dest=/tmp/audit-scanner-image-${{ env.TAG_NAME }}.tar
           tags: |
             ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}

.github/workflows/release.yml

@@ -34,6 +34,7 @@ jobs:
       - name: Generate CRDs
         run: |
           tar -czf CRDS.tar.gz -C config/crd $(ls config/crd)
+
       - name: Upload CRDs as artifacts
         uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
@@ -92,10 +93,10 @@ jobs:
             }
             core.setFailed(`Draft release not found`)
 
-      - name: Download SBOM artifacts
+      - name: Download attestation artifacts
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          pattern: sbom-*
+          pattern: attestation-*
           path: ./
           merge-multiple: true
 
@@ -109,6 +110,12 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R
 
+      - name: Create tarball for the attestation files
+        run: |
+          for arch in "amd64" "arm64"; do
+            tar -czf attestation-$arch.tar.gz $(ls audit-scanner-attestation-$arch-*)
+          done
+
       - name: Upload release assets
         id: upload_release_assets
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -118,12 +125,8 @@ jobs:
             let path = require('path');
 
             let files = [
-              'audit-scanner-sbom-amd64.spdx',
-              'audit-scanner-sbom-amd64.spdx.cert',
-              'audit-scanner-sbom-amd64.spdx.sig',
-              'audit-scanner-sbom-arm64.spdx',
-              'audit-scanner-sbom-arm64.spdx.cert',
-              'audit-scanner-sbom-arm64.spdx.sig',
+              'attestation-amd64.tar.gz',
+              'attestation-arm64.tar.gz',
               "CRDS.tar.gz"]
             const {RELEASE_ID} = process.env
 

.github/workflows/sign-image.yml

@@ -30,3 +30,8 @@ jobs:
         run: |
           cosign sign --yes \
             ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner*" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }}