29 changes: 28 additions & 1 deletion content/manuals/build/metadata/attestations/slsa-provenance.md
@@ -205,7 +205,34 @@
<!-- TODO: add a link to the definitions page, imported from moby/buildkit -->

The following example shows what a JSON representation of a provenance
attestation with `mode=max` looks like:
attestation with `mode=max` looks like.

### Retrieving the raw in-toto format

While the [Inspecting Provenance](#inspecting-provenance) section shows how to
use `imagetools inspect` with templates to extract specific provenance data,
you can also retrieve the complete attestation in its raw in-toto format.

To retrieve the raw in-toto format attestation, use the following commands:

```bash
# Retrieves the digest for the attestation manifest
DIGEST=$(docker buildx imagetools inspect $IMAGE --format '{{ json .Manifest }}' | jq -r '.manifests[] | select(.annotations."vnd.docker.reference.type"=="attestation-manifest") | .digest')

# Retrieve the in-toto digest
INTOTO_DIGEST=$(docker buildx imagetools inspect $IMAGE@$DIGEST --raw | jq -r '.layers[] | select(.annotations."in-toto.io/predicate-type"=="https://slsa.dev/provenance/v0.2") | .digest')

# Read the SLSA provenance attestation from the blob
crane blob $IMAGE@$INTOTO_DIGEST
```

These commands:

1. Find the attestation manifest digest from the image index
2. Extract the in-toto digest for the SLSA provenance predicate
3. Retrieve the complete attestation blob using `crane`

The output is the full in-toto format attestation, as shown below:

Check warning on line 235 in content/manuals/build/metadata/attestations/slsa-provenance.md (GitHub Actions / validate (vale)):
[vale] reported by reviewdog 🐶 [Docker.RecommendedWords] Consider using 'following' instead of 'below' Raw Output: {"message": "[Docker.RecommendedWords] Consider using 'following' instead of 'below'", "location": {"path": "content/manuals/build/metadata/attestations/slsa-provenance.md", "range": {"start": {"line": 235, "column": 61}}}, "severity": "INFO"}

```json
{
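Review bot: the new `### Retrieving the raw in-toto format` subsection is inserted between the sentence "The following example shows what a JSON representation of a provenance attestation with `mode=max` looks like." and the ```json block that sentence introduces, so the sentence now points at a heading rather than its example, and the subsection's closing line "The output is the full in-toto format attestation, as shown below:" then reuses that same JSON block as if it were the output of `crane blob`. Move the subsection after the existing JSON example (or move the introductory sentence down so it sits directly above the fence) and restore the colon that the change to line 205 dropped. In the shell block, `.manifests[] | select(.annotations."vnd.docker.reference.type"=="attestation-manifest")` emits every matching digest, so for an index that carries more than one attestation manifest (a multi-platform build has one per platform) `DIGEST` becomes multi-line and `$IMAGE@$DIGEST` is no longer a valid reference; either add a filter on `.annotations."vnd.docker.reference.digest"` for the platform manifest you want or state that the example assumes a single-platform image. The second filter hard-codes `"in-toto.io/predicate-type"=="https://slsa.dev/provenance/v0.2"`, so the command silently yields an empty `INTOTO_DIGEST` for any other predicate type; a short note on that would save readers a confusing `crane` error. Quote `"$IMAGE"`, `"$DIGEST"` and `"$INTOTO_DIGEST"` in the expansions, make the first comment "Retrieve" to match the others, and since `crane` is not a Docker CLI component and is not introduced anywhere else on this page, add a one-line prerequisite with a link to where it comes from. The vale warning on line 235 also applies: "as shown below" should read "as shown in the following example".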