Since 2023, BuildKit can add provenance and SBOM attestations to images. But I don’t understand how I can verify that the attestations have not been tampered with.
I looked everywhere, and came to the (hopefully incorrect) conclusion, that verification is impossible. This means that, in practice, these attestations have very limited utility, because an attacker can easily forge them.
The docs only mention how I can inspect the attestations (see Provenance attestations | Docker Docs). Is there a (BuildKit) command to verify the attestation? Similar to “cosign verify”? You can’t expect humans to do the verification (manually): humans are bad at verifying huge technical data structures. There also is no documentation about the specifics of that data structure (for instance, what is the meaning of the JSON entry predicate -> buildConfig -> digestMapping?).
I also feel the need to mention that cryptography does not seem to play any role in the attestations added by BuildKit! Thus, there is no way to verify the identity of the person or workflow that created the attestations.
Just checking if you could get an answer to this somewhere else learn more about attestations as the topic would be automatically closed tomorrow without new replies.
I saw the question before, just couldn’t get back here, but bookmarked the message with a notification so I’m here now.
I could not find anything about verification without external tools, and as “external tool” I basically found cosign in search results.
Have you thought opening an issue on GitHub?
I haven’t found documentation about it either. Searching for an example, I found this from soneone:
where the digestMapping seemed to be a digest of the image layers.
I did not open a ticket, because I think Docker Inc. is already aware of this. They have decided to exclude cryptography on purpose. And they have security experts on the payroll. So if their experts were unable to convince management to build cryptography into attestations, then, … I dunno what else to do.
As for your other observation (digestMapping): these digestMapping hashes are unrelated to the image layers. I can’t find them anywhere. Just try it yourself:
There, open the layer with the “in-toto.io/predicate-type”: “h ttps://slsa.dev/provenance/v0.2”. One of the digest maps is sha256:00b2b030610ae9d340134b0b202d234d8daeb58ea0bec23cfb7da525ce257f55": “step2”
You won’t find that digest anywhere in the image of that architecture (s390x)