Does "subjects" and "materials" field support multi-arch images?

[ywluogg]

Hi team, I wonder if there is a way that "subjects" and "materials" field in the statement supports multi-arch images? I know that you can specify multiple digests for different algorithms for a single image, but are there examples what a multi-arch image look like in these fields?

[MarkLodato]

Assuming you mean multi-arch container images (OCI/Docker), one approach would be to only list the digest of the (multi-arch) image index. I don't have enough experience to know whether that is an issue when you go to use such an image. For example, does a Kubernetes admission controller see the digest of the (multi-arch) index or the (single-arch) manifest? If the former, you should be fine. If the latter, then that may be difficult to match the hash observed with the hash in the attestation.

An alternative would be to list the (multi-arch) index and all of the (single-arch) manifests, each as a separate entry in subjects. You can just give each a unique name.

@mlieberman85 do you have experience with this?

[mlieberman85]

Yes, I believe we have just done separate values in the subjects

[ywluogg]

I see! Thanks for the reference! Let me know if that's a common practice - in the case that people separate them into individual items in subjects, using the qualifier for adding additional identifiers could be one of the choices.

[marcelamelara]

hello @ywluogg ! We wanted to ping this issue and ask if it has been resolved?

[ywluogg]

Yes this is resolved. Thanks