From c9f267159e48bceca8e7ce7b18ca604d51e49876 Mon Sep 17 00:00:00 2001 From: Jacob Wolf Date: Fri, 14 Jul 2023 15:51:18 +0000 Subject: [PATCH] Add provenance flag check --- Makefile | 1 + hack/provenance | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100755 hack/provenance diff --git a/Makefile b/Makefile index c511c959..8e6197db 100644 --- a/Makefile +++ b/Makefile @@ -89,6 +89,7 @@ image: .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION) -t=$(IMAGE):$(TAG)-$(OS)-$(ARCH)-$(OSVERSION) \ --build-arg=GOPROXY=$(GOPROXY) \ --build-arg=VERSION=$(VERSION) \ + `./hack/provenance` \ . touch $@ diff --git a/hack/provenance b/hack/provenance new file mode 100755 index 00000000..c04e7ebe --- /dev/null +++ b/hack/provenance @@ -0,0 +1,37 @@ +#!/bin/bash + +# Copyright 2023 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# There is no reliable way to check if a buildx installation supports +# --provenance other than trying to execute it. You cannot even rely +# on the version, because buildx's own installation docs will result +# in installations of buildx that do not correctly report their version +# via `docker buildx version`. +# +# Additionally, if the local buildkit worker is the Docker daemon, +# attestation should not be supported and must be disabled. +# +# Thus, this script echos back the flag `--provenance=false` if and only +# if the local buildx installation supports it. If not, it exits silently. + +BUILDX_TEST=`docker buildx build --provenance=false 2>&1` +if [[ "${BUILDX_TEST}" == *"See 'docker buildx build --help'."* ]]; then + if [[ "${BUILDX_TEST}" == *"requires exactly 1 argument"* ]] && ! docker buildx inspect | grep -qE "^Driver:\s*docker$"; then + echo "--provenance=false" + fi +else + echo "Local buildx installation broken?" >&2 + exit 1 +fi