When you pull an OCI image from a registry, you implicitly trust that it contains what its builder claims it does. The builder may even provide an SBOM for the image, but the SBOM itself must also be trusted: nothing prevents a builder from publishing an innocuous SBOM while injecting malware into the image.
Reproducible builds render this sort of undetectable tampering impossible: a user can directly...
The article discusses Project Hummingbird, Red Hat's initiative to create a catalog of secure container images using Konflux, a Tekton-based software factory. The project emphasizes the importance of reproducibility and software supply chain security in an era where digital sovereignty is crucial. To achieve this, Hummingbird images are designed to be easy to reproduce with minimal tooling, making them less susceptible to undetectable tampering.
The process involves using cosign and podman to re...
