| #!/usr/bin/env bash | |
| # This script obtains the "h1:..." hashes for all platforms | |
| # See https://github.com/hashicorp/terraform/issues/27264 | |
| set -o errexit; set -o nounset; set -o pipefail | |
| export GOBIN="${PWD}/bin" PATH="${PWD}/bin:${PATH}"; TMPDIR="$(mktemp -d)" | |
| # Note: All modules in the lockfile MUST have zips for these platforms | |
| PLATFORMS=("darwin/amd64" "darwin/arm64" "linux/amd64" "linux/arm64") |
| top_10_files() { crane export $1 --platform linux/amd64 | tar -tvf - | awk -v size="$size" '$5 >= size {print $5" "$9}' | sort -nrk1.2 | head -n10 | numfmt --to=iec-i --suffix=B --format="%9.2f"; } |
On apk-based distro (Alpine etc.):
( APK_NAME="hello" APK_RELDIR="repository/testdata" && apk index -o TMP.tar.gz \
${APK_RELDIR}/*.apk &>/dev/null && tar xf TMP.tar.gz -O APKINDEX | \
grep -e ^C: -e ^P: | grep -B1 P:${APK_NAME} | head -1 | \
cut -d: -f2 && rm -f TMP.tar.gz )
Using Docker (via distroless.dev/alpine-base):
NOTE: do not use this, it does not work properly. Instead, see https://gist.github.com/jdolitsky/eaaae0f4ab8f3a9d3c95ab0727f31001#file-main-go-L31
First, fetch an apk package (for example, curl 7.84.0 for aarch64):
curl -LO https://dl-cdn.alpinelinux.org/alpine/edge/main/aarch64/curl-7.84.0-r2.apk
Then run:
| package: | |
| name: bom | |
| version: "{{ .Version }}" | |
| description: A utility to generate SPDX-compliant Bill of Materials manifests | |
| target-architecture: | |
| - all | |
| copyright: | |
| - license: Apache-2.0 | |
| paths: | |
| - "*" |
| apiVersion: policy.sigstore.dev/v1alpha1 | |
| kind: ClusterImagePolicy | |
| metadata: | |
| name: keyless-attestation-spdxjson | |
| spec: | |
| images: | |
| - glob: ** | |
| authorities: | |
| - name: keyless | |
| keyless: |
| Hello World! |
| $ curl -s http://localhost:8080 | |
| Hello World! |
| docker run --rm -it --rm -p 8080:8080 factory-demo |
| docker load < output.tar |