Skip to content

Don't regenerate attestation when image wasn't rebuilt #5894

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vvoland opened this issue Apr 8, 2025 · 1 comment
Open

Don't regenerate attestation when image wasn't rebuilt #5894

vvoland opened this issue Apr 8, 2025 · 1 comment
Labels
area/attestations kind/enhancement

Comments

@vvoland
Copy link
Collaborator

vvoland commented Apr 8, 2025

Description

Currently attestations are always regenerated, even when the produced image doesn't change because the result is already in cache.
This causes the digest of the resulting image change for every build request.

On Docker side, this is an unexpected default behavior.
We need an option to instruct Buildkit to not regenerate the attestation for an image which wasn't rebuilt.
@tonistiigi
Copy link
Member

Provenance attestation is a record of invoking a build. Two completely different builds at completely different times can produce the same result. If the build was completely cached(in buildkit builds are never completely cached as every execution, eg. loading a Dockerfile is a build step), then that is what the provenance attestation is conveying.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/attestations kind/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tonistiigi @jsternberg @vvoland