This demo shows how to build a container image with Docker Buildx while capturing provenance using Witness, signing with Sigstore, and uploading attestations to Archivista.
The project includes:
- A simple Go HTTP server application
- Multi-stage Dockerfile for efficient container builds
- GitHub Actions workflow that:
  - Builds multi-platform container images (linux/amd64, linux/arm64)
  - Pushes to GitHub Container Registry (GHCR)
  - Captures build provenance with Witness
  - Signs attestations with Sigstore (using default TSA)
  - Uploads attestations to Archivista for public verification
Prerequisites:
- GitHub repository with Actions enabled
- No additional secrets needed (uses GITHUB_TOKEN for GHCR)
How it works:
- Docker Buildx: builds the container with metadata output and SLSA provenance
- Witness Run Action: wraps the build command to capture:
  - Command execution details
  - Environment information
  - Input/output materials
  - Build artifacts
- Sigstore: signs the attestation using the GitHub OIDC identity
- Archivista: stores the attestation for later verification
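As an added example (not the project's own workflow file), a minimal GitHub Actions job wiring the four pieces above together. The witness-run-action version and its `step`, `command`, `enable-sigstore` and `enable-archivista` inputs, as well as the image name and tags, are assumptions; adjust them to the repository.

```yaml
name: build-and-attest

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  packages: write   # push to GHCR with GITHUB_TOKEN, no extra secret
  id-token: write   # required for Sigstore keyless signing via GitHub OIDC

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository_owner }}/witness-demo  # assumed image name
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3      # needed for the linux/arm64 platform
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Witness wraps the build command: it records the command, environment,
      # input materials and output products, signs the attestation with Sigstore
      # and uploads it to Archivista. Action version and input names are assumed.
      - uses: testifysec/witness-run-action@v0.3.0
        with:
          step: build
          enable-sigstore: true
          enable-archivista: true
          command: >-
            docker buildx build
            --platform linux/amd64,linux/arm64
            --provenance=true --sbom=true
            --push
            -t ${{ env.IMAGE }}:latest
            -t ${{ env.IMAGE }}:${{ github.sha }}
            .
```

GHCR requires lowercase image names, so lowercase the owner if the GitHub account name contains capitals. Pull requests from forks receive a read-only GITHUB_TOKEN and the push step will fail for them by design.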
Usage:
- Push code to the `main` branch or create a PR; GitHub Actions will automatically:
  - Build the container image
  - Push to `ghcr.io/<your-username>/witness-demo`
  - Create and sign attestations
  - Upload to Archivista
After the build completes, you can verify the attestations:

```bash
# The attestation will be available at Archivista
# Check the GitHub Actions logs for the specific attestation ID
```

The built image will be available at:

```
ghcr.io/<your-github-username>/witness-demo:latest
ghcr.io/<your-github-username>/witness-demo:<commit-sha>
```
Security features:
- Sigstore Signing: uses ephemeral keys with the GitHub OIDC identity
- Timestamp Authority: uses FreeTSA for trusted timestamps
- Public Transparency: attestations are publicly verifiable via Archivista
- SLSA Provenance: Docker Buildx generates SLSA provenance attestations
- SBOM Generation: automatic software bill of materials creation