fix: SBOM attestation for multi-platform images and cosign identity matching

mikkeldamsgaard · claude · mikkeldamsgaard · commit f12edf6313aa · 2026-03-14T14:23:00.000+01:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
       - name: SBOM attestation for initium image
         run: |
           cosign attest --yes --type spdx \
-            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }} --format '{{json .SBOM.SPDX}}') \
+            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
             ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }}
       - uses: docker/build-push-action@v6
         id: build-jyq
@@ -81,5 +81,5 @@ jobs:
       - name: SBOM attestation for initium-jyq image
         run: |
           cosign attest --yes --type spdx \
-            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }} --format '{{json .SBOM.SPDX}}') \
+            --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
             ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- SBOM attestation in release workflow: use platform-specific SBOM path (`index .SBOM "linux/amd64"`) instead of `.SBOM.SPDX` which returns `null` for multi-platform images.
+- Cosign verification commands in docs and Makefile: use `--certificate-identity` with the exact tag ref (e.g. `@refs/tags/v2.0.0`) instead of a glob pattern (`v*`) which cosign does not support.
+
 ## [2.0.0] - 2026-03-14
 
 ### Security
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 BINARY   := initium
 VERSION  ?= dev
 IMAGE    ?= ghcr.io/kitstream/initium
-COSIGN_IDENTITY := https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v*
+COSIGN_IDENTITY := https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v$(VERSION)
 .PHONY: all build test lint clean verify-image
 all: lint test build
 build:
diff --git a/docs/security.md b/docs/security.md
@@ -86,7 +86,7 @@ Release images are signed with [cosign](https://github.com/sigstore/cosign) usin
 # Verify signature (requires cosign)
 cosign verify \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-  --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v*' \
+  --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v2.0.0' \
   ghcr.io/kitstream/initium:2.0.0
 
 # Or use the Makefile target (also supports IMAGE=ghcr.io/kitstream/initium-jyq)
@@ -99,7 +99,7 @@ make verify-image VERSION=2.0.0
 cosign verify-attestation \
   --type spdx \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-  --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v*' \
+  --certificate-identity 'https://github.com/KitStream/initium/.github/workflows/release.yml@refs/tags/v2.0.0' \
   ghcr.io/kitstream/initium:2.0.0
 ```
 
