Summary
Request that releases of gpu-operator container images and Helm charts ship with keyless cosign signatures, SLSA build provenance, and SBOM attestations, all verifiable from the public Sigstore Rekor transparency log.
Why
Downstream projects that integrate gpu-operator into curated platforms (in our case, NVIDIA AICR) are increasingly required to produce a customer-facing supply-chain story for security review, air-gap deployment, and SLSA / NIST SSDF compliance. Today AICR can pin gpu-operator's chart versions and image digests, and we render the deployed image set into a public CycloneDX BOM, but we cannot complete the chain because the published artifacts cannot be verified against a publisher-rooted, transparency-logged trust path.
Current state
Verified against nvcr.io/nvidia/gpu-operator:v26.3.1 (the most recent release at the time of filing):
- Image is signed (legacy, key-based). A .sig artifact exists alongside the image with a dev.cosignproject.cosign/signature annotation. The signature carries no embedded Fulcio certificate and no Rekor bundle, so verification requires consumers to know and trust an out-of-band public key. cosign verify <image> (keyless mode) fails with no matching signatures: empty key.
- No SLSA build provenance attestation. cosign verify-attestation --type slsaprovenance <image> returns no matching attestations. There is no cryptographic record tying the image digest to its build workflow, source commit, and dependencies.
- No SBOM attestation. cosign download attestation <image> returns no attestations. Customers cannot fetch a tamper-evident inventory of what's inside the image.
The ask below is to move from key-based signing to the modern keyless + Rekor + SLSA + SBOM pattern that admission policies (Kyverno, Gatekeeper, Sigstore policy-controller) and supply-chain tools (Trivy, Grype, in-toto) verify natively.
What we're asking for
Concretely, on each gpu-operator release:
- Cosign keyless signature on every container image (cosign sign <image>@<digest> with the GitHub Actions OIDC identity).
- SLSA Build L3 provenance attestation (e.g., via slsa-github-generator or the cosign+goreleaser integration; predicate type https://slsa.dev/provenance/v1).
- SBOM attestation (e.g., syft attest with predicate type https://cyclonedx.org/bom or SPDX equivalent).
The same applies to the Helm chart artifact when published as an OCI artifact (cosign sign-blob or the chart-aware equivalent).
Reference implementations
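Two NVIDIA-owned projects already do this end-to-end and can serve as direct templates:
- .github/actions/sbom-and-attest/action.yml — composite action that signs container images, generates SBOMs, and attaches both as cosign attestations
- .github/actions/generate-slsa-predicate/action.yml — generates the SLSA Build L3 provenance predicate
- .github/workflows/on-tag.yaml — release workflow that orchestrates the full pipeline
- .goreleaser.yaml — keyless cosign signing for CLI binaries via cosign attest-blob post-build hook
- .github/actions/sbom-and-attest/action.yml — same composite-action pattern as AICR
- .github/workflows/release.yml — release workflow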
Both produce signatures verifiable with stock cosign:
cosign verify <image-or-chart>@<digest> \
--certificate-identity-regexp 'https://github.com/NVIDIA/gpu-operator/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Acceptance criteria
A release counts as "fully attested" when, for every published image and chart artifact:
- cosign verify ... succeeds with the publisher's expected OIDC identity (no out-of-band key required).
- cosign verify-attestation --type slsaprovenance ... returns a SLSA v1 predicate naming the source repo and the build workflow.
- cosign verify-attestation --type cyclonedx ... (or SPDX equivalent) returns an SBOM attestation.
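Added example, not part of the original issue or of any NVIDIA pipeline: a consumer-side check for the second acceptance criterion, run over the DSSE envelope that cosign verify-attestation prints once the signature has verified. It assumes the GitHub Actions build type, which records the workflow under buildDefinition.externalParameters.workflow; the digest, tag and workflow path in the sample are constructed placeholders.

```python
import base64
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"

def check_provenance(envelope_line, image_digest, repo_url):
    """Return a list of problems; an empty list means the statement is acceptable."""
    envelope = json.loads(envelope_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append("predicateType is not SLSA v1")
    # The in-toto subject must bind the statement to the digest being deployed.
    algo, _, value = image_digest.partition(":")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get(algo) == value for s in subjects):
        problems.append("no subject matches the image digest")
    # Assumed layout: GitHub Actions build type (see lead-in).
    build = statement.get("predicate", {}).get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != repo_url:
        problems.append("source repository is not the expected one")
    if not workflow.get("path"):
        problems.append("build workflow is not named")
    return problems

def make_envelope(predicate_type, repository, digest_hex):
    """Build a constructed DSSE envelope line for the demo (not real cosign output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "nvcr.io/nvidia/gpu-operator", "digest": {"sha256": digest_hex}}],
        "predicateType": predicate_type,
        "predicate": {"buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v0.0.0",  # placeholder tag
                "repository": repository,
                "path": ".github/workflows/release.yaml"}}}},  # hypothetical path
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

REPO = "https://github.com/NVIDIA/gpu-operator"
DIGEST_HEX = "ab" * 32  # constructed digest, not a real image

if __name__ == "__main__":
    good = make_envelope(SLSA_V1, REPO, DIGEST_HEX)
    print(check_provenance(good, "sha256:" + DIGEST_HEX, REPO))
```

A valid signature only proves who signed the statement; this check is what ties the statement to the deployed digest and to the expected source repository.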