https://github.com/trmiller/vendorme/blob/0b7091a0736be19ca2fd0a3245d997356822ba07/cmd/cli/rekor/rekoruuid_validator.go#L59
The above will error on an image with the same digest but just a different URI, e.g. registry or name. I noticed this recently with gcr, where they have both a global registry `gcr.io` as well as region-specific subdomains like `asia.gcr.io` and
Separately, do we want to just validate images in almost a reverse way? Ignore if the image isn't found in the release at all; just ensure that all images inside a release have valid attestations associated with them? This would probably be difficult given the current setup, as different images could have different attestations.
See: tektoncd/chains#305 as an example
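The digest-only comparison and the "reverse" check discussed above, as an added example that is not part of the original issue and not vendorme's code. `DigestOf` and `Unattested` are hypothetical names, the `example-project/app` path and the digest are constructed, and the attested references are assumed to come from attestations whose signatures were already verified.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// DigestOf returns the digest of a reference shaped like name@sha256:<hex>.
// Tag-only references are rejected: a tag is mutable and proves nothing.
func DigestOf(ref string) (string, error) {
	i := strings.LastIndex(ref, "@")
	if i < 0 || !digestRe.MatchString(ref[i+1:]) {
		return "", fmt.Errorf("%q is not pinned by a valid sha256 digest", ref)
	}
	return ref[i+1:], nil
}

// Unattested returns the release images whose digest matches no attested
// subject. Registry host and repository name are ignored on both sides.
func Unattested(release, attested []string) ([]string, error) {
	seen := map[string]bool{}
	for _, a := range attested {
		d, err := DigestOf(a)
		if err != nil {
			return nil, err
		}
		seen[d] = true
	}
	var missing []string
	for _, r := range release {
		d, err := DigestOf(r)
		if err != nil {
			return nil, err
		}
		if !seen[d] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

func main() {
	d := "sha256:" + strings.Repeat("a", 64) // constructed digest
	missing, err := Unattested([]string{"asia.gcr.io/example-project/app@" + d},
		[]string{"gcr.io/example-project/app@" + d})
	fmt.Println(missing, err)
}
```

Matching on the digest alone treats the same content pulled through `gcr.io` and `asia.gcr.io` as one image, and an empty result means every image in the release has an attested subject.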