Project Hummingbird, Red Hat's catalog of hardened minimal container images, supports reproducible builds that allow users to verify images are bit-for-bit identical to published blobs. Using SLSA provenance attestations and SBOMs generated by the Konflux build system, anyone can rebuild a Hummingbird image with just cosign and podman and confirm it matches the original. The post explains the technical challenges overcome to achieve this — including RPM installation ordering, SQLite WAL mode, SOURCE_DATE_EPOCH timestamps via Buildah 1.41, and injecting security metadata directly into Containerfiles. CI now rebuilds every image on each change to ensure reproducibility is maintained continuously, and the effort is driving broader Konflux discussions to make reproducible builds a platform-wide feature.