Frederic 🧊 Branczyk @brancz@hachyderm.io

@fredbrancz

Founder @PolarSignalsIO 🧊 ❄️ Building @ParcaDev, Prometheus maintainer. BLM (he/him) Mastodon https://t.co/hWq2D5SOOV

26-01-2012 21:42:24

6,6K Tweets

4,3K Followers

287 Following

Frederic 🧊 Branczyk @brancz@hachyderm.io (@fredbrancz)

We have byte-by-byte reproducible builds of everything at Polar Signals, including container images. We migrated from podman to buildkit, and it looks like producing provenance information includes build times, ultimately breaking reproducibility. Is there any way to fix this?


Frederic 🧊 Branczyk @brancz@hachyderm.io This is a benefit of attaching signed provenance outside the image. We use sigstore and it works great.

Getting reproducible image builds was one of the (many!) reasons we built our own tools for it, more about it here chainguard.dev/unchained/desi…
