
Content trust sign with buildx #313

Open
sabretus opened this issue Jun 22, 2020 · 8 comments

Comments

@sabretus

Hello,

Is there any way to sign a multi architectural image built by buildx?

The build is running like this:

docker buildx build --platform linux/amd64,linux/arm64 -t ${IMAGE}:${VERSION} --push .

To sign the image I am doing a regular "docker push" or "docker trust sign", but it signs and pushes only the local-arch image and then overrides the manifest list previously pushed with buildx.

Somehow the official hub.docker.com repos have signed multi-arch images, so how?

@williamdes

Hi @tonistiigi
Would you please give us your point of view on this issue?

williamdes added a commit to sudo-bot/action-docker-sign that referenced this issue May 2, 2021
@williamdes

For anyone finding this issue, the solution to sign a manifest is to use the notary command line.
See: https://github.com/sudo-bot/action-docker-sign#sign-multi-platform-manifests
Ref: sudo-bot/action-docker-sign@ee2b979

So, you will need to use buildx to push tags like {platform}-latestOrWhatYouWant, and then make a manifest and sign it.

@roman-vynar

Notary is such a user-unfriendly, abandoned and overcomplicated solution that, after using it since 2017 with both Docker Hub and a private registry, we decided to stop using it.

@hardillb

Has anything moved forward with this?

Having a first class way to build and sign multi-platform releases in a single command would be a REALLY great way to increase adoption of Docker Content Trust

@JC5

JC5 commented Aug 27, 2023

Using the notary scripts is way too fragile and complicated for me to use. I would expect something like docker trust sign to work for multi-arch containers out of the box. The multi-arch experience is already mostly transparent for most of (my) users, most barely notice there are 5 variants of the same container.

I would really like to be able to sign all 5 as well.

@leonheldattoradex

Hello, this was opened in 2020 and since then I can't find any information on it.
Was this feature ever implemented?

@williamdes

> Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

You will find more than you can ever need on https://github.com/sudo-bot/action-docker-sign

@heruan

heruan commented Oct 17, 2024

Is signing multi-arch images still so complicated? Our CI/CD workflows build and push for multiple arch, with a single tag. From there, how can we sign both images that share the same tag?

I would expect docker trust sign my-image:my-tag to work, but it REMOVES one of the two architectures from Docker Hub, unprompted 😱
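The workaround williamdes describes above (push per-platform tags with buildx, assemble the manifest list, then sign the list's digest with the notary CLI) and the failure heruan reports (`docker trust sign` pushes the local single-arch image and the tag loses a platform) both come down to the same question: which manifest bytes is the trust entry being created for? The script below is an added illustration, not code from this thread, from docker/buildx or from sudo-bot/action-docker-sign. It parses a manifest as the registry serves it, computes the sha256 digest and byte size that `notary addhash` needs, refuses to sign anything that is not a manifest list covering the expected platforms, and diffs a tag's platform set before and after a signing step. The two JSON documents are constructed samples; the repository name `docker.io/example/app`, tag `1.0`, and the expected-platform list are assumptions. In real use the raw bytes must be the exact manifest the registry returns (for instance from `docker buildx imagetools inspect --raw REPO:TAG`), since the digest is over those bytes, not over a pretty-printed copy.

```python
"""Sign a buildx manifest list under Docker Content Trust with the notary CLI.

Added illustration; not code from the issue thread or from docker/buildx.
Assumptions: the manifest bytes are exactly what the registry serves
(e.g. `docker buildx imagetools inspect --raw REPO:TAG`), because the
target digest is sha256 over those bytes; the two JSON documents below
are constructed samples, not real registry output.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

MANIFEST_LIST_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}

# Constructed sample: a two-platform manifest list as buildx --push produces.
MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1234, "digest": "sha256:" + "11" * 32,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1234, "digest": "sha256:" + "22" * 32,
         "platform": {"architecture": "arm64", "os": "linux"}},
    ],
}).encode()

# Constructed sample: the single-platform manifest that `docker trust sign`
# pushes from the local engine, overwriting the list under the same tag.
SINGLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 100, "digest": "sha256:" + "33" * 32},
    "layers": [],
}).encode()


@dataclass(frozen=True)
class Target:
    media_type: str
    digest: str                 # hex sha256 over the raw bytes, no "sha256:" prefix
    size: int                   # byte length, the value notary addhash expects
    platforms: Tuple[str, ...]  # "os/arch" entries, empty for a single manifest


def parse_manifest(raw: bytes) -> Target:
    """Describe a manifest exactly as the registry serves it."""
    doc = json.loads(raw)
    media_type = doc.get("mediaType", "")
    platforms = tuple(
        f"{m['platform']['os']}/{m['platform']['architecture']}"
        for m in doc.get("manifests", [])
        if "platform" in m
    )
    return Target(media_type, hashlib.sha256(raw).hexdigest(), len(raw), platforms)


def notary_addhash_argv(gun: str, tag: str, raw: bytes,
                        trust_dir: str = "~/.docker/trust",
                        server: str = "https://notary.docker.io",
                        expect: Tuple[str, ...] = ("linux/amd64", "linux/arm64")) -> List[str]:
    """Build the notary command that signs the manifest list digest under TAG.

    Refuses to sign anything that is not a manifest list covering every
    expected platform; that is the silent mistake `docker trust sign` makes
    when it signs and pushes the engine's local single-arch image instead.
    """
    t = parse_manifest(raw)
    if t.media_type not in MANIFEST_LIST_TYPES:
        raise ValueError(f"refusing to sign {t.media_type!r}: not a manifest list")
    missing = set(expect) - set(t.platforms)
    if missing:
        raise ValueError(f"manifest list lacks platforms: {sorted(missing)}")
    return ["notary", "-s", server, "-d", trust_dir, "addhash", gun, tag,
            str(t.size), "--sha256", t.digest, "--publish"]


def tag_lost_platforms(before: bytes, after: bytes) -> List[str]:
    """Platforms a tag resolved to before a signing step but no longer does after."""
    return sorted(set(parse_manifest(before).platforms)
                  - set(parse_manifest(after).platforms))


if __name__ == "__main__":
    print(" ".join(notary_addhash_argv("docker.io/example/app", "1.0", MANIFEST_LIST)))
    # Re-inspecting the tag after a `docker trust sign` that pushed a
    # single-arch image shows exactly which platforms the tag lost.
    print("lost:", tag_lost_platforms(MANIFEST_LIST, SINGLE_MANIFEST))
```

The guard in `notary_addhash_argv` is the check worth keeping in a CI job: fetch the tag's raw manifest after the push, confirm it is still a manifest list with every platform you built, and only then feed its size and digest to `notary addhash`. Running `tag_lost_platforms` on the manifest fetched before and after any signing step turns the unprompted platform removal described above into a hard failure instead of a surprise.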
