moby · jedevc · Dec 9, 2022 · Dec 9, 2022 · Dec 9, 2022 · Dec 9, 2022
diff --git a/exporter/containerimage/writer.go b/exporter/containerimage/writer.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"
 
@@ -64,6 +65,9 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 	}
 
 	multiPlatform := len(inp.Refs) > 0
+	if len(inp.Attestations) > 0 {
+		multiPlatform = false
+	}
 
 	var p exptypes.Platforms
 	if ok && len(platformsBytes) > 0 {
@@ -75,6 +79,25 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 		}
 	}
 
+	requiresAttestations := false
+	for _, p := range p.Platforms {
+		if atts, ok := inp.Attestations[p.ID]; ok {
+			atts = attestation.Filter(atts, nil, map[string][]byte{
+				result.AttestationInlineOnlyKey: []byte(strconv.FormatBool(true)),
+			})
+			if len(atts) > 0 {
+				requiresAttestations = true
+				break
+			}
+		}
+	}
+	if requiresAttestations {
+		// if we only have inline attestations, we don't *need* an image index
+		// for the attestations, but if we do have the index, we should still
+		// attach it if possible
+		multiPlatform = true
+	}
+
 	if opts.MultiPlatform != nil {
 		multiPlatform = *opts.MultiPlatform
 	}
@@ -105,15 +128,15 @@ func (ic *ImageWriter) Commit(ctx context.Context, inp *exporter.Source, session
 		if len(p.Platforms) > 1 {
 			return nil, errors.Errorf("cannot export multiple platforms without multi-platform enabled")
 		}
+		if requiresAttestations {
+			return nil, errors.Errorf("cannot export attestations without multi-platform enabled")
+		}
 
 		var ref cache.ImmutableRef
 		if inp.Ref != nil {
 			ref = inp.Ref
 		} else if len(p.Platforms) > 0 {
 			p := p.Platforms[0]
-			if _, ok := inp.Attestations[p.ID]; ok {
-				return nil, errors.Errorf("cannot export attestations without multi-platform enabled")
-			}
 			ref = inp.Refs[p.ID]
 		} else if len(inp.Refs) == 1 {
 			for _, ref = range inp.Refs {

diff --git a/exporter/local/export.go b/exporter/local/export.go
@@ -101,6 +101,9 @@ func (e *localExporterInstance) Export(ctx context.Context, inp *exporter.Source
 	}
 
 	isMap := len(inp.Refs) > 0
+	if len(inp.Attestations) > 0 {
+		isMap = false
+	}
 
 	platformsBytes, ok := inp.Metadata[exptypes.ExporterPlatformsKey]
 	if len(inp.Refs) > 0 && !ok {

diff --git a/exporter/oci/export.go b/exporter/oci/export.go
@@ -77,6 +77,14 @@ func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exp
 		return nil, err
 	}
 
+	if e.opt.Variant == VariantDocker {
+		if i.opts.MultiPlatform != nil && *i.opts.MultiPlatform {
+			return nil, errors.Errorf("docker exporter does not currently support exporting manifest lists")
+		}
+		b := false
+		i.opts.MultiPlatform = &b
+	}
+
 	for k, v := range opt {
 		switch k {
 		case keyTar:
@@ -115,10 +123,6 @@ func (e *imageExporterInstance) Config() *exporter.Config {
 }
 
 func (e *imageExporterInstance) Export(ctx context.Context, src *exporter.Source, sessionID string) (map[string]string, error) {
-	if e.opt.Variant == VariantDocker && len(src.Refs) > 0 {
-		return nil, errors.Errorf("docker exporter does not currently support exporting manifest lists")
-	}
-
 	if src.Metadata == nil {
 		src.Metadata = make(map[string][]byte)
 	}

diff --git a/exporter/tar/export.go b/exporter/tar/export.go
@@ -134,6 +134,9 @@ func (e *localExporterInstance) Export(ctx context.Context, inp *exporter.Source
 	}
 
 	isMap := len(inp.Refs) > 0
+	if len(inp.Attestations) > 0 {
+		isMap = false
+	}
 
 	platformsBytes, ok := inp.Metadata[exptypes.ExporterPlatformsKey]
 	if len(inp.Refs) > 0 && !ok {

diff --git a/exporter/util/multiplatform/parse.go b/exporter/util/multiplatform/parse.go
@@ -14,10 +14,10 @@ const (
 )
 
 func ParseBuildArgs(opt map[string]string) (string, bool) {
-	if v, ok := opt[frontendMultiPlatform]; ok {
+	if v, ok := opt[frontendMultiPlatformArg]; ok {
 		return v, true
 	}
-	if v, ok := opt[frontendMultiPlatformArg]; ok {
+	if v, ok := opt[frontendMultiPlatform]; ok {
 		return v, true
 	}
 	return "", false

diff --git a/frontend/gateway/grpcclient/client.go b/frontend/gateway/grpcclient/client.go
@@ -16,6 +16,7 @@ import (
 	gogotypes "github.com/gogo/protobuf/types"
 	"github.com/golang/protobuf/ptypes/any"
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/attestations"
 	"github.com/moby/buildkit/frontend/gateway/client"
 	pb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/identity"
@@ -161,7 +162,7 @@ func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError erro
 					}
 				}
 
-				if res.Attestations != nil && c.caps.Supports(pb.CapAttestations) == nil {
+				if res.Attestations != nil {
 					attestations := map[string]*pb.Attestations{}
 					for k, as := range res.Attestations {
 						for _, a := range as {
@@ -483,8 +484,20 @@ func (c *grpcClient) ResolveImageConfig(ctx context.Context, ref string, opt llb
 }
 
 func (c *grpcClient) BuildOpts() client.BuildOpts {
+	opts := c.opts
+	if c.caps.Supports(pb.CapAttestations) == nil {
+		opts = map[string]string{}
+		attestOpts := attestations.Filter(c.opts)
+		for k, v := range c.opts {
+			if _, ok := attestOpts[k]; ok {
+				continue
+			}
+			opts[k] = v
+		}
+	}
+
 	return client.BuildOpts{
-		Opts:      c.opts,
+		Opts:      opts,
 		SessionID: c.sessionID,
 		Workers:   c.workers,
 		Product:   c.product,