
Content trust sign with buildx

Open sabretus opened this issue 4 years ago • 8 comments

Hello,

Is there any way to sign a multi architectural image built by buildx?

The build is running like this:

docker buildx build --platform linux/amd64,linux/arm64 -t ${IMAGE}:${VERSION} --push .

To sign the image I am doing a regular "docker push" or "docker trust sign" but it signs and pushes only a local arch image and then overrides the manifest list previously pushed with buildx.

Somehow the official hub.docker.com repos have signed multi-arch images, so how?

sabretus avatar Jun 22 '20 09:06 sabretus

Hi @tonistiigi, would you please give us your point of view on this issue?

williamdes avatar May 02 '21 00:05 williamdes

For anyone finding this issue, the solution to sign a manifest is to use the notary command line. See: https://github.com/sudo-bot/action-docker-sign#sign-multi-platform-manifests Ref: https://github.com/sudo-bot/action-docker-sign/commit/ee2b979529b2c856280252bcbf9d5aab0e3d2c65

So, you will need to use buildx to push tags like {platform}-latestOrWhatYouWant and then make a manifest and sign it.

williamdes avatar May 02 '21 15:05 williamdes
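The procedure from the comment above, as an added example that is not from the issue, from buildx or from action-docker-sign: per-platform pushes, one manifest list, then notary addhash on that list's raw digest and byte size. It assumes docker with buildx, the notary CLI, a Docker Hub login and a trust key in ~/.docker/trust; repo and tag names are placeholders. The addhash step signs a digest, so it applies equally to the index that a single buildx --platform ... --push creates.

```shell
# Added example, not code from the issue or from buildx/notary.
# Assumed tools: docker (with buildx), notary, sha256sum. Names are placeholders.
set -eu

# Digest and byte size of a manifest (list) exactly as the registry stores it.
# notary addhash signs these two values, so they must be computed from the raw
# bytes, never from the pretty-printed output of "docker manifest inspect".
manifest_digest() { sha256sum "$1" | cut -d' ' -f1; }
manifest_size()   { wc -c < "$1" | tr -d ' '; }

# Print the notary command that signs tag $2 of Hub repo $1 for raw manifest file $3.
# Flags follow the notary CLI as assumed here: addhash GUN target size --sha256 hex.
notary_addhash_cmd() {
  repo=$1; tag=$2; raw=$3
  printf 'notary -s https://notary.docker.io -d ~/.docker/trust addhash %s %s %s --sha256 %s --publish\n' \
    "docker.io/$repo" "$tag" "$(manifest_size "$raw")" "$(manifest_digest "$raw")"
}

# Full workflow: platform-suffixed tags, one manifest list, then sign the list.
sign_multiarch() {
  repo=$1; tag=$2
  docker buildx build --platform linux/amd64 -t "$repo:amd64-$tag" --push .
  docker buildx build --platform linux/arm64 -t "$repo:arm64-$tag" --push .
  docker manifest create "$repo:$tag" "$repo:amd64-$tag" "$repo:arm64-$tag"
  pushed=$(docker manifest push "$repo:$tag")           # prints sha256:<digest>
  raw=$(mktemp)
  docker buildx imagetools inspect --raw "$repo:$tag" > "$raw"   # raw list bytes
  # Sanity check: the bytes we hash must be the ones the registry stored,
  # otherwise the signature would point at a digest nobody can pull.
  [ "sha256:$(manifest_digest "$raw")" = "$pushed" ] || { echo "digest mismatch" >&2; exit 1; }
  sh -c "$(notary_addhash_cmd "$repo" "$tag" "$raw")"
  rm -f "$raw"
}
```

Only the two helpers and the command builder run offline; call `sign_multiarch myorg/myimage v1` from a shell that is logged in to Docker Hub and holds the repository's signing key.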

Notary is such a user-unfriendly, abandoned and overcomplicated solution that after using it since 2017 with both Docker Hub and a private registry we decided to stop using it.

roman-vynar avatar May 03 '21 07:05 roman-vynar

Has anything moved forward with this?

Having a first class way to build and sign multi-platform releases in a single command would be a REALLY great way to increase adoption of Docker Content Trust

hardillb avatar Dec 29 '22 17:12 hardillb

Using the notary scripts is way too fragile and complicated for me to use. I would expect something like docker trust sign to work for multi-arch containers out of the box. The multi-arch experience is already mostly transparent for most of (my) users, most barely notice there are 5 variants of the same container.

I would really like to be able to sign all 5 as well.

JC5 avatar Aug 27 '23 17:08 JC5

Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

leonheldattoradex avatar May 07 '24 17:05 leonheldattoradex

> Hello, this was opened in 2020 and since then I can't find any information on it. Was this feature ever implemented?

You will find more than you can ever need on https://github.com/sudo-bot/action-docker-sign

williamdes avatar Jul 02 '24 22:07 williamdes

Is signing multi-arch images still so complicated? Our CI/CD workflows build and push for multiple architectures with a single tag. From there, how can we sign both images that share the same tag?

I would expect docker trust sign my-image:my-tag to work, but it REMOVES one of the two architectures from Docker Hub, unprompted 😱

heruan avatar Oct 17 '24 15:10 heruan